Gal Ringel, CEO & co-founder of Mine
GDPR was the beginning of a privacy revolution - introduced in Europe on the 25th of May 2018. Since its implementation three years ago, individuals have, in theory, been able to reclaim their personal data and gain control over their digital footprint. The 99 articles that make up GDPR protect all of the following types of data: personal information such as names, addresses, and social security numbers; web data such as locations, IP addresses, and cookies; health, genetic and biometric data; racial and ethnic data and people's political opinions.
When it was initially introduced, people weren’t sure if the GDPR was going to stick. Three years later, we can now say that it not only stuck but created a worldwide wave of privacy regulations with more and more countries creating similar data privacy legislation - for example, the CCPA in California and LGPD in Brazil. In this article, I will look back at the successes and limitations of GDPR to date and explore what changes have come from Brexit. With these changes and some limitations of the GDPR in mind, I will answer the question - what will it take for GDPR to be completely ‘future-proof’?
The successes and downfalls of GDPR
My view is that by-and-large the GDPR has done a fantastic job raising awareness of the importance of personal data privacy and triggered a real change in how organizations globally treat consumer data. Firstly, the standardization of data protection means that across Europe, nations are required to meet similar standards audited by independent agencies. Creating a unified standard for data protection allows individuals to universally feel protected and take control of their data.
When it comes to taking back control of personal data, the GDPR has opened up the doorway to empowering consumers in Europe and has also created a worldwide wave of awareness and inspired regulations worldwide. At Mine, we’ve seen firsthand that people care about data ownership, with over 225,000 consumers taking back control over their data by sending over three million data reclaim requests. For consumers, this control also means that they can drastically reduce the potential risk of a data breach by minimizing their digital footprint.
However, there’s also room for criticism. The GDPR can be very complicated, making it challenging for the average person to use it to their benefit without the tools and guidance to make it more accessible. Before Mine was founded, there was no easy way to discover who has access to your data, take control of your digital footprint or reclaim your data (send right-to-be-forgotten requests) in an accessible, streamlined way. In the first instance, knowing what the GDPR entails, including the right to access your data and the “right to be forgotten,” is important to tackle the next question of “how do I actually implement this?”. That said, I encourage consumers to keep their finger on the pulse of their rights around data protection and how big changes, like Brexit, will impact them.
How changes to GDPR as a result of Brexit will affect consumers
While Britain is no longer part of the EU, its GDPR standard still incorporates the EU’s requirements from the 2018 GDPR implementation. However, some differences will affect consumers with the UK GDPR, including the definition of personal data, child consent ages, and data subject rights. Consumers should be aware of several factors that have changed since the introduction of the UK’s GDPR. This is more important than ever, considering we found in our research that digital footprints have increased by an average of 55% during the pandemic.
Important changes:
- The child consent age in UK GDPR will be lowered from 16 to 13.
- Personal data has a more limited definition under UK GDPR.
- UK organizations will not need official authority to process criminal data.
- There is an exemption from GDPR if the processing of personal data is of public interest.
- Data subject rights can be waived if they significantly inhibit an organization’s need to process data for scientific, historical, statistical, or archiving purposes.
- If companies continue to trade in the EU, they will need to appoint a European representative and lead supervisory authority in the EU.
Making GDPR future-proof
Looking back, we can say that the presence of GDPR has been groundbreaking in terms of its goal to give people back rights over their data. In terms of improvement, it’s not the regulation itself that needs changing, but rather its implementation. I believe governments' role in ensuring companies comply with these laws is very important. Taking action against those who do not comply will be an essential part of the GDPR’s success in the future and key to making sure consumers maintain their right to be forgotten - i.e., the right for their data to be deleted. A good example of the importance of this is the updated CPRA in California, which appoints a special Privacy Protection Agency to ensure that the laws can actually be enforced.
If GDPR is going to be fully ‘future proof’, rules should be made more accessible for businesses to implement. We’ve seen this at Mine, having facilitated millions of deletion requests sent by our users that have reached over 250,000 unique companies. Many of these companies came back to us asking for help in handling and managing these requests in a better way. This is why we’ve created a Data Privacy Rights suite. This will help companies handle their privacy requests faster and streamline their users’ data privacy to make it easier to comply with privacy regulations and, in doing so, increase their brand trust.
What’s next?
In the years ahead, we will see consumers continue to scope out and choose companies that provide them with transparency, easy access, and control over their data. As a result, putting data privacy as a priority will become a brand necessity. Because the GDPR is growing in importance, I believe we will see the importance of data privacy expanding within businesses, no matter their size. It will take on a much bigger meaning with the growing realization that it affects more than just the data, privacy, and legal departments of companies - but also a company’s brand reputation, trust, and bottom line. In short, we are three years in, and this is only the beginning. Privacy regulations are going to change the digital world as we know it.
And what about Israel?
We are currently marking three years since one of the largest and most significant revolutions in the field of data privacy. Yet, in Israel, we are celebrating these days after a year that hasn’t been easy for the data privacy of many Israeli citizens. Following Covid-19, more data than ever was collected, and we also saw various big data breaches that put the data of consumers in the wrong hands. The data privacy of consumers in Israel will continue to suffer without government intervention: the right to privacy is enshrined in the Basic Law of Human Dignity and Liberty, but there is an inconceivable gap between the constitutional status of this right in Israel and its actual exercise by the government.
In Israel, regulation is moving very slowly, unlike other areas in which we lead and thrive. We haven’t made any big changes to our privacy rights since the 70s and 80s of the last century. It’s time for Israel to align the law with the GDPR and the worldwide privacy regulations trend and make companies more accountable. For example, in the case of Shirbit, the Israeli Insurance company, if there was an appropriate law, the company would get a hefty fine, which would cause the entire market in Israel to take cyber and security more seriously. As long as there is no legislation here, the Israeli consumer is left without proper protection. We as consumers should be more proactive and demand to get more rights so we can rightfully claim back ownership of our data.