Navigating the nexus of EU Policy, Digital Technologies, and Futures (S1/E2)

S1/E2: The General Data Protection Regulation of the European Union – It’s good to be a EU citizen

You certainly still remember Max, the software developer friend of mine, who, in the previous episode, had a hard issue with GDPR – the European Union’s General Data Protection Regulation. As we saw there, the GDPR was probably the first European legislation to have a big impact on the software industry, or to be more precise, on any industry that uses software, and this worldwide.

The current regulation is indeed very restrictive and imposes hefty fines to those who do not comply. It not only thoroughly protects personal data, but also forces cybersecurity upon users of software that deals with such data. Therefore, I thought that those from the SWForum.eu community that still do not know much about the GDPR would gain from being aware of its main points, which are as follows.

GDPR 101

The regulation is designed to give EU citizens more control over their personal data – be it in electronic or non-electronic format, although in this text the focus is solely on data that is stored in electronic format – and how it is used, and it has far-reaching implications for companies of all sizes that use software to process such data, from small start-ups to large enterprise organisations.

One of the main ways that the GDPR has affected the digital economy is by increasing the importance of data privacy and security. Under the regulation, companies are required to implement measures to protect the personal data of EU citizens from unauthorized access, use, and disclosure. This includes implementing robust security protocols, such as encryption and multi-factor authentication, and regularly monitoring and testing their systems for vulnerabilities.

Another key aspect of the GDPR is the requirement for companies to be transparent about how they collect, use, and store personal data. This includes providing clear and concise privacy notices to individuals and obtaining explicit consent for the collection and use of their personal data. A large portion of companies that use software to deal with personal data must also appoint a Data Protection Officer (DPO) who is responsible for ensuring compliance with the GDPR.

The GDPR also gives EU citizens the right to access, correct, and delete their personal data, and to request that it be transferred to another organization. This means that firms that use software for data processing must have mechanisms in place to quickly and accurately respond to these requests, and to ensure that they are able to provide the requested data in a format that is easily readable and transferable.

Actually, one of the biggest nightmares for companies under the GDPR is the risk of penalties for non-compliance. The regulation includes significant fines for organizations that fail to meet its requirements, with penalties of up to 4% of annual global turnover or €20 million (whichever is greater!). This is why Max’s employer had to invest heavily in compliance measures and training: to reduce the risk of such penalties.

The GDPR also has implications for international companies that operate software in the EU. These companies are required to comply with the regulation regardless of where they are based, and must appoint a representative in the EU if they do not have a physical presence here. This has led to a number of companies opening offices in EU countries or appointing local representatives to ensure compliance.

As explained in Episode 1, there was plenty of time for anyone to get acquainted with the nascent GDPR, since it was proposed by the EC in 2012 and took a little over four years to be published and enter into force, with two more years to be implemented by the Member States and the EU.

If you are curious to understand why it took so long to reach an agreement on the GDPR text, and what kind of measures were introduced during the negotiations, you may wish to tune to S1/E3 in a couple of weeks. There, I intend as well to briefly explore non-personal data protection in recent EU policy and legislation, which can also be of interest to our community here at SWForum.eu.

If you managed to read all up until this point, I think it was worth your time and interest. Now I hope you can understand why the GDPR is a true game-changer, for big (4%) and small (20M€) companies alike. Whichever is greater!

Talk to you soon. Stay tuned.

(If you have time - and interest - you may wish to watch the inaugural class that I gave earlier this month (March 2023) at the Computer Sciences Graduate Programme of the University of São Paulo, Brazil. There I address topics similar to the ones in this series. The talk is in Portuguese, the slides are in English.)


[This blog series is inspired by research work that is or was partially supported by the European research projects CyberSec4Europe (H2020 GA 830929), LeADS (H2020 GA 956562), and DUCA (Horizon Europe GA 101086308), and the CNRS International Research Network EU-CHECK.]


Afonso Ferreira

CNRS - France

Digital Skippers Europe (DS-Europe)