GDPR – Three years and counting
Howard Freeman, MD at Fortis DPC Ltd, discusses the road ahead for businesses after three years of GDPR.
The UK Government has made it clear that they want Britain to be a place where companies can transact digital business. GDPR will be a vital component of the strategy. On leaving the European Union, a new law came into force that contains the EU GDPR, the PECR (Privacy and Electronic Communications Regulation (2003)) and the Data Protection Act of 2018. This is now better known as the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
Regulators are taking external factors, namely the pandemic, into account and adjusting accordingly. However, this is only where applicable. What organisations cannot rely on are affected individuals being as forgiving. With group actions and the GDPR allowing individuals to make claims for their data being breached, there is a very real possibility that these will hit organisations harder than regulatory fines.
In 2021 and with the end of the pandemic looming, now is the time for organisations to learn the lessons from others who have fallen foul of the GDPR to date. Therefore, focusing on data protection practices and making compliance a habit goes a long way in avoiding the full ramifications of a data breach.
The GDPR dust settled throughout 2018 and the needs of businesses’ data processing became clearer. Fake news around the GDPR has not helped, with rumours and misinformation distracting business leaders away from the real requirements. Many thought they were exempt and, without really checking, did nothing whatsoever. The GDPR does address the needs of individuals who have the right to have their data protected and not sold or abused. In the case of the latter, the purpose limitation principle has been excellent, though often ignored by many businesses.
An area of the GDPR often abused is the Data Subject Access Request (DSAR) right. Individuals may be being difficult for the sake of it or trying to use the right instead of open disclosure for legal cases. The disappointment has been the ICO being overly keen to support individuals in this case. Business has the right to refuse a DSAR and the ICO should support this.
The top five breaches include Google, H&M, TIM Telecom, British Airways and Marriott Group. Two of these were actual data breaches. The other three were not. These were due to poor practice. Therefore, you might ask, why were they fined? Regulators are focussing on culture, not just data breaches. However, in all cases it was clear that the businesses concerned were all guilty of poor processes and a non-data-safe culture.
Still a work in progress
Alja Poler De Zwart, Partner at Morrison & Foerster, spoke to Business Leader about the current state of the industry.
The EU’s General Data Protection Regulation (GDPR) was the long-awaited step of the European legislators, backed by the European privacy regulators and advocates, to protect individuals’ privacy in an attempt to give them more rights and control over their own data. The GDPR was a game-changer not only by trying to harmonize the privacy rules as much as possible across the EU, but also by imposing stricter requirements on organizations and keeping up with the new times and technology developments.
The GDPR was necessary considering that the GDPR’s predecessor, the Data Protection Directive, was adopted in 1995, thus pre-technology, pre-Internet and pre-social media as we know them now. Its profound impact is being felt more each passing year, with high-profile fines being handed down and other jurisdictions following suit with similar legislation: the General Data Protection Law (GDPL) in Brazil and the California Consumer Privacy Act are just two examples. While the GDPR has been transformative in many ways, its interpretation and enforcement are still a work in progress. The European regulators will need to ensure that their guidance, opinions and enforcement decisions align with the spirit of the GDPR and do not result in too great a fragmentation and deviation of rules per country.
The legal perspective
Mark Taylor and Ashley Hurst, partners at law firm Osborne Clarke, expanded on this.
The European Union launched the General Data Protection Regulation (GDPR) three years ago this week. Much has been achieved but many of the most complex data challenges remain.
The main aims of the GDPR were to empower people to help them to gain more control over their personal data and to provide companies with one set of rules to improve data security throughout the EU.
In that time, 661 known GDPR fines totalling €292 million were issued across the EU, with Spain issuing the most at 222, followed by Italy with 73.
At Osborne Clarke, we have handled over 200 data and cyber incidents internationally since the GDPR came into force, approximately 70 per cent of which have been notified to data regulators. Increased transparency has led to a substantial increase in both regulatory engagement and post-breach litigation. But it is perhaps the cultural change brought about by the GDPR that has been the most interesting trend to observe.
We are seeing a tangible shift in how GDPR compliance is perceived, from being part of the corporate compliance regime to being a commercial and reputational differentiator.
Every business has had to think about GDPR over the last few years – however, not all businesses think about it in the same way. It’s more efficient and less disruptive to take a “compliance by design” approach than to retrofit GDPR compliance. In turn, data privacy is becoming part of the corporate mindset for many businesses. Across all sectors, we’ve seen our clients start to embrace the opportunity and potential competitive advantage from being perceived by customers and consumers as a “privacy first” business.
One of the marks of the success of the GDPR is its influence on the current wave of digital regulation coming out of Europe. The same basic set-up of a framework of regulatory obligations, plus national enforcement infrastructure, plus – the real GDPR differentiator – potentially eye-watering fines, is now coming down the track for consumer law, online harms, data governance, Artificial Intelligence (AI) regulation, to name a few. Having seen how GDPR compliance can start to power advantage, businesses may see these new regimes as more than just additional regulatory cost and risk.
Now that the foundational compliance regime is in place and being replicated across the world, the more exciting challenge of exploiting data to achieve business and societal challenges, such as decarbonisation, can proceed with more certainty.
In terms of what to expect in the next three years, complex challenges still to be tackled include how the GDPR applies to some of the AI solutions being developed and rolled out, how businesses will store and transfer personal data to get around adequacy concerns resulting from the infamous Schrems case, how the adtech ecosystem will adapt to create a sustainable operating model, and how data privacy rights will be reconciled with freedom of expression as part of the increased regulation of online safety.
For the post-Brexit UK, there’s no sign of any radical departure from the legacy GDPR approach for UK data privacy. Data has been identified as a priority in international trade agreements, and we’re expecting announcements soon from DCMS about the countries beyond the EU with which it will prioritise reaching data adequacy agreements so as to facilitate international data flows for UK-based businesses.