An interesting article in today's FT on the need to update the GDPR will not be welcomed by those who toiled with compliance programmes, policy updates and the preparation of records of processing less than three years ago.
It is reported that German MEP Axel Voss, a driving force behind the GDPR, recognises that the GDPR is not sufficiently nuanced for some of today's challenges including blockchain, facial or voice recognition, text and data mining. The COVID pandemic and the shift to remote working have also created unexpected issues, including the technical challenges of compliance by organisations with a remote workforce using software that authenticates them for a host of services with a single login or monitors what they do online.
The opposing position is that, despite advances in technology, the GDPR remains fit for purpose, as it was never meant to address every possible scenario (something many engaged in clinical research and studies may agree with!). As the most commented-on piece of European legislation, with drafting taking almost five years, the GDPR does strike a balance reflecting input from stakeholders in many different public and private roles and across many industries. As Sophie in ’t Veld, a Dutch MEP, commented, the "GDPR is also a very general piece of legislation that leaves lots of flexibility for implementation."
As we approach the third anniversary of the GDPR's implementation, perhaps instead of looking to update it we should be giving regulators more time to evolve the legislation through enforcement.
A considered, consensual and pragmatic approach to enforcement, focusing on and, where necessary, punishing non-compliance in areas of concern while not over-blowing technical infractions, would be a great start in achieving the aims of the GDPR and protecting the fundamental rights of individuals.
If done correctly, positive enforcement of the GDPR could avoid the upheaval of replacing it and a repeat of the 2018 GDPR-armageddon. This, I am sure, would be a great relief to many DPOs, GCs and compliance officers.
We have to be aware that GDPR is not made for blockchain, facial or voice recognition, text and data mining [ . . . ] artificial intelligence,