GDPR Enters Year 2

Experts describe how the European Union’s General Data Protection Regulation has raised awareness of data privacy and created an ongoing challenge for companies that must comply.

By Joanie Wexler, July 26, 2019

More than ever, businesses serving European customers rely on proven procedures for collecting, storing, protecting and deleting customer data, according to industry watchers. They say it’s a direct result of General Data Protection Regulation (GDPR) and the hefty penalties it threatens for noncompliance.

“A few years back, it was not unusual for a supplier audit to find some mid-sized companies completely missing any privacy policies, standards and job function. That is no longer the case,” Raef Meeuwisse, the author of Cybersecurity for Beginners, recently told TechRepublic.

“The uptick in privacy regulations and potential fines seems to have worked as a wake-up call for organizations to treat their duties of care for personal information more seriously,” he said.

GDPR rules, which apply to companies that collect and store data about residents of the European Union (EU), give EU citizens unprecedented control over the storage and use of their information. That includes the right to “be forgotten” by a company, which generally requires companies to wipe an individual’s information from their data banks upon request.

Because of these and other tenets, GDPR is considered the most significant initiative on data protection in more than 20 years.

The regulation puts a strong spotlight on privacy issues.


“GDPR has led to massive attention from the most exposed actors,” including the health care, telco, retail, banking, and insurance industries, said Rémi Dusaud, director of data privacy at PwC, in an interview in March.

“Almost all of the organizations that have named a data privacy officer, decided on a centralized approach, and put data privacy governance in place are walking on a continuous improvement path. Data privacy is becoming a natural part of day-to-day business life for them.”

Privacy Improvements by the Numbers

How well GDPR is protecting citizens’ privacy can be measured, in part, by the activity levels of the Data Protection Authorities (DPAs) established in each European country to enforce GDPR rules.

A May 2019 report on the EU Commission’s website, based largely on survey data collected by the European Data Protection Board (EDPB), indicates that GDPR has spurred greater awareness of consumer rights. Citizens have filed more than 144,000 complaints with European DPAs, the most common relating to telemarketing, promotional emails and CCTV/video surveillance, according to the Commission.

In addition, the DPAs have been notified of more than 89,000 data breaches from organizations that store customer data. Part of the GDPR legislation requires organizations to report a data breach within 72 hours of its occurrence or face a fine. Five fines had been issued as of May 2019, according to the European Commission.

The complaints, breaches and fines might seem to indicate that GDPR-affected companies haven’t risen to the privacy demands of the legislation. Yet many organizations that collect and store EU resident data have indeed bulked up their privacy teams and have stepped up to GDPR implementation, according to the International Association of Privacy Professionals (IAPP).

The IAPP estimates that organizations have spent, on average, $1.3 million to date on compliance measures.

Still More Work to be Done

“We expect 50 percent of covered companies are still in the process of GDPR compliance and it will likely go on for another couple of years,” said Mark Schreiber, a partner in the Boston office of international law firm McDermott, Will & Emery, who heads the firm’s global privacy and cybersecurity practice. He spoke at a recent IAPP educational meeting.

Coordinating GDPR compliance across decentralized organizations and the appointment of representatives within the EU are focus areas for many companies, according to Schreiber. He also said companies must determine the proper role of data protection officers as they fine-tune their compliance efforts.

The IAPP anticipates it will cost each organization an additional $1.8 million, on average, to be fully compliant with GDPR rules.

In addition, PwC’s Dusaud said that a number of GDPR-affected companies didn’t launch privacy initiatives due to a lack of budget or because their business type or size guarantees them a low risk of exposure and penalties.

“Therefore, we see that the wave of GDPR is still rolling,” he said. “Remaining compliant over the long term will be the biggest challenge encountered by all companies.”

The Global Privacy Ball is Rolling

GDPR has also ignited a flurry of privacy activity in other countries. There is work afoot both at the federal and state levels in the U.S. to establish stronger privacy policies. The California Consumer Privacy Act of 2018 was ratified in June 2018, and the Washington Privacy Act bill was introduced in January 2019. Colorado has a new privacy law that mandates destroying customer data when it’s no longer needed for a business purpose.

In fact, in a 2018 IAPP survey of 550 members, 76 percent of firms reported that GDPR has motivated them to delete data when it’s no longer required for business reasons, while another 21 percent said they intend to adopt such practices soon.

At the U.S. federal level, the Social Media Privacy and Consumer Rights Act of 2018 continues to be evaluated. In February, expert witnesses testified in a Congressional hearing on data privacy that on its own, the proposed legislation — which mandates that a consumer be notified of a breach of their personal information within 72 hours — doesn’t go far enough.

The panel was divided as to whether federal privacy legislation should preempt state laws. On the one hand, some argued that having 50 separate state laws in an integrated national and global economy would be too complex and costly to administer. Others pointed out that federal legislation tends to be rigid and difficult to change in step with a digital economy that continues to swiftly evolve.

As the U.S. contemplates its next steps on privacy legislation, other countries are jumping on the privacy bandwagon. Brazil approved a new data protection law, the Lei Geral de Proteção de Dados (LGPD), which is heavily based on GDPR. China, India, Japan, South Korea and Thailand are among other nations that have passed new laws, proposed new legislation or are considering changes to existing laws to align more closely with GDPR.

Joanie Wexler is a contributing writer and editor with more than 20 years’ experience covering IT and computer networking technologies.

© 2019 Nutanix, Inc. All rights reserved.