August 2019 Issue
After arriving amid a chorus of concern, even foreboding, the European Union’s General Data Protection Regulation (GDPR) has steadily bedded in and has now passed its first anniversary – no longer deemed an instrument of fear, uncertainty and doubt.
Moreover, with legislators having had the opportunity to observe the GDPR’s impact on how companies are now handling personal data, it is an opportune time to reflect on what has been a seismic shift in the data privacy landscape.
Looking back, what key changes has the GDPR obliged companies to make? What do we now know about how the regulation operates in practice? And what impact have compliance requirements had on creating and implementing a new data culture in the workplace?
Generational paradigm shift
Taking stock of the regime, many commentators characterise the GDPR as nothing less than a landmark piece of data privacy legislation – a law that has swept away the possessive mentality that companies are generally presumed to have had toward the use and retention of personal data.
“The GDPR is a generational paradigm shift,” says Ross McKean, a partner at DLA Piper. “It has completely transformed the risk profile for organisations collecting and using personal data. We have transitioned from a regime where maximum fines across the EU were rarely more than six figures to a regime with real teeth. Regulators now enjoy the power to impose revenue-based fines of up to 4 percent of total worldwide annual turnover.”
Another consequence of the new privacy rules is the rise of group litigation, with several high-profile claims – often involving potential damages in the hundreds of millions – progressing through courts in a number of EU Member States. “Non-compliance has just got a lot more risky,” believes Mr McKean. “Given the publicity surrounding the GDPR, there has been a sizeable uptick in individuals exercising their GDPR rights, often as a lever in disputes.”
Implementing a new data culture
As many companies have discovered over the last year or so, embedding a culture of privacy best practice can be challenging. That said, there are ways in which to create a positive culture while overcoming the obstacles inherent in handling personal data.
“As with any area of compliance there are a range of approaches and levels of maturity,” suggests Mr McKean. “Some organisations have spent many millions already on transforming data flows and implementing controls to address the GDPR, as well as the increasing number of GDPR-like laws globally, such as the new California Consumer Privacy Act (CCPA). This often entails a deep-dive data mapping exercise, policy drafting and training.
“Legacy systems and processes are a greater challenge than new systems and processes, as it is easier to configure and design afresh than reconfigure and rebuild legacy,” he continues. “Data minimisation and data retention are common challenges for companies, particularly those that have seen value in collecting ever richer user profiles on the basis that this will drive revenue.”
Mr McKean also notes the difficulties the financial services (FS) sector in particular is having with the GDPR, with FS companies oscillating between FS regulators, who have historically encouraged the retention of data, and the new GDPR regime, which requires lawful grounds for preserving data and favours deletion as the default option.
Biggest shake-up in a generation
So, over a year on from the biggest data protection shake-up in a generation, companies are continuing to review their business models, as well as rethinking and redesigning their sales and marketing approaches in order to remain on the right side of the GDPR.
“The GDPR and its enforcement will continue to drive better data stewardship practices, though this will take time,” believes Mr McKean. “There is already a notable change in perception of personal data. It is no longer being viewed by many organisations as ‘their’ data to use as they wish, but rather as their customers’ or staff data which they are permitted to use for legitimate lawful purposes.
“There remain many open legal questions under the GDPR and enforcement will, over time, help to answer some of these,” he continues. “What is already clear from early enforcement action is that the business model of offering ‘free’ internet services by monetising user profiles for advertising is squarely in the regulatory crosshairs.”
Going forward, it is essential for companies to improve their staff awareness training and their processes for identifying and reporting data privacy breaches. Moreover, with the penalties for GDPR non-compliance severe and the potential for reputational damage considerable, there is simply no room for complacency.
© Financier Worldwide