Privacy professionals have now lived with EU General Data Protection Regulation compliance requirements for a full year. Many rebuilt, rewrote and revamped entire data protection programs.
So as we reflect a year later, what were their hits and misses?
The IAPP pulled together a group of GDPR thought leaders from law firms, companies and consultancies to seek their insight on what went well and what didn’t. What they shared offers a glimpse into the challenges and successes companies experienced in year one, as well as the work completed and still to be done. While their feedback is certainly not universally applicable, their assessments offer a useful calibration for privacy professionals wondering how they are faring with GDPR compliance in relation to their peers and where they should focus in year two.
The misses
Compliance just scratched the surface — Privacy requirements must be translated to products and services
The GDPR stakeholders we assembled thought many companies had barely scratched the surface of GDPR compliance in year one. Some organizations focused on revamping public-facing privacy policies but not on governance and accountability mechanisms. Others developed strong new privacy programs but have not yet pushed privacy requirements down into all products, services, systems and contracts. Legacy systems with unstructured data were cited as a leading challenge. Countless client and vendor contracts need updating.
In year two, they expect companies to focus on translating policy into practice.
DSARs overwhelmed – Automation to come
Many organizations built systems or processes to manage data subject access requests in-house. Some included manual workflows and individual querying of numerous systems. Such approaches were overwhelmed by massive influxes of data subject access requests.
While GDPR deadlines were met by the companies with which our respondents were familiar, the manpower required proved unsustainable. Companies feared negative press that might generate more requests than they could handle in the time GDPR allots. Practitioners noted that the challenge is likely even greater for small companies, though the risk of bad press is diminished. In year two, those we talked to expect a move toward automation and improvements in processes for handling access and deletion requests.
The role of the DPO is unsettled – Restructuring is needed
The IAPP recently reported that an estimated 500,000 organizations have registered data protection officers across Europe. In sharing this research, we noted that the IAPP’s latest salary survey found that a typical DPO in the EU makes less than their peer in the U.S. and significantly less than a typical chief privacy officer, a title far more common in the U.S.
We raised the question: Has a gap emerged between the roles and responsibilities of U.S. and EU privacy officers? While we did not pose this as a question to our GDPR experts, they independently raised the structure of DPO roles as a top GDPR challenge. These practitioners said that many DPOs are not involved in decision-making and noted a lack of clarity regarding the role. Some companies view DPOs as company-facing, others as regulatory-facing, others as individual-facing and some as a combination of all three. Many DPOs are simply wearing new hats. Since the GDPR requires that the DPO "shall directly report to the highest management level," the role will likely need restructuring in the year to come.
New processor liability slowed deals – Insurance options would help
Article 28 of the GDPR placed new responsibilities on data processors, mandated the use of data processing contracts, and outlined the specific requirements to be included in contracts with processors. The additional liability the GDPR created for processors often made contract negotiations lengthier and more difficult. Practitioners said additional insurance options, caps and indemnities are needed to make this process smoother and help processors guard against unforeseen risk.
One-stop shop did not always translate in practice – Wait and see for now
Our GDPR panel noted that language barriers made the one-stop shop approach difficult to navigate at times with detailed guidance from some data protection authorities published only in local languages. This made it harder for companies to identify critical guidance in markets they are serving but are not the location of their main establishment. It also made it more challenging to share such guidance across a global company. To date, companies and industry associations have simply translated documents as needed. Practitioners also noted that some DPAs have continued to liaise directly with establishments in their jurisdiction even when not the organization’s lead authority.
Our GDPR panel said the companies with which they are familiar had continued to engage with those DPAs since they wanted to be helpful and, to date, the inquires had been simple ones. If such inquiries become more complicated or enforcement-focused in year two, companies might seek to engage primarily through their lead authority.
Applicability unsettled – Awaiting additional guidance
Some organizations remain unclear on the GDPR’s territorial applicability, even after reviewing the draft guidelines published by the European Data Protection Board on the law’s territorial scope. Our GDPR panel said some companies still do not know if the GDPR applies to them. Organizations are also confused about how territorial applicability affects the need for or use of data transfer mechanisms. Practitioners hope that the additional EDPB guidance planned for 2019 on this topic will provide greater clarity.
The hits
Registers of processing forced a cleanup
Our GDPR panel termed Article 30, which requires controllers to maintain a record of processing activities, the “unsung hero” of the GDPR for forcing companies to clean up their data and create a structure around it. To be fair, they also dubbed it a challenge, noting that there is limited granularity in the law regarding the level of detail required. No matter how detailed a company’s record-keeping might be, they could always go one level deeper. Overall, while mapping processing operations was difficult for many organizations, practitioners viewed it as a useful exercise that helped companies understand and organize their data processing activities.
Privacy risk elevated in importance for companies
Practitioners greatly appreciated the GDPR’s role in elevating data protection among companies’ priorities and helping organizations internalize privacy risk. Our panel commented that Article 35’s data protection impact assessments had been embraced globally. While they welcomed this development, they did note a disparity between companies in the number of DPIAs conducted and the breadth of their coverage. Despite this disparity, they felt that DPIAs had helped drive privacy through an organization to the engineering level, pushing companies to “open the hood” and embed data protection principles into products and services. Practitioners also commented that the GDPR elevated the role of privacy professionals within organizations and, even where a CPO already existed, increased their visibility and effectiveness.
Individual awareness of privacy rights skyrocketed
Perhaps most importantly, the GDPR succeeded in raising individuals’ and society’s awareness of data protection rights. Many countries around the world now look to Europe and the GDPR as a model approach to data protection. Our GDPR panel welcomed that while noting that, in some instances, individuals or organizations have weaponized the rights the GDPR created. Overall, practitioners welcomed individuals’ increased engagement with companies and regulators as evidence that individuals today better understand their data protection rights and how to exercise them.
The year to come
Alignment with other regulations needed – The NIST Privacy Framework may help
Looking forward, our group of experts highlighted the continual work the GDPR requires. Annual reassessments are a must to make sure GDPR requirements are embedded in changing processes and new product development. On top of such year-on-year maintenance, companies must now align their new GDPR-compliance processes with those required by other legislation, just passed or on the horizon, domestic or foreign. EU court cases too could upend the status quo.
This changing landscape is what the group is watching most closely. They highlighted the need for greater compatibility between laws, but also for privacy programs that are less tied to specific legislation. Practitioners are looking to NIST’s developing Privacy Framework as one potential solution to the constantly evolving legal landscape. Its focus on privacy risk and the controls that organizations can adapt to manage that risk could help organizations “future proof” their data processing operations and better prepare for the increasingly complicated legal landscape.
Photo by Alexander Muzenhardt on Unsplash