What does General Data Protection Regulation actually achieve?

Ok so GDPR is a regulation.
Regulations don’t actually do anything.

Why the question?

With many well documented hacks occurring recently I’m seeing many comments claiming … if GDPR had been implemented then the data wouldn’t have been exposed.

To me that’s utter diatribe as a regulation is not a protection against anything.

From someone who doesn’t reside or do business where GDPR legally applies what does it actually DO to protect my data from being accessible when the business system is hacked?

It does not protect your data, it only allows people and governments to sue corporations who abuse it. There have been some good moves overall when it comes to privacy because of the GDPR, for example the rulings against Google Analytics and Google Fonts. However, the theory behind the commentators’ statements is that if GDPR was universal, companies would be incentivized to collect less data in the first place, and therefore there would be less data to leak. This may be true in some cases, and it may not be; we know that companies aren’t exactly the greatest rule-followers.

tl;dr: You need encryption to personally protect yourself, you need regulation to see broader societal change.


As I figured and thanks :pray:

My Observation FWIW

The majority of successful cyber-attacks start with a failure to identify a fake email or SMS and responding to the fake links. The end result being sharing login information or passwords or a careless document download.

It only takes one compromised link in the chain to breach the chain and allow an unauthorised money transfer or access to sensitive documents.

Whether it is teenagers looking for an open door or sophisticated foreign criminals, the majority of breaches have one critical aspect: HUMAN ERROR.

In essence technology or regulation alone cannot stop human error, as people make assumptions regarding SMS and email communications all too often.

Regulation, software and insurance aren’t a silver bullet

Here you’re talking more about hacks.
GDPR is more about disincentivizing companies to hoard mass personal data without clear purpose and adequate protection.

I won’t cite every ruling the French CNIL has made to enforce GDPR, but I will say that specifically in France we can see (really slowly I’ll admit) these effects:

  • websites and apps have added cookies/tracking consent banners (but in an “accept/customize my choices” style)
  • then websites and apps have added a “continue without accepting” button in cookies consent banners (but formatted as a link and in small print in the upper corner)
  • currently websites and apps are changing these cookies consent banners to have only accept/deny buttons
  • as @jonah said more and more websites are removing Google Fonts and ReCaptcha, and replacing Google Analytics and other US tracking services with less invasive alternatives
  • now it’s very rare to find a newsletter/marketing check box in an account creation form that is opt-out instead of opt-in
  • it’s very rare to find a company that is sending you a new password by mail without it being temporary or forcing you to change it on connect. It’s also rare to have a company send you your previous password (meaning it was stored in clear text)
  • most companies now have a deletion policy for expired data (account unused after x time, old client data and files)
  • big tech is allocating a non-insignificant part of its revenues to pay future GDPR fines while trying to be proactive at avoiding the next one
  • Facebook/Instagram will now be forced to add (like everyone else) a cookies consent banner for targeted advertising

Nothing is completely shiny and perfect. Some European GDPR bodies are faster/fairer/better than others. The French one is slowwwww, the Irish one is very lax on the fine amounts to big tech…
And there are limits to the GDPR: the French CNIL has sent several fines to Clearview AI but still no payment, no communication, no change in policies, and for now the CNIL has no means to enforce this.

But fines are raining like crazy so every industry playing the PR game is frantically trying to guess the next GDPR move to start changing their own policies ASAP.
That’s what I saw with every client I was involved with since I’ve been in the IT industry.

There is this video from TechAlter about where GDPR went wrong and its flaws
link: Where GDPR went wrong - YouTube
