GDPR: Progress needed
The General Data Protection Regulation (GDPR) has applied since May 25, 2018 in all 28 member states of the European Union. Companies, organizations and associations are subject to it as soon as they process personal data. The regulation aims to give users back some confidence and to prevent the misuse of personal data on the Internet, backed by heavy financial penalties in the event of a breach (up to 4% of worldwide annual turnover or 20 million euros, whichever is higher). After one year of application, what first assessment can be made, and what could be improved?
Why was the GDPR created?
An exponential evolution of the market
89% of French people (all ages) report going online at least once a day, mainly to search for information or exchange messages. Social networks keep attracting more users: Facebook, the market leader, has 2.39 billion users worldwide, and 42% of French people have a Facebook account. This growth goes hand in hand with a sharp rise in online commerce; the global turnover of e-commerce is estimated to have tripled between 2010 and 2017. To access all these services, users must enter personal data, and this is where the risks of disclosure, breach and misuse appear: the companies collecting the data end up holding a large amount of personal information.
Reassure and control
The GDPR was created with the primary objective of protecting the rights of individuals, including their rights over the data they share or that is visible on the Internet. In a recent survey commissioned by the CNIL (the French data protection authority, Commission Nationale de l'Informatique et des Libertés) and conducted by IFOP (Institut Français d'Opinion Publique), 70% of French people say they are sensitive to the issue of personal data. Internet users have less confidence when they browse; they feel tracked and spied on.
The GDPR was also set up to control the organizations that collect personal data and to supervise that collection. For many of them this means a thorough overhaul of the information system: processing must become more transparent, and a personal data breach must be notified to the supervisory authority within 72 hours of the organization becoming aware of it. Paradoxically, this measure is rather well received by organizations, because the GDPR promotes the trust of Internet users; the expectation is that an organization in compliance with the GDPR will see its traffic increase.
What is the current situation?
The user asserts his rights
The GDPR has greatly increased the number of complaints registered with the CNIL: more than 11,000 complaints in France in 2018, about a third more than the year before. At the European level, more than 95,000 GDPR-related complaints have been registered.
An unequal measure?
Several very large companies took advantage of the GDPR to reassure their users. Some American companies such as Facebook or Twitter even want a similar law to be adopted in the United States: the GDPR increases user trust, which is very profitable for them. However, compliance requires significant legal and technical spending that can seriously weaken the profitability of smaller structures.
Application of sanctions
Of the many complaints registered, few have led to sanctions. Supervisory authorities prefer to help organizations come into compliance rather than punish them. The largest fine so far was imposed by the CNIL on the US giant Google in January 2019: 50 million euros for lack of transparency and inadequate information about the personal data collected, and for the absence of valid consent to ads personalization.
How can companies react?
Digital technologies change day by day, and companies invest significant budgets in research and development in this area. The European Commission must therefore follow the evolution of these tools and adapt the regulation accordingly.
Blockchain is often presented as a way to record the data collected by companies in a reliable, tamper-evident way while remaining compliant with the GDPR. The claim deserves a caveat: what is usually written to the ledger is not the data itself but a hash or a reference to it, and such a hash is pseudonymous, not anonymous. Anyone who holds or can enumerate the original values can recompute the hash and link the record back to the person, so the record remains personal data under the GDPR. The immutability of the ledger also sits uneasily with the right to erasure, since an entry cannot be deleted once written. Storing on-chain only a keyed commitment (or a ciphertext) whose key stays off-chain, and keeping the clear data with the controller, limits both problems: the record is unlinkable without the key, and destroying the key is the closest available equivalent to erasure.
Identification of participants and miners: each participant or miner has a public key, which identifies the sender and the recipient of a transaction. A public key is itself pseudonymous data relating to its holder.
However, a transaction may carry additional data, such as a diploma or a title deed. If that data relates to natural persons, possibly other than the participants, who are directly or indirectly identifiable, it is personal data. On the basis of this distinction, the usual GDPR analysis grid applies: identification of the data controller, implementation of the data subjects' rights, implementation of appropriate safeguards, security obligations, and so on.
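The following Python example, added here and not part of the original article, illustrates the point above: a plain hash of an identifier written to a ledger can be re-identified by anyone holding a list of plausible identifiers, whereas a keyed commitment (HMAC with a secret kept off-chain) cannot be recomputed without the key. The e-mail address, the attacker's dictionary and the function names are constructed for the example.

```python
"""Why a hash on a ledger is pseudonymous, not anonymous (added example)."""
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample: a controller wants to record on a public ledger that this
# user registered, without writing the address itself on-chain.
SAMPLE_EMAIL = "alice@example.com"

# Constructed sample: a list an attacker could plausibly hold (a leaked customer
# list, scraped addresses, or every value of a low-entropy format such as a
# phone number or national ID).
ATTACKER_DICTIONARY = [
    "bob@example.com",
    "alice@example.com",
    "carol@example.org",
]


def plain_hash(identifier: str) -> str:
    """Naive on-chain record: unkeyed SHA-256 of the identifier."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def reidentify(on_chain_digest: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack: rehash every candidate until one matches the digest.
    Succeeds whenever the attacker can enumerate or guess the original value."""
    for candidate in candidates:
        if plain_hash(candidate) == on_chain_digest:
            return candidate
    return None


def keyed_commitment(identifier: str, key: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 under a secret held only by the controller.
    The digest cannot be recomputed without `key`, so the ledger entry is
    unlinkable to the person for anyone who lacks it."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify_keyed(on_chain_digest: str, candidates: List[str],
                     key: Optional[bytes]) -> Optional[str]:
    """Same dictionary attack against the keyed commitment.
    Without the key there is nothing to recompute, so it fails outright."""
    if key is None:
        return None
    for candidate in candidates:
        if hmac.compare_digest(keyed_commitment(candidate, key), on_chain_digest):
            return candidate
    return None


def demo():
    """Runs both variants; returns (naive result, keyed result without key,
    keyed result with key)."""
    naive_record = plain_hash(SAMPLE_EMAIL)
    recovered = reidentify(naive_record, ATTACKER_DICTIONARY)

    key = secrets.token_bytes(32)          # stays off-chain with the controller
    keyed_record = keyed_commitment(SAMPLE_EMAIL, key)
    without_key = reidentify_keyed(keyed_record, ATTACKER_DICTIONARY, None)
    with_key = reidentify_keyed(keyed_record, ATTACKER_DICTIONARY, key)

    # Once keyed_record is on an immutable ledger, destroying `key` is the only
    # way to make it permanently unlinkable.
    return recovered, without_key, with_key


if __name__ == "__main__":
    print(demo())
```

Note that the keyed commitment only moves the problem to key management: the controller still holds personal data (the key plus the clear data) and remains subject to the GDPR for it; only the on-chain record stops being linkable once the key is gone.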