The passing of the EU General Data Protection Regulation was a watershed moment for the privacy profession. The regulation emerged as the first privacy and data protection law that would have bona fide global impact, pushing the discourse of privacy into the mainstream media and elevating privacy risk to the top spot on board meeting agendas. After years of trying to assert the profession’s importance, this humble discipline was finally emerging from the shadows of cybersecurity and taking its rightful place alongside established compliance domains. It was a privacy professional's "Lady Gaga at the Oscars" moment after all those years screaming for attention in a meat dress.
For many American businesses, the EU's passing of the GDPR largely meant that this nebulous concept of "respecting the privacy rights of EU-based individuals" got real. The New York Times, The Washington Post, and Time magazine all dedicated coverage to this "tough new data law," popularizing and codifying the concept of consumer privacy. Businesses threw money at privacy consultants, lawyers, vendors, IAPP certification holders and more lawyers — really, anyone who knew something, anything, about this four-letter acronym (or who could at least recite Article 30 by heart). The Big Four basically replaced the footer on their PowerPoint sales decks to "BEWARE OF 4% OF GLOBAL TURNOVER!" And it worked. According to the 2018 IAPP-EY Annual Privacy Governance Report, the average company says it will spend a whopping $3 million as a result of the GDPR.
Yet, as impactful as the GDPR was to the prominence of the profession, was May 25, 2018, the privacy equivalent of Y2K? Were the seemingly endless conference calls with outside counsel, midnight meetings with engineering teams, and intense debates about anonymization versus pseudonymization with the business actually worth it in the end? Or was the GDPR nothing more than a sheep in wolf’s clothing?
Here, chief privacy officers share their personal perspectives on the last year.
Expectation versus reality
The anxiety was palpable among the privacy community in the weeks leading up to May 25, 2018. But while everyone expected a massive fine to hit shortly after the deadline or a major investigation announced into the data-handling practices of a big technology company, what happened instead was, well, nothing.
“I didn’t really expect too much,” said IBM Chief Privacy Officer Cristina Cabella, contemplating the doomsday-like focus on May 25 of last year. “I use the same Y2K comparison. There was a lot of talking around the deadline, but I think it was good because the entire ecosystem needed to prepare." There was also a misconception, she said, that the GDPR was all about enforcement and fines. “It’s still important, but the point is that the real change is about the transformation of companies’ approaches to individuals.”
“We didn’t know what to expect,” said Jo Ann Lengua Davaris, global chief privacy officer at Mercer, a management consulting company. “We planned for the worst but didn’t spend our money planning for the worst. We had great foundational processes and expanded upon them.” Having nervous clients was also helpful as it encouraged Davaris to get proper funding and engagement from leadership. “We wanted to please [our clients], which helped us get ready.” In terms of regulatory action, she said she anticipated that regulators would be targeting certain companies. “But the truth was that we didn’t know what regulatory scrutiny would look like.”
Adobe Chief Privacy Officer Alisa Bergman thinks it will take time before we see the full impact of the GDPR. “We’re still witnessing the evolution of enforcement. Complaints need to be translated, investigations and decisions that go to one regulator will be discussed with colleagues and the European Data Protection Board needs to coordinate.” To Bergman, things are happening as expected, and we “are seeing a positive impact on privacy generally.”
No regrets
With the advantage of hindsight, it might be easy for privacy pros to wish they had done something differently with respect to the strategy they chose to implement. But even with regulator guidance, what companies ultimately chose to operationalize in terms of GDPR controls would lack precedence — it was uncharted territory.
“I wouldn’t have changed anything,” Cabella said. But she did acknowledge the need to focus on more automation. “We did some investment in some automation which will prove to be a competitive advantage. But the market is still slow in adoption. We also need to consider our size and ensure everything is scalable to our organization.”
“From a tools perspective, I would’ve liked us to be able to invest in a tool that is a proxy for data mapping,” Davaris offered. “But that would’ve needed a lot of investment and would’ve diverted attention from the GDPR.” She mentions that Mercer will definitely consider a third-party tool in the future but that the investment would address a broad set of needs above and beyond privacy compliance. “There is so much opportunity with a data-mapping tool, from a customer service perspective, a business perspective, a privacy perspective — it would serve needs across a lot of different areas.”
“The GDPR is old wine in new bottles,” Adobe's Bergman quipped. “We’re taking [our program] to another level and galvanizing it; we have ambassadors and evangelists.” And that culture change is something she’s excited about. “We’re getting people thinking about privacy in ways they’ve never done before.”
Much ado about DSARs
A surge in data subject access requests is something most companies subject to the GDPR were likely anticipating, especially given the media’s focus on individual rights. Just how big an increase, however, was a question that privacy offices struggled with.
“We were definitely expecting an increase,” Cabella said of DSARs under the GDPR. “But we actually had more internally from employees.” She said that was foreseeable given IBM’s massive investment in training and awareness, which resulted in more questions and meaningful dialogue. “For us, it was a transformation to more transparency. If your company isn’t relying on transparency, frustrations and tensions will rise.”
Davaris said requests quadrupled at Mercer shortly after May 25 but that her team was capable of handling the increase. However, she did begin observing a similar increase in phishing attempts via DSARs and said validating and verifying DSAR requesters is key. “This cannot be underscored. If you don’t do it right, you might hand over information to the wrong person: a hacker or fraudster.”
For Bergman, the requests increased but then tapered off expectedly. “GDPR was frontline news," she said. "People were curious and pressure testing.”
Everyone’s a critic
What was especially worrisome for companies was not knowing how their GDPR efforts would be received by customers, employees, the media and the general public. Ensuring one’s strategy adequately addressed individual rights, business needs and regulator expectations was a constant balancing act.
To Cabella, the way the GDPR was covered in the media was more often with a focus on the financial consequences of noncompliance. Cabella felt that the narrative should have revolved more around the positive impact of the legislation in encouraging respect of individuals’ interests rather than the suspense of which companies would be fined by regulators. She predicted that “it will take some time in the market before a balance will be reached around individual rights and transparency,” adding that "companies need to build more trust with consumers in order to overcome these misconceptions."
Davaris said Mercer hasn't been on the receiving end of any negative feedback on its efforts to comply with the GDPR. “It was about partnering with our clients and feeling the pain together,” Davaris said. She did point out that engagement letter and statement-of-work negotiations have become more complex as a result of Article 28 requirements, which speak to the specific obligations imposed on data processors who handle personal data on behalf of controllers. “Getting on the same page with respect to what [each party’s] obligations are gets a bit more complicated.”
Drinking the GDPR Kool-Aid
Smart GDPR-compliance strategies engaged employees early on and campaigned for privacy-by-design adoption. They understood that a cultural shift needed to happen.
“It was a transformational journey, a complete change,” Cabella said of the impact the GDPR had on IBM’s company culture. She observed that the company’s employees became more privacy savvy. “Privacy years ago was a very niche expertise, and now it’s the first thing that everyone looks at [in their jobs, across the company.]"
Bergman noted a genuine change in employee attitudes, as well. “They’re excited to be part of privacy by design. People feel ownership and a sense of responsibility.”
The calm before the enforcement storm
With the exception of the 50 million euro CNIL fine against Google, enforcement activity post-May 25 has been lackluster. But Davaris said that doesn't mean nothing's happening.
“I actually don’t think there’s a calm,” Davaris said. “We’re right in the middle — I don’t know if there’s a storm. The storm is potentially everyone getting compliant in terms of what they tell people and living up to their promises.”
“You can’t wait for enforcement,” Cabella advised. “Rather than focusing on [impending] enforcement, the real challenge is staying up to speed with the regulatory challenges.” She’s also heard that data protection authorities want to increase engagement and work constructively with companies.
“I think we’re still seeing the evolution, we’re still getting guidance, things are still changing,” Bergman offered. While she does think that there will be more enforcement, she highlights the need to focus on customer expectations. “We know that consumers are going to make more choices based on privacy. Those shifts are happening.”
Looking forward
As privacy professionals prepare for the onslaught of regulations ahead, the lessons learned from the GDPR will be vital to successful compliance strategies.
“It has been an unprecedented experience,” Cabella said. “The last few years have been amazing in terms of challenges. From great fatigue comes great rewards.”
Davaris echoed that sentiment.
“As complex as everything was, [the GDPR] really stretched our muscles,” she said, adding she sees the last year as preparation for what’s to come. “It gave us and our organizations an opportunity to train for the marathon of what’s ahead of us in terms of the regulatory environment.”
Bergman is optimistic about the future of privacy and sees a net-positive impact, demonstrated by new professional fields like privacy engineering. “The future of privacy is so bright. It’s part of the mainstream culture and that’s exciting. Privacy is here to stay.”
Photo by Josh Calabrese on Unsplash