- The General Data Protection Regulation (GDPR) turned three years old on May 25, 2021
- Although based on existing rules at the time of inception, GDPR’s implementation represented a huge shift in the law
- Non-compliance carried serious penalties – not only the fines but reputational too
- Although enforcement has not (yet) been at the levels expected, the threat of data breaches continues to grow as all of us conduct more and more of our lives online
- Enforcement to date has placed an emphasis on culture and the processes of data protection, not just on actual breaches
- Meeting GDPR obligations can be challenging and definitely not a “do once and forget” activity
- Notwithstanding other distractions (such as Covid), indications suggest that the focus is coming back on the completeness and effectiveness of Data Privacy mechanisms
The General Data Protection Regulation (GDPR) is now three years old.
Although very much based on rules that were already in force at the time, GDPR brought these often disparate rules together as a response to both the threats from growth in online activity and the need to better protect individual rights to their data. As a consolidated, focused work, it represented a huge shift in the law, that people took seriously. Non-compliance risked fines of up to €20 million, or 4 per cent of global annual turnover, and there was fear of potential impact to reputation too, keeping in mind the importance of data and the associated trust to handle it for most of today’s businesses.
Thinking back to the birth of GDPR, much like every new-born there was the pre-birth anticipation, the anxious wait, the birthing drama and finally the full-bloodied, triumphant, screaming emergence. And then what? Sleepless nights? Constant checks on development? Toddler tantrums as it sought to assert its personality? Well, not quite. While GDPR has changed the life of data privacy legislation, toddler tantrums have yet to occur.
In fact, in the UK, enforcement activity has been far less noisy than some had expected, with only four fines issued. The British Airways record fine of £20 million (for a breach affecting more than 400,000 customers) of course refocused attention. The fine could have been far larger, since the original intention was to levy a fine of £183 million. In Europe, a total of €272,500,000 in fines have been handed out since the GDPR became a requirement. In France the data protection authority CNIL fined Google Inc. €50,000,000, due to lack of transparency about their GDPR processes. In Germany, the Hamburg data protection authority fined the global retailer H&M €35.26 million because their legal reasons for storing data were not good enough. And in Italy, the data protection authority fined a telecommunications company (TIM) €27.8 million because of a lack of transparency.
Some of these fines were large – but not quite the 4% of annual turnover. So, when it comes to asserting itself, it seems that the GDPR regulators are still testing out their powers.
But this may be changing. Notwithstanding other distractions (such as Covid), indications suggest that the focus of GDPR is coming back to the completeness and effectiveness of Data Privacy mechanisms.
Like never before, most of us are conducting our lives online, both personal and work (given the pandemic restrictions and remote working). More than ever, there’s a growing appreciation of data as an asset to be protected, and for companies to transform the way they share, collect, and utilise data.
The rapid adoption of technology, and more specifically AI, which has flourished during Covid-19, creates further challenges. How do organisations ensure they adhere to regulations such as GDPR, and protect the rights and freedoms of individuals while protecting against biases if a robot processes streams of data for them? What if the AI learns to process the information more quickly but it doesn’t meet regulation? What then? Understanding data flows is key.
Applying GDPR can be challenging considering how different industry sectors use data and how reliant they are on it, the kinds of technology they use, or whether the data processing they are carrying out is low or high risk. Some of the concepts upon which the GDPR is based date back to the 1980s; and so not surprisingly, cloud usage and Big Data are not especially considered in it. Further, emerging technologies such as Internet of Things and blockchain can in some ways run counter to what the law is trying to achieve—minimizing data and enabling the right to be forgotten.
The cyber threat is real too: the number of data leaks caused by hacking, malware and phishing in 2020 increased by 30% compared to the previous year. In aggregate there have been more than 281,000 data breach notifications since the application of GDPR on 25 May 2018. For the period from 28 January 2020 to 27 January 2021 there were, on average, 331 breach notifications per day (a 19% increase) in Europe. Although these numbers are high, it can also be said that companies are taking the legislation seriously. According to a 2021 report by Cisco, corporate data privacy budgets doubled to an average of $2.4 million in 2020 as businesses raced to ensure that they stay on the right side of the GDPR. Not an insignificant amount to spend on a new arrival.
Breaches make the news. But the common denominator for enforcement however is that it has been poor practice that has landed organisations with large fines. What it highlights is the importance that regulators have placed on culture and processes of data protection overall and not just with a focus on mitigating a data breach. In many cases, the legislation has armed companies with helpful tools to protect themselves and their customers against data exploitation. However, ensuring GDPR compliance is not an area where companies can do the work once, put it in a drawer and forget about it. Rather businesses need to keep on top of changes and guidance and act to reduce the risk of fines, given the regulators’ evolving areas of focus.
There is a great deal of detailed work to do in order to maintain GDPR compliance. But on some level, a few overarching statements can help frame an approach include:
- Do you have a clear and complete view of the data held – what it is, where it sits, how it’s used?
- Do you have a clear and complete view about how data moves around the organisation, across interfaces, and to-and-from third parties?
- Do you have effective controls for system access, security and resilience?
- Do you have effective controls over data access and retention, and can you access and present data if needed?
- Do you have a robust data privacy risk framework, a data aware culture and a process of continuous improvement?
The detailed records of processing activities, carrying out impact assessments, developing with privacy by design in mind, managing change, and other practices are clearly important. However, ensuring data privacy remains front-of-mind for all staff is vital. And hard. Driving the cultural and behavioural shift needed is not easy. Training is often the only tool used. But that can be clunky, un-connected with the reality of people’s day jobs, too generic, and an annual exercise akin to watching a 10-minute video and scoring 75% across half-a-dozen questions. Three years on, there is still no regulatory certified (or approved) training course for GDPR. Globally, the International Association of Privacy Professionals is seen as the gold standard. But it doesn’t have approval from the regulator.
Post-Brexit, the provisions of the GDPR were incorporated into UK data protection law as the UK GDPR at the end of the transition period. Transfers of personal data between the UK and the EU are allowed under a set of temporary arrangements implemented at Brexit while the UK seeks a formal decision on the “adequacy” of its data protection rules to allow for continued free movement. The government has the ability to develop its own privacy regulation and ministers have made gentle noises to that effect. In a written statement to the House of Commons last year the prime minister stated that, “the UK will in future develop separate and independent policies” in areas that included data protection. More recently, the secretary of state for digital, culture, media and sport, spoke of a “sweet spot” of maintaining the strength of protection provided by the GDPR, but taking a less European approach.
But most commentators suggest that the government will be reluctant to diverge too greatly from the GDPR for fear of harming international business and trade. Any divergence would create huge challenges for global organisations. Already the patchwork of approaches to GDPR in Europe (and elsewhere) means that some feel that there is a complete lack of predictable methodology or consistency to how fines are applied, which appears at odds with the harmonisation the GDPR was expected to bring.
Already the one-stop shop mechanism that is intended to ensure all global regulators apply the law equally is not considered to be effective. There are concerns that the lack of consistency enables arbitrage, where companies set up in jurisdictions thought likely to impose lighter sanctions. And this variety of regimes causes a large administration burden. But the cross-geography complexity should not suggest that establishing an effective mechanism is in the “too difficult to do box”. Far from it, if anything it should promote activity to define and embed uniform global standards, reducing the admin burden and leveraging economies of scale and best practice.
There is no doubt that data privacy remains an important and growing threat. During the first three years of GDPR, enforcement has not been at the levels expected, but enforcement to date has placed an emphasis on culture and processes of data protection overall and not just on actual breaches. Meeting GDPR compliance can be challenging, and it definitely is not a “do once and forget” activity. Notwithstanding other distractions (such as Covid), indications suggest that the focus is coming back on the completeness and effectiveness of Data Privacy mechanisms. Ensuring that privacy mechanisms are well-designed, embedded and operating effectively seems to be high on most organisations to-do lists.