Time flies and, although we remember the hard work of awareness and education before its entry into force and everything that meant that D-Day in 2018, it has already been five years since its implementation. Yes, weeks ago, at the end of May, we completed a year under the General Data Protection Regulation (GDPR).
How crazy those days became! The vast majority did not act until they saw the wolf's ears, as they say. On the contrary, there were few who arrived with their homework done. And not entirely, because the panorama of their development left some room for doubt that would not dissipate until the moment of their actual use and application.
Practice makes perfect, they say. Over time, we must agree that whether due to the threat of sanctions, the fear of being left out or strategic conviction, today the rule is generally complied with and is widely integrated into organizations. There are always regrettable exceptions, of course.
We can assure you that the GDPR has introduced significant advances in the field of personal data protection in the last five years that we have already naturalized. One of the most important, that of informed consent. Citizens are now much more aware and this forces data controllers to be stricter. We have become accustomed to demanding that consent be free, specific, informed and unambiguous, which gives people greater control over their data.
But not only with consent, these five years have strengthened the rights of individuals in relation to their personal data, which includes the right to access their data, correct it, delete it, restrict its processing and transfer it to another service provider. The other side of this coin is that this empowerment of people implies clear obligations for companies. They were not entirely new, but above all the GDPR emphasizes the requirement to implement appropriate security measures. And, being practical, with a very useful proposal such as carrying out data protection impact assessments in certain cases and notifying data breaches to the authorities and the affected individuals within a certain period.
Then there is the most media-friendly and eye-catching, the sanctions. Yes, they do not cease and they are increasingly large. Especially those of the big technology and telecommunications companies. A classic. The truth is that yes, there are fines, but before getting here, companies and organizations have had full autonomy to decide how to process personal data and be able to demonstrate, in any case, that they comply with the principles of data protection. It is a matter of will.
If we can take a positive view of these five years, it is that their impact on the protection of personal data has raised general awareness of privacy to very respectable levels. It is no longer enough to just pretend that no one knows.
