What is GDPR - 8 to 10 years later - Clarification and Opinion

The European Union has a 'Charter of Fundamental Rights'. One of those rights is the right to data protection. The General Data Protection Regulation protects those rights (not just privacy) when personal data is processed (Article 1).

There are 6 principles for handling personal data and 1 principle for accountability (being able to demonstrate compliance with the 6 others). They set out what organisations must do before, during and after processing. Without a lawful basis, personal data cannot be processed.

Depending on the purpose and lawful basis of processing (Article 6), your data needs to be provided to a 'controller' for them to start processing. Transparency notices (which is what 'privacy notices' should really be called) help you understand how personal data is used, but bear in mind that many have been written without proper knowledge of the processing that actually takes place within the business. So a transparency notice may sometimes say one thing while reality is different.

There are also rights that apply to you, as an individual, and to your data. Some apply all the time, others only when they can. A legal requirement may not give you much choice.

Consent is only one of six lawful bases for processing. For many small and medium businesses that don't do online marketing, justifying a lawful basis for processing isn't complicated.

Personal data is meant to be safe in the EU, since all organisations are meant to be compliant with the GDPR. Personal data may also be sent outside the EU. The European Commission has listed a number of countries (through adequacy decisions) where your data should be as safe as in the EU. The reality is different when that list includes countries that kill journalists and carry out mass surveillance at a level you can't imagine. For data controllers, it is important to understand that such adequacy may not last forever, and that there is therefore an associated risk.

Do you control your data? In theory, you have more control. In reality, that is often not the case: exercising that control can be costly, and enforcement may be limited depending on the regulator.

Data protection officers (DPOs) are important people who are supposed to advise those who control data (controllers) when they process personal data, so that safeguards are implemented and processing does not impact people's fundamental rights. A DPO must act independently and can be external to the organisation.

As a regulation, the GDPR should harmonise personal data processing across the EU. Sadly, not all Member States have read the legislation the same way, nor do regulators have the same budget and the same will to enforce. Not forgetting that provisions such as Article 23 give Member States different rights.

Big Tech companies don't like regulations and rules. They lobby a lot, and it can be sad to see big names with long careers in public service assisting them in getting away with unlawful processing.

There is a danger in softening the GDPR at EU level. The envisaged simplification looks like it would benefit Big Tech. For everyone else, it will probably lead to more data breaches, as it is difficult to secure the unknown.

While I am at it, cookies aren't a GDPR matter. The e-Privacy Directive and its Member State implementations (SI 336 of 2011 in Ireland) dictate the need for cookie consent. Only the means of obtaining consent for cookies needs to be aligned with the GDPR's consent requirements. Cookies are not the only thing in scope for consent in the e-Privacy context.

Tools to assist compliance can help by providing KPIs and saving time. Of course, I can highly recommend www.bizoneo.eu. It is feature-rich, mature, and developed and hosted in the EU. It also helps with NIS/2, DORA, cyber security, ISO 27001 and a lot more.

Claude Saulnier
B-Eng - CDPO - CFRCP - CIPP/E

Data Protection SME & Product Manager Bizoneo

Post Scriptum (PS):