GDPR – Six Months After the D-Day
Lehtisalo, Iiro (2018)
Haaga-Helia ammattikorkeakoulu
2018
All rights reserved
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2018112718374
https://urn.fi/URN:NBN:fi:amk-2018112718374
Tiivistelmä
The General Data Protection Regulation passed 2016 and the regulation was enforced on May 2018. The regulation aims to protect personal data, that are controlled and processed by companies and organisations.
Due to the Regulation, natural persons may request companies to provide all information they have regarding the data subject. Natural persons also request companies to correct the information, to withdraw their consent on using the data or to request to erase the data and forget them.
For companies the GDPR brought an obligation of accountability, reporting the security breaches, and possibility of sanctions. For natural persons the GDPR brought transparency on, how their personal information is controlled and processed by the companies.
The GDPR still evolves, because many EU member states are harmonising their legislation to comply with the Regulation. In Finland, the national law passed 13th November 2018. New ways of mass processing information, like Artificial Intelligence, need to consider the GDPR restrictions in their development.
My goal was to discover in what ways the GDPR has presented itself to companies and to natural persons. I reviewed the GDPR main concepts in the theoretical part of this thesis. I continue from theory to review the financial impact and first six months events after the enforcement. I interviewed data privacy experts to understand the company’s point of view on GDPR and to understand, what they have done to comply with the Regulation. Finally, I present self-probing results, where I have exercised my right to access my personal data the selected companies control and process.
The GDPR has been a tough project for companies. On average 12 to 18 months lasting, involving tens of people around the company and outside the company. The cost and the extent of the project has asked a lot of resources; thus, a lot of companies have seen the whole project as a nuisance.
Companies have not realised the size of the project fully, when engaging with their GDPR projects. This has led the focus solely on information systems and overwhelming hassle. Focus on information systems has diminished the focus on companies’ business processes.
Based on my self-experimental probing, the companies collect, and control data based on their business needs and comparison between the companies is difficult even, if the core business is the same.
Due to the Regulation, natural persons may request companies to provide all information they have regarding the data subject. Natural persons also request companies to correct the information, to withdraw their consent on using the data or to request to erase the data and forget them.
For companies the GDPR brought an obligation of accountability, reporting the security breaches, and possibility of sanctions. For natural persons the GDPR brought transparency on, how their personal information is controlled and processed by the companies.
The GDPR still evolves, because many EU member states are harmonising their legislation to comply with the Regulation. In Finland, the national law passed 13th November 2018. New ways of mass processing information, like Artificial Intelligence, need to consider the GDPR restrictions in their development.
My goal was to discover in what ways the GDPR has presented itself to companies and to natural persons. I reviewed the GDPR main concepts in the theoretical part of this thesis. I continue from theory to review the financial impact and first six months events after the enforcement. I interviewed data privacy experts to understand the company’s point of view on GDPR and to understand, what they have done to comply with the Regulation. Finally, I present self-probing results, where I have exercised my right to access my personal data the selected companies control and process.
The GDPR has been a tough project for companies. On average 12 to 18 months lasting, involving tens of people around the company and outside the company. The cost and the extent of the project has asked a lot of resources; thus, a lot of companies have seen the whole project as a nuisance.
Companies have not realised the size of the project fully, when engaging with their GDPR projects. This has led the focus solely on information systems and overwhelming hassle. Focus on information systems has diminished the focus on companies’ business processes.
Based on my self-experimental probing, the companies collect, and control data based on their business needs and comparison between the companies is difficult even, if the core business is the same.