The EU’s General Data Protection Regulation took effect three years ago today, elevating awareness of privacy and data protection from boardrooms to living rooms and setting a standard for countries and jurisdictions around the world.

“Broadly, it’s been really good. It’s been good for the privacy profession, it’s been good for individuals who are at the heart of the GDPR, it’s driven an acceleration of privacy program maturity and privacy technology development, and for privacy professionals it’s been an amazing opportunity,” said BNY Mellon Global Chief Privacy Officer Kirsten Mycroft, CIPP/E, CIPM.

The IAPP released a “GDPR at Three” infographic showing 47% of companies self-report as fully GDPR compliant while more than 630 enforcement actions have been taken to date, totaling 283 million euros in fines. Among the largest fines over the past year were the $57 million fine France's data protection authority, the Commission nationale de l'informatique et des libertés, issued against Google and the $41 million fine Hamburg, Germany's DPA, the Commissioner for Data Protection and Freedom of Information, issued against clothing retailer H&M.

The GDPR’s enforcement provisions enabling fines up to 4% of annual global turnover for violations “got everybody’s attention. Such penalties would definitely get a board's attention,” Northrop Grumman Corporation Corporate Privacy Executive John Kropf, CIPP/E, CIPP/G, CIPP/US, said, adding the GDPR was the “first comprehensive privacy law that had real teeth in it,” highlighting for companies “the importance of privacy in the global legal landscape.”

Under the GDPR, individuals and businesses are able to rely on the same rights and data protection standards throughout the European Union, IBM’s Chief Privacy Officer Christina Montgomery said. For a company like IBM, that means the ability to rely on a single privacy framework for compliance across Member States.

“Additionally, the GDPR and its accountability principle has led to more efficient compliance processes and data-driven business models that are more respectful of data subjects’ rights and freedoms,” she said. “To that extent, the GDPR is certainly on its way to achieving some of its original goals.”

Continuing hurdles

Three years into the regulation, privacy professionals say a lack of harmonization among EU member states, as well as a continuing stream of new and updated guidance, is an ongoing struggle.

“One of the underlying reasons for establishing the GDPR was to allow companies with multiple footholds across the EU to interact with just a single data protection authority, instead of 27,” Montgomery said. “But harmonization of GDPR rules and their sometimes diverging interpretations remain a challenge for companies, as member states are still able to develop their own rules, for example on sensitive data such as health data. DPAs issue guidance on several topics such as cookies, mandatory risk assessments or the use of employee health data to return safely to the workplace.”

While the GDPR was “billed by some as the silver bullet to fix the patchwork of privacy laws across Europe,” Mycroft said supervisory authorities differ in their interpretations of the regulation, and the interplay with other local laws presents challenges.

“It would be really good to achieve a more harmonized interpretation that reflects current and evolving business and technology practices. For businesses operating across multiple jurisdictions, it’s not sustainable to take a country-by-country compliance approach,” she said.

While GDPR enforcement certainly caught attention and led some companies to quick compliance, it also caused some to stray away from opportunities in Europe, said Baker McKenzie Partner Lothar Determann, adding, “There’s a lot of stuff that’s just not getting done in Europe because people are afraid of the GDPR.” The regulation's “broad” definition of personal data breach and its 72-hour notification deadline are difficult for some companies, he said, resulting in “unreasonable time pressure” and knock-on effects in jurisdictions with differing standards.

“When you have a breach, you don’t know immediately what’s going on; you don’t know if the hackers have data, and it takes a while to figure this out. If you only have 72 hours to decide whether to make a notification or not, then either many companies blow the deadline or they notify very early,” he said. “Data protection authorities in Europe have been complaining about that, that they get too many notifications where it’s not really necessary.”

Worldwide impact

As the first comprehensive privacy law, the GDPR has inspired legislation around the world, from Brazil’s General Law for the Protection of Personal Data to China’s proposed Personal Data Protection Law and India’s proposed Personal Data Protection Bill, to name a few. In the U.S., both California and Virginia approved legislation drawing inspiration from the GDPR, while other states like Washington continue to work on proposals.

In India, J. Sagar Associates Partner Sajai Singh said the GDPR served as a template for the proposed PDPB, the final draft of which is expected to be tabled before Parliament soon. India is looking to implement an even broader scope, he said, including a definition of sensitive personal data requiring compliance even if no data is collected in India but is processed there.

“Strict data privacy legislation is the norm today. Country after country is adopting privacy legislation that is equal to or more strict than the GDPR. Being the first, the GDPR has certainly provided guidance and the way forward to nations across the world,” Singh said.

Sodexo Group’s Group Data Protection Officer Anne-Cécile Colas, CIPP/E, CIPM, said the food services and facilities management company implemented a comprehensive data protection program based on GDPR principles in all the regions in which it operates, including the U.S. and Asia-Pacific. “It’s now a no-brainer” for companies around the globe to do business while complying with the GDPR’s principles, she said.

“We’ve seen that the GDPR key principles of transparency, data retention, security, can be applied everywhere,” she said. “There has been a major shift from 2018, an alignment with the fact that handling personal data transparently and in a secure manner is an absolute necessity.”

Elevating the profile of privacy

For privacy professionals, Mycroft said the GDPR has been a “hugely enriching opportunity,” expanding privacy opportunities and career paths and roles while also creating a stronger and more diverse pool of privacy talent. At BNY Mellon, Mycroft said it has enabled her to strengthen and further mature the company’s enterprise privacy program. More broadly, across all industries, the GDPR has “served as a catalyst to get privacy on — or further up — the executive agenda.”

“It’s driven an investment in privacy programs that I don’t think we would have seen otherwise. It’s made it easier for us to stick to higher standards,” she said. “If you speak to privacy professionals who have been around for a long time (pre-GDPR), they may recall being told things like ‘don’t over-engineer this; do what is needed to get us over the line.’ Nowadays, many privacy professionals are being asked ‘Shouldn’t we adopt this across the enterprise? Shouldn’t this be a de-facto standard?’ I don’t think you would have heard that language five or 10 years ago.”

Mycroft said the GDPR has elevated the profile of data privacy to a “C-Suite priority” within organizations and accelerated the maturity of many privacy programs, moving them from a “tick-box” compliance approach to a culture of privacy by design and accountability. Given the GDPR’s enforcement provisions, Mycroft said organizations’ willingness to comply with the regulation wasn’t surprising. What was surprising was how quickly they built privacy into their products and services globally, and how much more knowledgeable consumers became.

“People increasingly see it as an enabler of consumer trust. It’s an enabler of innovation,” she said. “There’s a groundswell and an awareness of the topic of privacy that we see now versus three years ago. It’s among consumers, our colleagues, our family and friends. It’s even been a topic of conversation around the dinner table.”

At IBM, Montgomery said the company chose early on to look at the GDPR through a broader lens than simply legal compliance. Investments in technology combined with centralized governance and enterprise-wide integration are transforming the company’s Chief Privacy Office from reactive to proactive leadership, she said.

“Through our integrated approach to GDPR readiness, our Chief Privacy Office team has evolved from a pure legal function and is now embedded into the business, hand-in-hand with our chief data office, our security business unit, our policy team, and our AI Ethics Board, enabling IBM to further differentiate ourselves across the dimensions of both privacy and tech ethics,” she said.

Looking ahead

While the GDPR has led the way globally as a comprehensive data protection framework, Kropf said an area of improvement would be better syncing its approach with existing principles of international law.

“In the last three years there’s been all of this uncertainty with the ‘Schrems I’ and ‘Schrems II’ cases and the adequacy process is less than transparent. The process of determining when a country meets the EU standard is complicated and I think the regulation could be strengthened by looking to existing principles of other international commerce where you’ve got cross-border cooperation,” he said. “For example tax, customs, airlines, telecommunications, they all work together across borders and they all incorporate principles of private international law that I think the GDPR could look to.”

As they continue to work through implementation of the GDPR, organizations are also closely watching the EU’s upcoming ePrivacy Regulation, which will replace the ePrivacy Directive in creating rules for electronic communications, and proposals for the regulation of artificial intelligence. As these proposals are considered, privacy professionals say it's important they align with the GDPR.

The GDPR’s principles, including accountability, transparency and fairness, can serve as a blueprint for upcoming regulations, Mycroft said, with the goal of creating sensible and pragmatic approaches that safeguard individuals. Montgomery added upcoming regulations should “strive for strong alignment with GDPR rules” to “avoid a fragmentation of data governance rules within the EU.”

“The ePrivacy Regulation should have a targeted scope and broader legal grounds for processing, as well as a mechanism to ensure closer alignment with GDPR rules. This will help reduce administrative burdens for companies, while increasing transparency and protecting the rights of data subjects in all EU Member States,” Montgomery said. “The GDPR includes many principles, such as a risk-based approach, transparency, fairness and accountability, which are also relevant for any future AI regulation.”
