Risk and ComplianceSecurity

GDPR One Year Later: What Have We Learned?

Katie StevensJoel Wuesthoff
September 27, 2019
5 min read

Remember how crazy things were last year at this time, when the world was wondering what impact the General Data Protection Regulation (GDPR) would have? The European Union regulation on data protection and privacy for all individual citizens of the European Union and the European Economic Area, which also addresses the transfer of personal data outside the EU and EEA areas was definitely top of mind for many. In fact, in May 2018, the topic GDPR was Google-searched more than Beyonce and Kim Kardashian.

As we were preparing for a recent webinar on the topic of where we find ourselves with GDPR in 2019, we crunched some numbers that give us outstanding insight into our current state. Take a look at these numbers:

Over a quarter million cases have been received and over a half million individuals have registered as Data Protection Officers (DPOs), indicating that demand for privacy professionals has increased since the advent of GDPR, particularly when one considers that hundreds of clients may be served by a single DPO. Each Data Processing Agreement (DPA), required under the GDPR, is an agreement between the data controller and data processor which attests that the data processor is complying with relevant GDPR requirements. The DPA demonstrates that both the data controller and data processor are:

  • Aware of and committed to complying with the GDPR
  • Protecting the personal data of customers, staff and others (as applicable), and
  • Clear about their respective roles concerning the personal data being processed.

Over the past year, there have been some notable enforcements, including:

  • Google: Fined €50,000,000 in France for lack of transparency, non-compliant privacy notice and violation of consent requirements
  • British Airways : Fined £183.4 million (approximately $229 million USD) in the United Kingdom for “poor security arrangements” that led to the break of personal data of 500,000 customers
  • Portugal: A local hospital was fined €400,000 for non-compliant access to privacy data, as too many people had access to patient records.

This chart from Cisco demonstrates where the most significant challenges occurred as organizations prepared for GDPR:

Clearly, there were a number of lessons learned, with these being the ones we believe are most critical:

  • Good policies and prompt notices will help reduce fines
  • Lack of clear and transparent communications to data subjects will result in complaints; good policies and procedures are necessary
  • Organizations should obtain legal opinion to validate legal bases and consent management practices
  • Organizations should also implement effective data retention and data minimization practices (automation is key) and evaluate the risk of data processing to reduce the risk of data security and breach.

As we mentioned during our webinar, these steps are critical success factors. The process for readying the organization will take longer and will involve more resources than anticipated – in the work we’ve seen so far, that’s been a consistent pattern, regardless of the size or scope of the client organization.

Is Your Organization Prepared?

So, what’s an organization to do in 2019 to ensure it has the right compliance practices in place? During our recent webinar, we polled the audience, asking: have you conducted a GDPR audit or verified internal compliance effort? 61.7 percent of the webinar audience responded no, and assuming this represents the larger audience of organizations impacted by GDPR, there is still clearly ground to cover.

Audits play an important role in preparedness. While Article 58.1(b) of the GDPR contains a provision giving the supervisory authorities power to carry out investigations in the form of compulsory data protection audits, the ICO predominantly conducts consensual audits. The audit will review whether the organization has effective controls in place, alongside fit-for-purpose policies and procedures to support data protection obligations. The ICO will also check to determine whether the organization is following data protection legislation as it applies to your specific organization. The resulting report makes recommendations on how to improve. It is important to note that a consensual audit is not an investigation, and gives organizations an opportunity to fix identified issues without incurring fines.

We’ve learned that demonstrating compliance through an accountability approach requires more work than simply showing that compliance requirements have been met. This approach enables organizations to: 1) demonstrate how the GDPR requirements are being met by establishing a specific set of controls, 2) assign ownership for implementing and operating defined controls, and 3) obtain evidence that the controls are operating effectively. These three elements MUST be documented in order to achieve GDPR compliance. Overall, the scope of GDPR assessment areas will include:

It’s difficult to predict how things might stack up around GDPR a year from now. Today, many organizations are bracing for the impact of the California Consumer Privacy Act (CCPA), which is similar in many ways to the GDPR. One thing is certain, we will continue to see interest in data privacy regulations take top priority around the world. Being ready is a smart defensive tactic.

To register for our GDPR One Year Later webinar replay, click here.

Katie Stevens

Director
Security and Privacy

View all posts

Joel Wuesthoff

Managing Director
Legal Consulting

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More