It is now a year since the European General Data Protection Regulation (GDPR) became law. Just before the regulation came into effect, there was unprecedented talk and activity in organisations, and even in the media. Almost everyone was concerned about what would happen, and whether they were compliant.
The more pragmatic said that the sun would rise as usual on May 25, 2018 and that businesses would continue to operate as they had in the past. These practically minded people were mostly right, unless you live in a place where it is mostly cloudy and rainy, or your company has been fined.
The experience of citizens in the EU
GDPR was drafted to ensure that EU citizens have more control over their personal data in an increasingly digital world. Over the past year, this has led to:
Emails: citizens' mailboxes have been flooded with emails telling them that:
- A company had updated its privacy statement.
- The citizen had subscribed to a company's newsletter and must take affirmative action (called an opt-in) to continue receiving it.
In practice, very few people took the time to read these mails because there were so many. More importantly, the experience was overwhelming and most of us wondered “When did I subscribe to this company?”
Cookies on websites: another key experience has been the pop-up asking us to accept cookies when visiting our favourite websites. Some of us even wondered what cookies were. In a few cases, the very essence of transparency, fairness and choice was breached, as citizens had no choice but to click accept.
Leveraged GDPR: while most of us were confronted with emails, privacy statements and cookies, some leveraged GDPR by using their rights. Here I can quote my personal example. A hotel I stayed in charged me extra after I had settled all bills at checkout time. Upon calling, I was told that this was a decision of the accounts department and that I must pay as I had stayed there. No amount of clarification that the bills had been settled at checkout was helpful. In anguish, I went to their website, found the email of their data protection officer and sent an email to highlight that this was inappropriate use of my personal data, and that I would like to exercise my rights to rectification and deletion. A reply came in less than four hours telling me that the payment would be refunded, with an apology. In short, GDPR helps citizens if they choose to leverage it.
We all know that there is no law with which we can be 100 per cent compliant, but there is always a reasonable level of compliance that an organisation can achieve. This statement becomes even more relevant for GDPR, as it is a regulation based on an accountability framework. So, around May 2018, most organisations could be bracketed into three categories: compliant with GDPR, working on compliance with GDPR, and waiting to see what happened in the market before taking action. Irrespective of the compliance situation in May 2018, over the last year all organisations have been busy with:
Responding to rights requests by customers: most organisations have been receiving rights requests from customers and have been busy in providing the right responses to address concerns.
Staying alert on personal data breaches: there has been increased attention to personal data breaches. This has led to organisations being more alert, and to some data breaches being notified to the regulators.
Observing the market and improving compliance: organisations have been watchful of the actions of authorities and are refining their privacy practices in line with new developments. More importantly, most organisations had a plan of action for after May 2018, and completing or progressing those actions has been the primary focus of organisations in the last year.
Data protection authorities
The authorities have been busy getting the required budgets and hiring the staff to organise themselves for the GDPR era. This is now almost complete. Whilst the authorities were busy, data published by the European Data Protection Board (EDPB) shows the following activity:
- More than 90,000 complaints were received by authorities across the EU
- More than 60,000 personal data breach notifications were received. It is important to note that the actual number of data breaches will be far higher than 60,000, as not all personal data breaches need to be notified
- More than 250 cross-border cases are being investigated
One of the most keenly debated topics and fears regarding EU GDPR was fines. In the last year, there have been some fines issued but the most significant was that handed to Google by the data protection authority in France: 50 million euros.
GDPR is already becoming a benchmark for privacy laws. Last year, there was an international conference of data protection authorities at which more countries indicated their intention to introduce GDPR-like laws. Brazil, Japan and the state of California in the US have already passed new privacy laws. India also has a draft privacy law that should be finalised soon.
In short, one thing is certain: GDPR is here to stay.
With the changes in privacy and cookie statements behind us, I do not see a new wave of bulk requests like last year. Of course, companies will fine-tune and adapt these in due course. And, with time, we shall see more awareness and use of individual rights in the years to come.
With most organisations having put the basics in place, I believe the following will be the focus for most organisations in the coming years:
Automation: key processes and tasks are likely to be automated, because you cannot manage these things through Excel spreadsheets. This will see an evolution in privacy software, with the better products becoming the market leaders in this space.
Focus on all data: GDPR has made organisations aware of what data they have. While learning this, they have discovered that a huge amount of personal data sits outside their IT systems. This includes personal files, emails, data downloaded into Excel, and so on. In the coming years, this will be an area that companies focus on as they strengthen compliance.
Review of GDPR compliance of vendors: while most organisations have completed the contractual side of vendor relationships, there will be a growing focus on ascertaining whether the vendors are actually GDPR compliant. I believe this will be an area that sees increased action.
In short, companies will strengthen their GDPR compliance and make sure they are more prepared for visits by authorities. Of course, actions by authorities on other companies will also drive proactive changes in GDPR compliance approaches.
Now that most authorities are becoming sufficiently staffed, we are more likely to see:
Audits: authorities are likely to be active in performing a few audits and finding out how compliant most organisations are. It is likely that this will result in advice and observations.
Guidance on certification: authorities will provide more guidance on certifications. GDPR stated that there would be privacy certifications, but so far there has been no visible action in this area. I believe that in the coming years the authorities will provide guidance on the criteria for being certified. This will lead to a trend of privacy certifications and seals being used by organisations to proactively demonstrate compliance with GDPR.
Increased cross-border collaboration: while in the past the authorities had national approaches, with GDPR and the collaboration now in place through the European Data Protection Supervisor and the European Data Protection Board, there are likely to be even more cross-border investigations conducted collaboratively.
These are early days for GDPR. Organisations will strengthen GDPR compliance actions and authorities will be more active. However, the biggest question is as follows. GDPR was brought in to bring accountability and responsible usage of data amongst organisations. At present, the way most companies have approached compliance with GDPR is that they have tried to fit their current activities into a legal puzzle named GDPR. Is this the right way? Or, will companies adapt their collection and processing of personal data in a more responsible way? Nobody knows if this change will happen. I sincerely believe that with time this change will happen. And, this will be the biggest benefit of GDPR in the long run.