GDPR One Year Later: What Have We Learned?

Remember how frantic things were a year ago, when the world was wondering what impact the General Data Protection Regulation (GDPR) would have? The European Union regulation on data protection and privacy for individuals in the EU and the European Economic Area (EEA), which also governs transfers of personal data outside the EU and EEA, was top of mind for many. In fact, in May 2018, GDPR was searched on Google more often than Beyonce or Kim Kardashian.

As we were preparing for a recent webinar on where we find ourselves with GDPR in 2019, we crunched some numbers that give a clear picture of the current state. Take a look at these numbers:

Over a quarter of a million cases have been received by supervisory authorities, and over half a million individuals have registered as Data Protection Officers (DPOs). That indicates a sharp rise in demand for privacy professionals since GDPR took effect, particularly when one considers that a single DPO may serve hundreds of clients. Each Data Processing Agreement (DPA), required under Article 28 of the GDPR whenever a processor handles personal data on a controller's behalf, is a contract between the data controller and the data processor that binds the processor to the relevant GDPR requirements. The DPA demonstrates that both the data controller and the data processor are:

  • Aware of and committed to complying with the GDPR
  • Protecting the personal data of customers, staff and others (as applicable), and
  • Clear about their respective roles concerning the personal data being processed.

Over the past year, there have been some notable enforcements, including:

  • Google: Fined €50,000,000 by the French supervisory authority (CNIL) for lack of transparency, a non-compliant privacy notice and violation of consent requirements
  • British Airways: The UK Information Commissioner's Office (ICO) announced its intention to fine the airline £183.4 million (approximately $229 million USD) for "poor security arrangements" that led to a breach of the personal data of roughly 500,000 customers
  • Portugal: A local hospital was fined €400,000 for deficient access control to patient records, as far more people had access to the records than their roles required.

A chart from Cisco (referenced in the webinar) shows where the most significant challenges occurred as organizations prepared for GDPR:

Clearly, there were a number of lessons learned. These are the ones we believe are most critical:

  • Good policies and prompt breach notifications help reduce fines
  • Unclear or opaque communication with data subjects results in complaints; good policies and procedures are necessary
  • Organizations should obtain a legal opinion to validate their legal bases for processing and their consent management practices
  • Organizations should also implement effective data retention and data minimization practices (automation is key) and evaluate the risk of each processing activity, conducting a Data Protection Impact Assessment where the processing is likely to be high risk, in order to reduce the likelihood and impact of a data breach.

As we mentioned during our webinar, these steps are critical success factors. Readying the organization will take longer and involve more resources than anticipated; in the work we have seen so far, that has been a consistent pattern regardless of the size or scope of the client organization.

Is Your Organization Prepared?

So, what is an organization to do in 2019 to ensure it has the right compliance practices in place? During our recent webinar, we polled the audience, asking: have you conducted a GDPR audit or verified your internal compliance efforts? 61.7 percent of the webinar audience responded no. Assuming this is representative of the larger population of organizations affected by GDPR, there is clearly still ground to cover.

Audits play an important role in preparedness. While Article 58(1)(b) of the GDPR gives supervisory authorities the power to carry out investigations in the form of compulsory data protection audits, the UK Information Commissioner's Office (ICO) predominantly conducts consensual audits. Such an audit reviews whether the organization has effective controls in place, alongside fit-for-purpose policies and procedures that support its data protection obligations. The ICO also checks whether the organization is following data protection legislation as it applies to that specific organization. The resulting report makes recommendations on how to improve. It is important to note that a consensual audit is not an investigation, and it gives organizations an opportunity to fix identified issues without incurring fines.

We have learned that demonstrating compliance through an accountability approach (the principle set out in Article 5(2) of the GDPR) requires more work than simply asserting that compliance requirements have been met. This approach enables organizations to: 1) demonstrate how the GDPR requirements are being met by establishing a specific set of controls, 2) assign ownership for implementing and operating those controls, and 3) obtain evidence that the controls are operating effectively. All three elements MUST be documented in order to demonstrate GDPR compliance. Overall, the scope of GDPR assessment areas will include:

It is difficult to predict how things will stand with GDPR a year from now. Today, many organizations are bracing for the impact of the California Consumer Privacy Act (CCPA), which is similar in many ways to the GDPR. One thing is certain: data privacy regulation will continue to take top priority around the world. Being ready is a smart defensive tactic.


Katie Stevens

Director
Technology Consulting – Security and Privacy

Joel Wuesthoff

Managing Director, Robert Half Legal
Consulting Services