Suppose the EU Commission intends to live up to its digital ambitions as a ‘world-class data hub’ and reinforce its position as a global leader in data privacy and protection legislation. In that case, it must balance the legislation on data privacy to digitisation and trade on several GDPR components like international data transfers, data sharing, revising the data adequacy arrangements, removing human review from automated decisions, increase the number of lawful bases for processing sensitive data to fit the digitisation and data transformation options in the fast world of 5G.

Data as the new black can boost productivity, innovation and growth and encourage competition
GDPR revisions could allow automated decision-making by removing the human review from algorithmic decisions. Businesses can instead document how decisions are made rather than detailing complex information about their systems and logic.

The overwhelming conclusion is that no recent global piece of legislation has had quite the same impact or level of interest the General Data Protection Regulation (GDPR) has had in the three years since it came into force. We have to go way back to mid-2000 when there was a similar frenzy on the Sarbanes Oxley or SOX legislation.

GDPR is at the forefront of corporate compliance concerns
The GDPR has multiple global at the time of implementation daring due to the legislation’s multi-jurisdiction (over) reach. However, this global implementation has set the benchmark for organisations to ensure data protection and respect peoples’ privacy three years later. In addition, the even livelier provisions on how to penalise wrongdoing with exorbitant fines of up to 2 or 4 per cent of a company’s global turnover.

Therefore, even though the jury is still out, a preliminary conclusion can be that GDPR has globalised and harmonised the global regulatory enforcement and data protection practices as most large countries (and now even the USA) has identical legislation. Many global components illustrate how well the GDPR works in practice for the majority of cases. However, there are a few flaws that need to be addressed.

Different EU and global countries and cultures have different enforcement appetites and approaches, cross-border collaboration, data protection authorities, and the resources necessary to implement international legislation effectively.

The EU oversight lead, Mr Wiewiórowski, has also expressed a “danger” that a lack of consensus in the decision-making process could lead to DPAs “disowning decisions they don’t like”. In contrast, the lead supervisory authority is forced to uphold a decision with which it disagrees.

One-stop-shop is “not practical.”
Due to the enforcement and oversight dissimilarities, some companies question whether the regulation—and the way it is regulated—is fit for purpose, which can lead to problems understanding case law.

The goal is that the one-stop shop enables DPAs to give feedback over time, leading to the improvement of the final decision so that the regulators can work toward a common understanding of joint GDPR enforcement.

The one-stop-shop mechanism requires collaboration and resources for quicker and more effective decision-making. Furthermore, it is streamlined with a mechanism within the GDPR to adopt DPA decisions instead of taking its own decision based on its investigation.

Data knows no boundaries
Another claim is that GDPR as a regulation has failed to achieve what it was supposed to; it has led to massive bureaucracy and compliance costs; severely hampers Europe’s digital transformation, and needs an urgent overhaul.

Another conceptual flaw is the “one-size-fits-all” approach, which makes no distinction about the size of the organisation processing data, what it is using that data for, or its ability to comply. The regulation further fails to acknowledge that different industry sectors use data and how reliant they are on technology for data processing based on low or high risks, cloud usage, Big Data, Internet of Things, and blockchain due to data minimisation right to be forgotten.

Resolve the 20-year conflict over how to transmit transatlantic data flows
Consent mechanisms are impractical and criticised as the inflexible rules limit how companies can develop artificial intelligence (AI) blockchain, big data and data transformation systems.

Another option is to replace the conditions with a legalistic version of consent by introducing legitimacy data processing benefits society, often bypassing user input.

Article 5 and Article 22 of GDPR pose constraints that limit the execution of the new AI systems with barriers on organisations to collect new data and reusing existing personal data for other purposes that could enhance innovation as data is the new black.