Thomas Kuhn, an eminent American philosopher and historian of science, explained in substance in his book "The Structure of Scientific Revolutions" that when a standard reports anomalies and these anomalies become important, he then induces that the standard must be called into question, and that a new standard becomes necessary.
It is from this paradigm that the General Data Protection Regulation (GDPR) originates. With an increasing volume of data, incidents that have increased in recent years and a globalized flow of personal information, the implementation of a new data protection framework was becoming inevitable.
Transparency, accountability and traceability are the keys to the DGMP: organisations collecting personal data will now have to put in place measures to ensure the security, portability, integrity and traceability of European citizens' data.
At a time when the first sanctions are being imposed, it is necessary for organizations to become aware of the importance of the personal data they collect, and thus comply. Given the exponential volume of personal information that passes through, this paradigm could evolve in the very short term.
Expertise and investment
While the GDPR has had to be applied to organizations since May 25, many organizations, particularly start-ups, small and medium-sized organizations, still have questions and delays in their compliance mechanisms due to lack of resources or time.
Indeed, they understand the objective pursued by this new regulation and the necessary harmonisation at European level of the personal data protection framework. But, to answer it and possibly consider it as an opportunity, they often have only two ways: to allocate time internally to research or to call on external support.
In both cases, this requires expertise and an investment in time and resources that can be significant, which they cannot always afford, being a driver through the development of their business, and not necessarily having the resources of a large organization. As a result, many still struggle to keep pace with the legislator's timetable.
And yet, beyond the sanctions provided for by the regulatory authority in the event of failure to comply with these new obligations, the GDPR remains only a first step towards tighter control of the data, personal or not, that they collect.
The sooner they adopt the right methods and reflexes for handling the data they collect, the better prepared they will be to deal with future legislation such as the ePrivacy directive (which deals with prior consent and geolocation in particular).
If the GDPR only concerns natural persons, tomorrow it should logically extend to legal persons. It would seem logical that in the future, the data protection framework will evolve towards more technological forms.
Badis Matallah, Strategic Advisor Inferensia