GDPR in 2021: Key Updates and Implications for Data Strategies
The text of the GDPR itself was not amended in 2021, but a cluster of developments in 2020 and 2021 (new standard contractual clauses, court rulings and regulator guidance on joint controllership and cookie consent, and the fallout from the invalidation of the Privacy Shield) changed how the law is applied in practice. This article looks at those changes and how they affect everyday business activities.
- By Milica Vojnic
- August 13, 2021
Broadened Definition of Joint Controller
Joint controller is not a new concept in the GDPR. It has been in the Regulation (Article 26) since the GDPR was adopted in 2016 and became applicable on 25 May 2018, and the 1995 Data Protection Directive already spoke of controllers acting "alone or jointly with others". What has changed is how broadly the term is read: the CJEU rulings in Wirtschaftsakademie (2018) and Fashion ID (2019), followed by the EDPB's Guidelines 07/2020 on the concepts of controller and processor (final version adopted in July 2021), have widened the range of situations that count as joint controllership.
A joint controller relationship arises where two or more persons or entities jointly determine the purposes and means of processing personal data. Joint controllers will often have a shared objective, and each is responsible for the correct handling of the data in its part of the processing. The GDPR has no notion of a "data owner"; what matters is who decides why and how the data is processed. Joint controllers must set out their respective responsibilities in a transparent arrangement, the essence of which must be made available to data subjects, and a data subject may exercise their rights against either of them. In the event of non-compliance with any GDPR provision, both controllers can be held liable and face possible sanctions.
The joint controller relationship arises more commonly than many people realize. For example, running a company page on a social network, or embedding a social media plugin such as a "Like" button on your website, makes you a joint controller with that network for the collection and transmission of visitor data; these were the facts of the Wirtschaftsakademie (fan page) and Fashion ID (plugin) cases. The Fashion ID ruling also limits the scope: the website operator is a joint controller only for the operations whose purposes and means it actually co-determines, such as collecting the data and sending it to the network, and not for whatever the network does with the data afterwards.
Invalidation of the Privacy Shield
The EU-U.S. Privacy Shield was not part of the GDPR but an adequacy arrangement made under it, intended to make it easier for personal data to be transferred from European companies and institutions to their U.S. counterparts. It facilitated a smoother business relationship and let tech companies such as Google, Yahoo, and Apple share data on their European customers with their U.S.-based parent corporations without further transfer safeguards.
That arrangement no longer exists. The Court of Justice of the EU invalidated the Privacy Shield in its Schrems II judgment (Case C-311/18, 16 July 2020), finding that U.S. surveillance law did not give EU data subjects protection essentially equivalent to EU law, nor effective redress. U.S. companies that previously relied on the Privacy Shield have had to move to the EU's standard contractual clauses (SCCs) to process the personal data of people in the EU, and in June 2021 the European Commission adopted a new set of SCCs (Implementing Decision (EU) 2021/914) that replace the old ones. Schrems II also requires the data exporter to assess the law of the destination country and, where the contract alone is not enough, to add supplementary measures such as encryption with keys that the importer cannot access. Because the EU and U.S. have traditionally taken very different views on when personal data may be used, this development is important: it effectively forces U.S. companies that handle EU personal data to abide by the stricter EU rules.
California Moves in the Same Direction
In the U.S., California has gone furthest toward GDPR-style rules. It passed the California Consumer Privacy Act (CCPA) in 2018 and, in November 2020, voters approved the California Privacy Rights Act (CPRA, Proposition 24), which amends and extends the CCPA, with most of its provisions taking effect on 1 January 2023. The CPRA is not a response to the Privacy Shield decision, but it gives residents of the state rights that resemble the GDPR's: for example, a resident can opt out of the sale or sharing of their personal information with third parties and can limit the use of their sensitive personal information. Virginia and Colorado enacted comparable laws in 2021, more states are considering them, and there is pressure on the U.S. federal government to introduce legislation.
All about Cookies
In the past, there was some uncertainty about cookies and the consent users must give for their use. The consent requirement itself comes from Article 5(3) of the ePrivacy Directive, but it borrows the GDPR's definition of consent, and courts and regulators have now made that definition concrete. The CJEU's Planet49 judgment (2019) held that a pre-ticked box is not valid consent, and the EDPB's Guidelines 05/2020 on consent state that scrolling or continuing to browse a website does not constitute consent and that a "cookie wall" does not produce freely given consent. In practice, non-essential cookies (analytics, advertising, social media) may only be set after the visitor takes a clear affirmative action, and withdrawing consent must be as easy as giving it (Article 7(3)). Strictly necessary cookies, such as the session cookie that keeps a shopping basket together, are exempt from the consent requirement.
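As an added illustration (not code from the original article or its author), here is how a website could enforce the rules just described: a small consent gate that sets strictly necessary cookies immediately, queues every other category until the visitor takes an affirmative action, treats scrolling and pre-ticked boxes as no consent, and removes consented cookies on withdrawal. The cookie jar, category names and action names are assumptions made for this example, and it runs under Node with an in-memory jar rather than a browser's document.cookie.

```javascript
'use strict';

// Added example, not code from the original article or its author.
// Strictly necessary cookies may be set without consent; any other category
// needs a prior, unambiguous, affirmative act; scrolling, continued browsing or
// a pre-ticked box grant nothing; withdrawal removes what consent allowed.
// The cookie jar is injected so this runs under Node without a DOM (an
// assumption for this example); in a browser, back it with document.cookie.
// Category and action names are assumptions, not a legal taxonomy.

const CATEGORY = Object.freeze({
  NECESSARY: 'necessary', // exempt under ePrivacy Art. 5(3): needed for the requested service
  ANALYTICS: 'analytics',
  MARKETING: 'marketing',
});

// Only these UI events count as an affirmative act. Anything else a site might
// be tempted to treat as consent (scroll, timeout, page load) is not.
const AFFIRMATIVE_ACTIONS = new Set(['click_accept_all', 'click_save_choices']);

class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.consent = null;  // no record until the user acts
    this.deferred = [];   // non-essential cookies requested before consent
    this.granted = [];    // names written under consent, removed on withdrawal
  }

  // Record the outcome of the consent UI. Returns true only for valid consent.
  // choices: { analytics, marketing } exactly as the user left the boxes.
  // preTicked: true if the boxes were already checked when shown (Planet49: invalid).
  recordConsent(action, choices, preTicked = false) {
    if (!AFFIRMATIVE_ACTIONS.has(action) || preTicked) {
      this.consent = { valid: false, reason: action, analytics: false, marketing: false };
      return false;
    }
    this.consent = {
      valid: true,
      reason: action,
      analytics: Boolean(choices.analytics),
      marketing: Boolean(choices.marketing),
      at: new Date().toISOString(), // kept for the accountability record
    };
    this.flushDeferred();
    return true;
  }

  // Try to set a cookie; returns true only if it was actually written.
  setCookie(name, value, category) {
    if (category === CATEGORY.NECESSARY) {
      this.jar.set(name, value);
      return true;
    }
    if (this.consent && this.consent.valid && this.consent[category]) {
      this.jar.set(name, value);
      this.granted.push(name);
      return true;
    }
    this.deferred.push({ name, value, category }); // blocked until consent arrives
    return false;
  }

  flushDeferred() {
    const pending = this.deferred;
    this.deferred = [];
    for (const c of pending) this.setCookie(c.name, c.value, c.category);
  }

  // Withdrawal must be as easy as giving consent (GDPR Art. 7(3)).
  withdraw() {
    for (const name of this.granted) this.jar.delete(name);
    this.granted = [];
    this.consent = null;
  }
}

// Walk through the scenarios described in the text with constructed cookie
// names; returns the jar contents at each step so the behaviour can be checked.
function demo() {
  const jar = new MemoryCookieJar();
  const gate = new ConsentGate(jar);
  gate.setCookie('session_id', 'c0ffee', CATEGORY.NECESSARY);        // written immediately
  gate.setCookie('_ga', 'GA1.2.42', CATEGORY.ANALYTICS);              // queued, not written
  gate.recordConsent('scroll', { analytics: true, marketing: true }); // browsing is not consent
  const afterScroll = jar.names();
  gate.recordConsent('click_save_choices', { analytics: true, marketing: false });
  const afterConsent = jar.names();                                   // _ga now written
  const adWritten = gate.setCookie('ad_id', 'xyz', CATEGORY.MARKETING); // still refused
  gate.withdraw();
  const preTickedAccepted = new ConsentGate(new MemoryCookieJar())
    .recordConsent('click_accept_all', { analytics: true, marketing: true }, true);
  return { afterScroll, afterConsent, adWritten, afterWithdraw: jar.names(), preTickedAccepted };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the queue is that third-party scripts can be wired up normally; the gate simply refuses to write until a valid record exists, and fails closed for any category it does not recognise. A real deployment would also persist the consent record (what was shown, what was chosen, when) because the controller has to be able to demonstrate consent under Article 7(1).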
Shift Away from Third-Party Data Processing
This is not so much a change to the law as an effect of the developments above: some IoT companies are shifting away from third-party data processors in favour of keeping processing in-house. This is hardly a surprise considering the risks of sharing data outside the company, especially once the broader reading of joint controllership is taken into account. Bringing processing in-house removes the processor relationship, not the obligation: the company remains the controller and still has to meet the same requirements, now without a contractual counterpart to share the work.
Implications of these Changes to Data Strategy
Taken together, this was one of the biggest sets of changes since the GDPR became applicable, and it has sent shockwaves through the privacy community. The EU's strategy for getting companies to comply appears to be the threat of large fines for non-compliance: up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, under Article 83(5). Bearing this in mind, companies have scrambled to ensure compliance with the provisions of the GDPR.
An Overall Change in Data Strategy -- Privacy Comes First
The net result of these developments is that companies worldwide now take the legislation and its provisions much more seriously and view personal data as both a strategic asset and a risk that must be managed. European customers enjoy a higher level of privacy than ever before, and it is inspiring other jurisdictions to adopt similar protection for their citizens.
The GDPR has been controversial since its introduction, and that is not about to change. However, given the potentially enormous financial and reputational damage that can come from non-compliance, the latest developments will likely promote compliance amongst more companies.
Milica Vojnic is an experienced senior marketing associate at Wisetek who specializes in ensuring businesses are GDPR-compliant. Vojnic is also the author of articles outlining these topics for a variety of online publications.