One of the most impactful and transformative regulations in privacy, the GDPR, recently marked its second anniversary. Since enforcement began in May of 2018, businesses both in Europe and worldwide have had to change the way they handle personal data and increased their focus on privacy branding.
On May 28th, Vicki Gulloit – Partner, Privacy Culture, Mary-Jo de Leeuw – Interim Program Manager Cybersecurity at The Dutch Railway, and Justine Vilain – Privacy and Legal Manager at DataGrail discussed their top takeaways from GDPR after its 2-year anniversary. In case you missed it, we’re bringing you the highlights. You can watch the full virtual panel here.
GDPR’s Impact on the Global Data Privacy Landscape
“The GDPR has helped to protect users and their data. Lawmakers aimed to give EU residents more control over their data and their efforts have since led to an impact on privacy regulation in many countries.” – Mary-Jo
Mary-Jo noted that before the GDPR, there were very few regulations for data privacy, and those that did exist covered little and were scarcely enforced. In the past two years, the GDPR has led to hundreds of fines, some costing businesses millions. The largest sums include British Airways (£183.39m), Marriott International (£99m), and Google (£50m).
The GDPR differs from older regulations due to its broad reach, its focus on protecting individuals, and how it created standards for businesses to provide transparency. Additionally, the GDPR established Data Protection Authorities (DPAs), which are in place to supervise the application of the GDPR by auditing businesses, providing interpretation to the law, and handling violations and complaints. Beyond simply giving out fines, DPAs have changed the culture of privacy for businesses in Europe.
Justine added during the panel that the GDPR has had a reach far beyond Europe. It has inspired regulations in Argentina, Japan, Brazil, and multiple states in the U.S., most notably California. The CCPA comes into full effect July 1st, “granting individuals a lot of the rights such as access and deletion that came from the GDPR,” Justine noted. The CPRA, though further out (2023), is even closer in line with the GDPR, featuring greater protection and a full regulatory authority.
Change in Business Operations and Compliance
“Trust with customers has become essential, and privacy is now a large component in trust.” – Justine
The GDPR has forced businesses to make necessary changes such as security updates and cookie banners, but businesses have also begun incorporating privacy branding. As trust with consumers becomes increasingly important, privacy branding and a visible focus on privacy are necessary to compete in markets with privacy regulation or privacy-aware consumers. Justine shared that “People now expect privacy everywhere, and expect to be able to exercise it.” DataGrail’s 2020 Consumer Privacy Expectations Report revealed that 83% of consumers expect to have control over how businesses use their data, and 3 in 4 would boycott their favorite retailer if it failed to keep personal data safe.
Many businesses have also been required to appoint a Data Protection Officer (DPO) and increase resources for privacy. Privacy has become a trendy function and, despite COVID-19 concerns, privacy jobs and hiring are staying strong as they remain critical to companies’ compliance and branding. Though hiring helps, Justine points out one big issue facing businesses: “Is it easy to delete the data though?” Technology is one solution that companies are turning to. By automating the right to access and the right to be forgotten, companies remove the intense manual labour involved in searching through every record and piece of data associated with one individual. Automation is the only way to handle the increasing amount of scrutiny around privacy over the next 12-18 months. 70% of DataGrail survey respondents reported that the systems they had put in place for the GDPR will not scale as new regulations emerge. Companies need to implement scalable solutions through technology in order to stay ahead on compliance.
Mary-Jo added that there “are still lots of unnecessary breaches under the GDPR, and security may not be higher than before”. A number of the large fines imposed by the DPAs have been for data breaches, and Mary-Jo said that while the GDPR may not have solved data breaches, users and EU residents are much more aware of the risks when companies collect data. Her biggest takeaway for businesses is that there is a new sense of accountability in Europe. Organizations are required to have standards, processes, rules, and documentation in place to prove that they are making an effort to protect users’ personal data and privacy.
Catch more topics with Justine and other leading legal, privacy, and security experts on the DataGrail Privacy Leaders Conversation series.