Home Insight Insight Category: Privacy

Privacy

Briefing

The European Commission’s General Data Protection Regulation (GDPR) Evaluation Report of June 2020, declares the GDPR a success. However, it concedes that there is still more work to do. The EU is proud that the law is now a reference point and a catalyst for many countries around the world to modernise their data protection rules. Businesses, including SMEs, can comply with unified rules on a more level playing field. The general level of GDPR awareness among European citizens stands at between 69% and 71%. Conversely, 30% of EU citizens are not sufficiently engaged with data protection.  This is a concern in an increasingly data-driven and artificial intelligence led future.  The EU boasts that GDPR is future-proof and provides important and flexible tools to ensure data protection / privacy by design and security by design as new technologies develop.

The Challenges

Since May 2018, there have been challenges to the uniform application of GDPR at EU level and in each EU country:

  • Between May 2018 and November 2019, 22 EU/EEA GDPR regulators issued 785 fines. However, most fines have been relatively modest and were mainly issued against the public sector and small companies.
  • The handling of cross-border cases has not been as efficient or cohesive as intended.  Differences persists in national administrative and court procedures, varying interpretations of key GDPR concepts and how and when to activate cooperation procedures.
  • Slovenia has not yet enacted new GDPR laws or updated older data protection laws and so is a weak link in EU-wide compliance.
  • Ireland and Luxembourg which hosts large global company headquarters have not received sufficient national funding and resources to meet their significant GDPR regulatory responsibilities.
  • The EU’s GDPR regulators acting as the European Data Protection Board (EDPB) mutually assist each other, but the consistency mechanism’s key dispute resolution and urgency procedures have not yet been used.

Priorities and Actions

EU institutions, GDPR regulators and national governments have been tasked with the following actions:

  • National governments should ensure that national laws and sector rules, are fully in line with the GDPR.
  • National governments should provide GDPR regulators with the necessary human, financial and technical resources to properly enforce the data protection rules and liaise with stakeholders, citizens and SMEs.
  • GDPR regulators should develop efficient working arrangements and increase the functioning of the cooperation and consistency mechanisms.
  • GDPR regulators should closely monitor how GDPR applies to new technologies such as Artificial Intelligence, Internet of Things, Blockchain, scientific research and other technologies and the EDPB will issue guidance on these topics.
  • The European Commission should continue to promote the convergence of data protection rules to ensure safe international data flows. This could include new or updated data protection laws or adopting the Data Free Flow with Trust (DFFT) concept internationally.
  • The European Commission should continue data protection adequacy discussions with non EU/EEA third-countries.
  • The European Commission will modernise and expand international data transfer mechanisms by updating the EU’s data protection Standard Contractual Clauses (SCCs) and certification mechanisms.
  • The EDPB will clarify the procedural steps to improve cooperation between the lead data protection authority and the other GDPR regulators involved in shared activities.
  • The EDPB will streamline the assessment and approval processes for Binding Corporate Rules (BCRs) to speed up the process.
  • The EDPB will complete work on the architecture, procedures and assessment criteria for codes of conduct and certification mechanisms as tools for international data transfers.

The Future

The EU believes that the GDPR’s future-proof and technology-neutral approach was tested by the Coronavirus Covid-19 pandemic and has proven to be successful. GDPR principles provided a useful framework to support the development of tools to combat and monitor the spread of the virus. This future-proof and risk-based approach will apply to the EU’s framework for Artificial Intelligence and the European Data Strategy. The overall aim is that GDPR becomes fully incorporated into the EU’s digital policy, data governance, data ethics, digital transformation, cybersecurity and pandemic recovery plans and initiatives. The EU’s strategy is also international, including engagement with African and Asian partners and inter-governmental bodies to promote regulatory convergence and support capacity-building within data protection regulators globally. There is also a plan to promote greater international enforcement cooperation between data privacy regulators, including signing cooperation and mutual assistance agreements.

The California Consumer Privacy Act 2018, or CCPA, took effect on 1 January 2020. The CCPA protects the rights of California consumers and gives them new data privacy and online rights. These new privacy rights include the right to know what information is held and used, the right to delete personal information, the right to opt-out of the sale of personal information (called “Do Not Sell”) and the protection from discrimination for individuals who exercise their CCPA rights. The California Attorney General is the CCPA regulator. Regulator enforcement beings on 1 July 2020. California is the world’s fifth largest economy and is home to some of the world’s most innovative companies and discerning consumers.

  1. How can we plan for CCPA enforcement, during Covid-19?

The regulator, the California Attorney General can enforce the CCPA after 1 July 2020 but can look back to January 1, 2020 when making enforcement decisions. The coronavirus covid-19 pandemic period is included. Companies and organisations need to document their pre Covid-19 CCPA compliance steps as well as the changes made to these compliance programmes by the impact of Covid-19.

  1. How important are data flow mapping and personal information inventories?

Data flow mapping and the creation of personal information inventories are key to CCPA compliance. There are many ways to create these and work from General Data Protection Regulation (GDPR) compliance activities can help. As part of this process, the approach taken by key suppliers, such as making CCPA rights available to all citizens across the USA or worldwide, will impact your company’s or organisation’s risk profile.

  1. What are the key areas we should spend time on at this stage?

The CCPA, like similar laws, places consumers and users personal information at the centre of data governance. Companies and organisations should focus on consumer touch points including privacy policies, consumer notices, consumer opt-out mechanisms, terms of service and data subject rights processes. It is very important that companies and organisations put in place and test their identity verification processes. For App-only companies and organisations or those with a lot of App-based customers, developing just-in-time consent notification solutions is a CCPA requirement that can lead to real and lasting consumer innovations.

  1. What should be our approach to CCPA and cybersecurity?

Where there is change, uncertainty or fear, cybercrime and cybersecurity incidents rise. CCPA requires substantial changes to data governance and data flows, which is significantly affected by the impact of coronavirus covid-19. Companies and organisations should strengthen their information security defences to reduce the impact of phishing attacks, impersonation, fraudulent CCPA applications and social engineering that uses the CCPA as a trigger.

  1. What are the steps to take to prepare for the next stages of privacy changes in California?

The California Attorney General will publish the finalised CCPA enforcement regulations in the coming weeks for agreement. Federal and California state-level coronavirus covid-19 rules will impact consumers across a range of sectors affected by CCPA. There are plans to submit a new California Privacy Rights Act (CPRA) into the November 2020 ballot to extend the scope of CCPA. Companies and organisations should avoid CCPA programme mission creep, especially as the global economy cools. Speculative or draft privacy changes should be monitored and assessed, but not confuse or detract from core CCPA compliance.

Further Information:

PrivacySolved Briefing: Five Key Things to Know about California Consumer Privacy Act (CCPA)

California Attorney General CCPA Resources

Californians for Consumer Privacy CPRA Resources

For Enquiries:

contact@privacysolved.com

Briefing

The Covid-19 pandemic introduces new and varied data threats, risks and data ethics challenges. There is no ideal playbook to respond fully to these concerns. Risk anticipation, risk identification, risk analysis, risk response and risk mitigation are now centre stage in corporate data governance. Coronavirus has rudely interrupted settled risk appetites in data protection, General Data Protection Regulation (GDPR) compliance, global data privacy and cybersecurity. Focussing on the highest risks is crucial. These high risk impacts include the proliferation of covid-19 contact tracing applications (Apps) and the rapid rise of cybercrime, hacking, scammers and cybersecurity incidents.  There are now significant encroachments on employee privacy because of teleworking and working from home. The impact of the enforcement of new data privacy laws and the need to avoid future regulatory scrutiny are all high risk concerns.

Contact Tracing Apps and Covid-19 Technologies

The pandemic is a data-intensive medical emergency. To reduce the spread of the virus, rigorous testing, manual tracing and contact tracing Apps have been identified as the best ways to combat the disease. Contact tracing Apps in China and South Korea often require a lot of personal data, track users, send notifications to the government and make automated decisions about whether a person should remain in quarantine or be allowed to work. Other solutions have focused on Privacy by Design and have invested in privacy-enhancing technologies. Australia launched an App that put the user in change of the data collected and how these are shared. Researchers at the Massachusetts Institute of Technology, Stanford, McGill, University College London,  Oxford University and elsewhere are pioneering the use of bluetooth technology, cryptography and minimum-data models. Google and Apple are working with NHSX, the digital arm of the UK’s National Health Service to launch a contact tracing App. Amid the innovation, key data ethics questions must be answered by all stakeholders. Who will be the data controller? Who will receive and store the personal data? Are privacy by design, data minimisation and security by design principles built into the technology? Will law enforcement have access to the health or other data? Will data be deleted, anonymised, pseudonymised or destroyed after a set period? What is the extent of geolocation tracking? Is the app compulsory? Are users given the opportunity to consent? Will data on the App be encrypted? Is the App built on open source software? Are developers willing to provide transparency about their algorithms in line with EU Governance Framework on Algorithmic Accountability and Transparency or Guidance from the European Data Protection Board? Contact tracing Apps and other Coronavirus-inspired technologies provide great opportunities, but also pose high risks to data protection, GDPR compliance and cybersecurity. Companies and organisations should work transparently and in an accountable manner.

Cybersecurity Threats, Cybercrime, Hackers and Scammers

The UK National Cyber Security Centre (NCSC) and the US Department for Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA)  have issued a joint advisory detailing how the Covid-19 global pandemic is being exploited by cybercriminals and advanced persistent threat (APT) groups. A significant number of malicious cyber actors are using the Covid-19 pandemic for their own objectives. All over the world, there have been increased ransomware attacks, phishing emails, social engineering, malware, email spoofing, text message scams (SMS phishing) and attacks against newly installed working from home systems. Cybercriminals and hackers are constantly attacking IT infrastructure, corporate networks, information systems, online services and applications. Business organisations and staff are encouraged to apply official guidance to mitigate these threats, encourage staff to spot potential attacks, train staff to “refuse to click, or delete” suspicious material and encourage IT leaders to update their staff awareness and reduce the risk of human error.

Encroachments on Employee Privacy

The World Economic Forum and Pew Research Centre have examined employee working from home practices in several countries, before the Covid-19 pandemic. Coronavirus has caused rapid and exponential growth in teleworking and working from home, around the world. Many of these arrangements were set up quickly with limited vendor due diligence, cybersecurity testing, data protection (privacy) impact assessments and staff training. There has also been a proliferation of personal data collected and stored on employer’s systems. Medical data, healthcare information, video and sound recordings, geolocation data, images and sounds of family members, biometric data, online tracking data and other sensitive and special categories of data have risen rapidly. Over time, companies and organisations must reassess their record management policies, retention schedules, data protection policies, GDPR compliance and cybersecurity protocols. The volume and types of new personal data creates increased data protection, GDPR and cybersecurity risks.

The Effect of New Data Protection Laws 

The GDPR inspired a rapid expansion of data protection laws around the world since 2016. The California Consumer Privacy Act (CCPA) came into force in January 2020 and enforcement is set to begin on 1 July 2020 by the California Attorney General. Even though a cross-sector group of companies, associations and organisations have requested that CCPA enforcement should be postponed because of Covid-19, enforcement will begin in July 2020. Companies and organisations around the world that fall within the scope of CCPA should continue their CCPA compliance programmes, focus on the most high-risk data sets and closely monitor their cybersecurity risk exposure. Brazil’s General Data Protection Law (LGPD), due to come into force on 1 August 2020 has been postponed until 1 January 2021 because of Covid-19. Administrative rules, sanctions and penalties will be enforced after 1 August 2021.

Reducing the Risk of Future Regulatory Scrutiny

Companies and organisations should maintain high data governance standards even though there is a pause in the progress of new data protection laws or the pragmatic enforcement of established laws and standards by certain regulators.  The UK Information  Commissioner’s Office and Ireland’s Data Protection Commission have indicated that they will take into account the context of Convid-19 in their enforcement.  Decisions made during the Covid-19 crisis will be judged months and years after the pandemic has subsided. The seeds for future GDPR and cybersecurity breaches could be inadvertently planted during the lockdown period. The key principles of lawfulness, fairness, notice, consent, transparency, accountability, data minimisation and cybersecurity resilience always apply. Trade-offs may be inevitable, but companies and organisations should always aim for win-win outcomes.

Briefing

Companies and organisations have had four years to implement the EU’s General Data Protection Regulation (GDPR), since it became law in 2016. May 2020 marks two years since enforcement of the law by the EU’s twenty-eight GDPR regulators began. GDPR has transformed global data governance standards and expectations. It has created a new lexicon for data protection, new responsibilities, new rights, new processes, new governance tools and has empowered the Data Protection Officer (DPO). GDPR compliance requires more than generalised assurances of privacy or data security. The requirements can be exacting, and companies and organisations must demonstrate compliance and accountability to prove their competence. The most forward-looking organisations now leverage data protection as a key market differentiator, a trust-building asset and a catalyst for data and cybersecurity innovation. The marketplace and individuals are now placing companies and organisations on an emerging spectrum of data ethics, seen through the prism of privacy by design, security by design, data minimisation, transparency and accountability. There are many lessons for boards and leadership teams and key issues to prioritise.

EU GDPR Regulators, Capacity Building, Enforcement and Fines

The GDPR can only be as effective as the levels and quality of enforcement that takes place. The GDPR required most EU data protection regulators to increase their staff, resources and working practices to deal with the sharp increases of GDPR complaints that arrived on and after May 2018. Since then, there have been  few multi-million Euro fines and some commentators have wrongly concluded that the GDPR has not been effective. GDPR regulators in France, United Kingdom, Germany, Italy, Netherlands and Spain have been the most high-profile and active in enforcement, but most of their output has been to publish detailed guidance, legally binding Codes of Practice and to put forward strategic positions on new and emerging technologies such as artificial intelligence, adtech, cookies, tracking technologies and privacy by design for children’s online services. Early enforcement has focussed on public sector bodies and smaller organisations. Several GDPR regulators had put in place GDPR enforcement moratoriums between May 2018 and May 2019 in order to build their capacity and to reduce their 2018 complaints backlogs. For some GDPR regulators, there has only been twelve months of proactive enforcement. The over-reporting of low risk personal data breaches since May 2018 has diverted much GDPR regulator time and resources.

Overall, GDPR regulators have been cautious in issuing high value fines. When EU-wide enforcement decisions are assessed together, it is clear that GDPR regulators are actively building a strong body of decisions, opinions, legally enforceable codes of practice and lower-level fines which will increasing expose GDPR compliance outliers. These will form the basis of future fines and more aggressive enforcement, especially for basic non-compliance and repeat complaints.

The European Data Protection Board (EDPB), which brings together all twenty-eight GDPR regulators, has been under-utilised, although its opinions, consultations and decisions are regarded as offering high quality GDPR legal interpretation and application. The EDPB’s work has focussed on its internal capacity building, work with other EU institutions and administering the twenty-eight GDPR regulator projects and meetings. A change of emphasis towards sharing large and high-profile investigations, constantly rebalancing resources to speed up enforcement decisions across all the EU regulators and actively supporting small and newer GDPR regulators would improve GDPR enforcement outputs. Taking a lead on globally significant cross-cutting issues such as data protection in politics, privacy-invasive technologies, data protection and market competition and privacy-enhancing cybersecurity, could systematically increase GDPR application and reduce individual complaints.  The EDPB could better use the powers it has in the GDPR to develop its unique voice and contributions. Board and leadership teams should continue to monitor how GDPR regulators are incrementally dictating the rules of the road for data governance and information security, especially for new and emerging technologies. The GDPR decisions of the EU’s highest courts, and the courts of each EU member state should also be monitored. These decisions can have immediate impacts on business models, data protection risks, supply chain data exposure and market positioning.

Data Protection Officers (DPOs)

Data Protection Officers are one of the GDPR’s most powerful tools. They are mandated to report to the highest level of management in companies and organisations, must have enough resources, must act independently, must be protected from penalty and intimidation and all have a duty to co-operate with GDPR regulators.  Individuals can contact DPOs directly, public bodies must appoint DPOs and their knowledge of the data and security ecosystem and organisational supply chains make them unique and formidable net contributors. They can also help to influence and shape data governance, cybersecurity risk appetite and data ethics.

However, there is a shortage of senior DPOs in the EU and around the world.  Too many DPOs are not as well paid as they should be and some lack the required status, influence and respect within organisations. Often, their ability to access the board and senior leadership team is mediated by unnecessary layers of management and bureaucracy. It is common to find that named DPOs often perform other management roles within the organisation that can conflict with their DPO role and affect their independence. Many DPOs are not consulted and included early enough, within projects, so that privacy by design work and data protection impact assessments can inform key decisions. External DPOs and Data Protection Officer as a Service (DPOaaS) are growing service offerings but it will take time to diversity these offerings and provide more innovative solutions. Boards and leadership teams must actively review the position, role and tasks of DPOs. Their reporting structures, resources and their contribution must be analysed. EU, EDPB and guidance from each of the EU’s GDPR regulators, where applicable, should be incorporated into organisations to increase GDPR compliance. DPOs must work in close partnership with Chief Information Officers and Chief Information Security Officers. Communication between DPOs, the board, senior leadership team, the C-Suite and operational heads should be easy, transparent, trusting and purposive. DPOs should be acknowledged as key asset guardians, critical friends and enablers.

Privacy by Design and Data Protection Impact Assessments

Before GDPR, Privacy by Design principles were practiced in highly regulated sectors and often only in the largest and most innovative organisations. GDPR has democratised and added Privacy by Design, Privacy by Default and Data Protection Impact Assessments (DPIAs) firmly into the data governance lexicon. These principles and data governance tools are expected to influence data flows, contribute to the design of new technologies and create a framework for risk-analysis, mitigation and review throughout data life cycles. GDPR regulators are beginning to request evidence of these. In the public sector, government bodies are increasingly expected to publish assessments of their digital transformation projects, smart cities initiatives, coronavirus covid-19 contact tracing apps and facial recognition technology projects.  Boards and leadership teams, should encourage a culture of data protection impact and data risk analysis, fully engage with these evaluations, monitor outputs and encourage their supply chains to demonstrate compliance, especially cloud services and emerging technologies.

Cybersecurity Takes Centre Stage

Information Security and Cybersecurity expectations were not fully developed in the pre-GDPR EU data protection laws. The GDPR has pulled these topics to the centre stage, allowing companies and organisations to address data protection and cybersecurity in a more integrated way. Personal data breach fines, notifications to regulators, notifications to data breach victims, data processor cybersecurity requirements and clearer risk-based information security analysis based on the costs, context, purpose and state of the art in information security are GDPR innovations. The power and impact of this is shown in the over reporting of information security incidents between 2018 and 2019 by many organisations in the EU.

Pseudonymisation, encryption, confidentiality, integrity, availability and testing are all specifically written into the GDPR. Detailed guidance has been issued by various GDPR regulators across the EU, and many provide online personal data breach reporting. The growth of cybersecurity monitoring, real-time reporting and breach incident management software continues. GDPR personal data breaches are widely reported in the media. GDPR has added momentum to existing efforts to publicise the impact of data breaches on organisations’ reputation, share price, consumer trust, user engagement, market share and profits. As a result of this, boards and senior leaders must remain fully engaged with their cybersecurity risk profile and encourage their teams to risk-assess their supply chains, practice data breach drills, purchase effective cybersecurity insurance, apply relevant GDPR regulator guidance, train staff and partners and empower their entire organisations to actively remain within a framework of information security resilience.

GDPR, Global Soft Power and Future Expansion

The GDPR exerts soft geopolitical power, bilateral trade power and is an engine for the international growth of data ethics and security by design. For example, GDPR was a key component in the EU-Japan Economic Partnership (Trade) Agreement in 2019 and the accompanying Japan Data Protection Adequacy Decision in 2019. GDPR and personal data flows are also key themes in the EU-UK Brexit trade deal negotiations taking place in 2020. The key question in Brexit is whether the EU will grant the UK data protection adequacy status or will both sides concede that the UK should be treated as an outsider “third country” for data protection and GDPR purposes. The GDPR has become the global reference point for data protection standards and has inspired new draft laws, updates of established laws and new enactments in Australia, Brazil, California (USA), India, Jamaica, Japan, South Korea and Thailand, with more countries to follow. In the USA, numerous states now have draft laws and the US Federal government also has a range of similar draft laws to consider.

Companies and organisations are actively seeking ways to develop data ethics frameworks for data use and data sharing around the world. GDPR is maturing previously nascent data governance ideas and creating new tools and a language that boards and leadership teams must understand, analyse and implement. After two years of GDPR implementation, the European Commission is not proposing major changes to the GDPR’s legal text. It believes that the law and how it can be applied are sufficiently intuitive and adaptable. EU GDPR policy makers are keen to see the law interpreted and applied to all new and emerging technologies. GDPR enforcement in the form of high impact fines will come. For now, GDPR is not actively expanding in scope, but it is broadening its application while also discreetly consolidating and strengthening its EU and global impact.

Briefing

The impact of the United Kingdom leaving the European Union on 31 January 2020 (Brexit) on UK/EU personal data flows and General Data Protection Regulation (GDPR) compliance will soon become clear.  The short transition period, which ends on December 31, 2020 creates a buffer zone, but companies and organisations must plan for various outcomes on 1 January 2021 and beyond. Individual rights, supply chains and the flow of trade could be affected. Boards and leadership teams need clear strategy, creativity, communication and responsiveness to adapt to the emerging political, economic and data realities. Target operating models for brexit-affected personal data flows should be agile and pragmatic.

1. Degrees of Divergence

Boards and leadership teams must closely monitor how much regulatory divergence the UK and EU accepts. Divergence is inevitable, it is the natural consequence of the UK leaving the EU.  However, the key question is a political and economic one: what will be the extent of UK regulatory divergence from the EU in the final trade agreement (if one is agreed)? Data is at the heart of global trade, innovation and is increasingly crucial in bilateral trade deals. Current political and economic positioning will define personal data flows and GDPR compliance long into the future. The EU asserts that a non-member should not have the same rights and access to its internal market as EU members but prefers a regulatory level playing field with the UK. The UK insists that it seeks regulatory freedom to govern itself free from the EU single market, institutions, systems, laws and courts. Where will both sides place data protection in their list of priorities? Is there room for enlightened pragmatism on personal data governance?

https://privacysolved.com/wp-content/uploads/2024/04/uk-eu-flags-brexit-data-protection-gdpr-1024x768-1.jpg

2. Personal Data in Supply Chains

Modern supply chains are increasingly dynamic, empowered by mergers and acquisitions, low interest rates on borrowing for corporate expansion, investments from sovereign wealth funds, hedge fund-backed takeovers and tax-friendly globalisation. Supply chains can change quickly, data ownership can be transferred instantaneously, and rapid data sharing enabled by 5G and cloud data storage. Brexit complicates this picture even further. Since the 2016 brexit decision, many businesses and organisations have been in a state of constant reorganisation. Staff have been relocated, new EU businesses established, capital and assets redirected to the EU and business models modified. Boards and leadership teams should be clear about their priorities and communicate these to their supply chain partners. They should also risk assess their suppliers based on value, impact and the risks of change. Data Protection Officers and Privacy Leaders should plan to update data protection notices, data protection polices, contract clauses about GDPR and schedule ongoing supply chain reviews.

3. UK Adequacy Decision

The EU has the power to grant the UK a data protection adequacy decision stating that the UK provides an adequate level of data protection comparable to the EU. This would allow the EU to reduce the GDPR regulatory hurdles on the UK’s ability to transfer personal data. The UK intends to apply to the EU for a decision, based on its existing GDPR alignment. However, the adequacy process includes wide-ranging investigations and a formal decision of the European Commission in consultation with other EU bodies. The decision is unlikely to be made for many months and it may become entangled in the UK/EU trade agreement negotiations occurring throughout 2020. An adequacy decision requires UK data protection alignment, reliable UK enforcement and minimal divergence. Without an adequacy decision for the UK, or a delayed decision, the risk to UK/EU personal data flows and the costs to businesses and organisations significantly increases.

4. Replacing the UK Information Commissioner’s Office (ICO) as an EU GDPR Lead Supervisory Authority, GDPR One Stop Shop Authority and GDPR Binding Corporate Rules (BCR) Approval Authority

Boards and leadership teams need to review their previous analysis of the UK ICO as their lead Supervisory Authority for GDPR, their GDPR One Stop Shop Authority and the authority to which their GDPR Binding Corporate Rules can be submitted and agreed. Alternative EU Supervisory Authorities should be considered and selected to replace the UK ICO’s existing role for these activities, to properly comply with GDPR over the longer term. Expert advice may be required to imbed these changes. For the largest companies and organisations, the transition period should be used to consider and begin to action these changes, if this work has not yet been done.

5. New Appropriate Safeguards for International Data Transfers

Where there is no UK data protection adequacy agreement, Boards and leadership teams must empower their organisations to adopt new appropriate safeguards to facilitate EU/UK personal data transfers. EU Standard Contractual Clauses are the most common solution, but the data exporter must be in the EU and the data importer outside the EU, so these will not typically facilitate data transfers from the UK to the EU, after the transition period. The existing EU/US Privacy Shield will no longer cover the UK (for UK to USA data transfers) unless a UK version is created and agreed. Binding Corporate Rules are a stable solution, but these cover only intra-group personal data transfers and take a long time to prepare and receive approval from EU data protection Supervisory Authorities. Boards and leadership teams must be creative, pragmatic and responsive to their supply chains, clients, staff and partners.

Since May 2018, companies and organisations have been given time to fully come to terms with the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018. This is both an enlightened approach to enforcement and a practical necessity.  Rushed enforcement could compromise the quality of decisions and trust in the UK’s and EU’s data protection regulators.

During this pause in enforcement, several EU regulators set up new systems, increased staff and in some cases reinvented themselves. At the same time, many EU regulators were inundated with complaints and personal data breach notifications which stretched their resources and extended their response times. In addition to this, all EU regulators are now legally required to consult each other about key decisions to encourage transparency and consistent interpretation across the EU. However, enforcement, including fines, have now begun and these will increase in frequency and impact in the coming months and years.

GDPR Enforcement

GDPR enforcement

GDPR enforcement and interpretation will come from various sources. As a result, companies and organisations should look beyond the UK Information Commissioner’s Office to test and update their data governance standards, GDPR compliance and cyber security resilience. Firstly, the European Data Protection Board (EDPB) is a key player, acting as the EU’s super regulator for data protection. Its published opinions and guidance are highly respected in interpreting and applying GDPR. Secondly, the UK and EU courts will play an increasing role, because these courts are currently considering key cases that could redefine the boundaries of the GDPR, including for key pre-GDPR tools like EU Standard Contractual Clauses, for international data transfers. These court decisions could require changes to current commercial deals and past contractual arrangements at great expense to businesses.

Thirdly, high quality sector and industry-produced data protection codes of practice and certifications will be increasingly considered as baseline compliance and become standards against which relevant GDPR and cybersecurity practices will be judged. Fourthly, companies and organisations must look at other key data protection regulators around the world, such as the US Federal Trade Commission whose data privacy decisions about the largest US technology companies, will affect countless other companies and organisations in the UK. Finally, for UK and Irish organisations, the type of Brexit that is agreed will determine the future reality of UK GDPR enforcement and the status of critical personal data flows in and out of the EU, after any exit.

Companies and organisations must get the basics of GDPR right

Key LessonsKey Lessons

Key lessons can be learnt from the first fines, enforcement decisions and guidance in the UK, France, Germany, Netherlands and elsewhere.  Accountability is a key principle in the GDPR. It is now clear that cybersecurity breaches will lead to large fines, where a lot of personal data are lost or stolen, even after simple human error or where flaws are discovered in the organisation’s procedures.

Companies and organisations must get the basics of GDPR right, such as clearly informing individuals about data use and having fair, simple and transparent consent processes. The data protection risks attached to new technologies such as adtech, artificial intelligence and facial recognition must be subjected to robust Data Protection Impact Assessments and the outcomes of these must clearly inform how personal data are used. Privacy by Design and privacy by default are central to effective compliance, these are not mere add-ons. Crucially, Data Protection Officers must be qualified, well trained, independent, give frank advice and be empowered to make decisions and act.

Time for clear analysis, reality checks and action

Time for clear analysis, reality checks and action

Amid the flurry of activity generated by fines, enforcement decisions, GDPR opinions, guidance, codes of practice and certifications, companies and organisations must remain composed, outcome-focussed and yet, adaptable. Relevant GDPR and cybersecurity developments must be identified, interpreted and effectively applied to the organisation, allowing agreed new norms to be absorbed into the operations.

GDPR, cybersecurity, legal, audit and operational perspectives must be gathered and rationalised. For present and future GDPR and cybersecurity enforcement, the question is no longer have you complied and how. It is more demanding.

Why has compliance been done in that way, what risks have been identified and how have these risk levels been effectively and continuously addressed? This requires very clear analysis, ongoing review, an understanding of the limits of the law, knowledge of the shades of interpretation as well as an awareness of the challenges of real-life GDPR application. Fines and enforcement always test theories and best intentions against reality.

Client Success Stories: What Our Partners Say

Our clients’ testimonials are the performance indicators PrivacySolved values most. These keep us focused on excellent delivery, while never losing sight of the evolutionary nature of our clients’ needs, our expertise and the need for continuous improvement.

Privacy Solved Icon

Chief Digital Officer

Government

“The PrivacySolved team is very specialist, it is great that they have that level of specialist knowledge. We need it and we really appreciate it.”

Privacy Solved Icon

Board Member

Public Body (Scotland)

“You have brought more than Data Protection Officer services. It has been a journey.”

Privacy Solved Icon

Independent Commissioner and Adjudicator

Public Safety Agency

“Concise, on point and like a comfort blanket. Thank you for your help throughout.”

Privacy Solved Icon

Vice President

Global Enterprise Technology Company

“PrivacySolved has helped us mature our data privacy and governance program, including assisting with the development of the Privacy by Design and Privacy Risk Register assessments.  A big thank you to the PrivacySolved team for all their help.”

Partnerships &
Memberships 2024

grow-global
cyber-essentials
canada - united kingdom logo
iapp logo
Excello law Logo
ohalo-logo
The caribbean council logo
Logo-2-2-Copy-Copy-1
eu-ai-alliance-3_0
great-b-logo

Take the next step

PrivacySolved can empower your real-time response to Data Breaches or Cyber Attacks globally, around the clock and across time zones. At any time, you also can activate our global data privacy expertise, DPOs, vCISOs, cybersecurity strategy and responsible AI services.

Click below to start the most important conversation you’ll have this year.

Get 24/7 Data Breach Help
privacy solved logo

Services

Information

Legals

© Copyright 2025 PrivacySolved. All rights reserved. Website by Jerboa.

Contact Us