Briefing
Companies and organisations have had four years to implement the EU’s General Data Protection Regulation (GDPR), since it became law in 2016. May 2020 marks two years since enforcement of the law by the EU’s twenty-eight GDPR regulators began. GDPR has transformed global data governance standards and expectations. It has created a new lexicon for data protection, new responsibilities, new rights, new processes, new governance tools and has empowered the Data Protection Officer (DPO). GDPR compliance requires more than generalised assurances of privacy or data security. The requirements can be exacting, and companies and organisations must demonstrate compliance and accountability to prove their competence. The most forward-looking organisations now leverage data protection as a key market differentiator, a trust-building asset and a catalyst for data and cybersecurity innovation. The marketplace and individuals are now placing companies and organisations on an emerging spectrum of data ethics, seen through the prism of privacy by design, security by design, data minimisation, transparency and accountability. There are many lessons for boards and leadership teams and key issues to prioritise.
EU GDPR Regulators, Capacity Building, Enforcement and Fines
The GDPR can only be as effective as the levels and quality of enforcement that takes place. The GDPR required most EU data protection regulators to increase their staff, resources and working practices to deal with the sharp increases of GDPR complaints that arrived on and after May 2018. Since then, there have been few multi-million Euro fines and some commentators have wrongly concluded that the GDPR has not been effective. GDPR regulators in France, United Kingdom, Germany, Italy, Netherlands and Spain have been the most high-profile and active in enforcement, but most of their output has been to publish detailed guidance, legally binding Codes of Practice and to put forward strategic positions on new and emerging technologies such as artificial intelligence, adtech, cookies, tracking technologies and privacy by design for children’s online services. Early enforcement has focussed on public sector bodies and smaller organisations. Several GDPR regulators had put in place GDPR enforcement moratoriums between May 2018 and May 2019 in order to build their capacity and to reduce their 2018 complaints backlogs. For some GDPR regulators, there has only been twelve months of proactive enforcement. The over-reporting of low risk personal data breaches since May 2018 has diverted much GDPR regulator time and resources.
Overall, GDPR regulators have been cautious in issuing high value fines. When EU-wide enforcement decisions are assessed together, it is clear that GDPR regulators are actively building a strong body of decisions, opinions, legally enforceable codes of practice and lower-level fines which will increasing expose GDPR compliance outliers. These will form the basis of future fines and more aggressive enforcement, especially for basic non-compliance and repeat complaints.
The European Data Protection Board (EDPB), which brings together all twenty-eight GDPR regulators, has been under-utilised, although its opinions, consultations and decisions are regarded as offering high quality GDPR legal interpretation and application. The EDPB’s work has focussed on its internal capacity building, work with other EU institutions and administering the twenty-eight GDPR regulator projects and meetings. A change of emphasis towards sharing large and high-profile investigations, constantly rebalancing resources to speed up enforcement decisions across all the EU regulators and actively supporting small and newer GDPR regulators would improve GDPR enforcement outputs. Taking a lead on globally significant cross-cutting issues such as data protection in politics, privacy-invasive technologies, data protection and market competition and privacy-enhancing cybersecurity, could systematically increase GDPR application and reduce individual complaints. The EDPB could better use the powers it has in the GDPR to develop its unique voice and contributions. Board and leadership teams should continue to monitor how GDPR regulators are incrementally dictating the rules of the road for data governance and information security, especially for new and emerging technologies. The GDPR decisions of the EU’s highest courts, and the courts of each EU member state should also be monitored. These decisions can have immediate impacts on business models, data protection risks, supply chain data exposure and market positioning.
Data Protection Officers (DPOs)
Data Protection Officers are one of the GDPR’s most powerful tools. They are mandated to report to the highest level of management in companies and organisations, must have enough resources, must act independently, must be protected from penalty and intimidation and all have a duty to co-operate with GDPR regulators. Individuals can contact DPOs directly, public bodies must appoint DPOs and their knowledge of the data and security ecosystem and organisational supply chains make them unique and formidable net contributors. They can also help to influence and shape data governance, cybersecurity risk appetite and data ethics.
However, there is a shortage of senior DPOs in the EU and around the world. Too many DPOs are not as well paid as they should be and some lack the required status, influence and respect within organisations. Often, their ability to access the board and senior leadership team is mediated by unnecessary layers of management and bureaucracy. It is common to find that named DPOs often perform other management roles within the organisation that can conflict with their DPO role and affect their independence. Many DPOs are not consulted and included early enough, within projects, so that privacy by design work and data protection impact assessments can inform key decisions. External DPOs and Data Protection Officer as a Service (DPOaaS) are growing service offerings but it will take time to diversity these offerings and provide more innovative solutions. Boards and leadership teams must actively review the position, role and tasks of DPOs. Their reporting structures, resources and their contribution must be analysed. EU, EDPB and guidance from each of the EU’s GDPR regulators, where applicable, should be incorporated into organisations to increase GDPR compliance. DPOs must work in close partnership with Chief Information Officers and Chief Information Security Officers. Communication between DPOs, the board, senior leadership team, the C-Suite and operational heads should be easy, transparent, trusting and purposive. DPOs should be acknowledged as key asset guardians, critical friends and enablers.
Privacy by Design and Data Protection Impact Assessments
Before GDPR, Privacy by Design principles were practiced in highly regulated sectors and often only in the largest and most innovative organisations. GDPR has democratised and added Privacy by Design, Privacy by Default and Data Protection Impact Assessments (DPIAs) firmly into the data governance lexicon. These principles and data governance tools are expected to influence data flows, contribute to the design of new technologies and create a framework for risk-analysis, mitigation and review throughout data life cycles. GDPR regulators are beginning to request evidence of these. In the public sector, government bodies are increasingly expected to publish assessments of their digital transformation projects, smart cities initiatives, coronavirus covid-19 contact tracing apps and facial recognition technology projects. Boards and leadership teams, should encourage a culture of data protection impact and data risk analysis, fully engage with these evaluations, monitor outputs and encourage their supply chains to demonstrate compliance, especially cloud services and emerging technologies.
Cybersecurity Takes Centre Stage
Information Security and Cybersecurity expectations were not fully developed in the pre-GDPR EU data protection laws. The GDPR has pulled these topics to the centre stage, allowing companies and organisations to address data protection and cybersecurity in a more integrated way. Personal data breach fines, notifications to regulators, notifications to data breach victims, data processor cybersecurity requirements and clearer risk-based information security analysis based on the costs, context, purpose and state of the art in information security are GDPR innovations. The power and impact of this is shown in the over reporting of information security incidents between 2018 and 2019 by many organisations in the EU.
Pseudonymisation, encryption, confidentiality, integrity, availability and testing are all specifically written into the GDPR. Detailed guidance has been issued by various GDPR regulators across the EU, and many provide online personal data breach reporting. The growth of cybersecurity monitoring, real-time reporting and breach incident management software continues. GDPR personal data breaches are widely reported in the media. GDPR has added momentum to existing efforts to publicise the impact of data breaches on organisations’ reputation, share price, consumer trust, user engagement, market share and profits. As a result of this, boards and senior leaders must remain fully engaged with their cybersecurity risk profile and encourage their teams to risk-assess their supply chains, practice data breach drills, purchase effective cybersecurity insurance, apply relevant GDPR regulator guidance, train staff and partners and empower their entire organisations to actively remain within a framework of information security resilience.
GDPR, Global Soft Power and Future Expansion
The GDPR exerts soft geopolitical power, bilateral trade power and is an engine for the international growth of data ethics and security by design. For example, GDPR was a key component in the EU-Japan Economic Partnership (Trade) Agreement in 2019 and the accompanying Japan Data Protection Adequacy Decision in 2019. GDPR and personal data flows are also key themes in the EU-UK Brexit trade deal negotiations taking place in 2020. The key question in Brexit is whether the EU will grant the UK data protection adequacy status or will both sides concede that the UK should be treated as an outsider “third country” for data protection and GDPR purposes. The GDPR has become the global reference point for data protection standards and has inspired new draft laws, updates of established laws and new enactments in Australia, Brazil, California (USA), India, Jamaica, Japan, South Korea and Thailand, with more countries to follow. In the USA, numerous states now have draft laws and the US Federal government also has a range of similar draft laws to consider.
Companies and organisations are actively seeking ways to develop data ethics frameworks for data use and data sharing around the world. GDPR is maturing previously nascent data governance ideas and creating new tools and a language that boards and leadership teams must understand, analyse and implement. After two years of GDPR implementation, the European Commission is not proposing major changes to the GDPR’s legal text. It believes that the law and how it can be applied are sufficiently intuitive and adaptable. EU GDPR policy makers are keen to see the law interpreted and applied to all new and emerging technologies. GDPR enforcement in the form of high impact fines will come. For now, GDPR is not actively expanding in scope, but it is broadening its application while also discreetly consolidating and strengthening its EU and global impact.