GDPR anniversary: One year on, have we actually gotten any better at compliance?

Now that the dreaded GDPR implementation date is one year behind us, we take a look at why organisations are still struggling with GDPR and where improvements can be made

The issue of privacy, and the degree to which an organisation should be responsible for the collection and use of customer data, has been an area of hot debate within the enterprise space over the past 5 years. We now live in a universally pervasive privacy culture, where consumers are increasingly aware of their digital rights and have every inclination to enforce them. One of the tipping points in this process of global privacy awareness and enforcement was, of course, the General Data Protection Regulation (GDPR), which came into force in the EU exactly one year ago tomorrow.

One year on, GDPR is still the most robust set of laws governing the use of personal data by both public and private organisations in the world. It started somewhat of a privacy revolution, with many major organisations visibly getting their ducks in a row, with a flood of consent-seeking emails hitting consumer inboxes, and basically every data-collecting website on the internet asking for consent to use your data upon landing.

It started a conversation, and fundamentally changed the way organisations from around the world collect, manage, and process personal data, as of course, it doesn't only affect those companies based in the EU.

The state of GDPR compliance now

While GDPR affects any organisation that processes data from EU residents, it also spurred many other countries to enact their own laws, one of the more notable being the US state of California's Consumer Privacy Act (CCPA). Providing an additional spotlight on the issue of privacy have been the various gaffes of some major organisations, such as Facebook's Cambridge Analytica scandal and indeed Google's huge GDPR fine.

However, while there is more consumer awareness of privacy issues globally, there are still considerable struggles for a lot of organisations trying, and in many cases failing, to become GDPR compliant as the deadline came and went. Unfortunately, this doesn't seem to have changed all that much in the year since the regulation was implemented. In some cases, non-compliance doesn't just manifest in the management of data in one or two hard-to-reach systems or in the fine print of a privacy policy; it manifests in complete disregard for the laws themselves.

At a media roundtable event taking place in Gothenburg, Sweden, NTT Security presented research from just before GDPR went into effect, showing that fewer than half of those surveyed in Europe believed that GDPR applied to them. While these figures are sure to have increased since, NTT says there is still a definite sense of disregard toward the laws.

"On GDPR we're still largely getting two responses," says NTT Security VP of Consulting for Europe, Patrick Schraut. "Half of our customers have a perspective on GDPR of 'I just don't want to hear those four letters anymore'. They just want it to go away and don't care for it anymore. The other half never cared for it."

What are companies still struggling with?

While the compliance challenges associated with GDPR generally vary depending on the nature of an organisation, there are certainly a few common threads among even vastly different types of organisations. In an interview with IDG Connect, Talend senior director of data governance Jean Michel Franco said it is "worrying" to see so many firms still non-compliant with GDPR, especially when it comes to responding to requests from customers and employees exercising their data access rights. A big part of this, Franco says, comes down to the way in which organisations utilise their Data Protection Officers (DPOs), in terms of how their responsibilities are assigned.

"In many cases just hiring a DPO is not enough, there are masses of data and often thousands of requests which, for one person, is an extremely large task," Franco says. "The DPO is often overwhelmed and bombarded with requests, such is the scale of the task at hand. Firms are moving in the right direction, but they still lack the organisation and resources to meet requests and ensure compliance.

"When an individual asks for their data, providing it to them should be simple, but many firms lack the IT systems to accommodate these types of requests. Firms are not yet ready to handle these types of requests, often lacking the automated systems and organised data that would enable a smooth, quick and simple process."

In this way, employing a DPO is just the first step in achieving GDPR compliance, rather than the final one. In actual fact, the DPO doesn't have to be just one person. As HeleCloud CEO Dob Todorov explains, hiring a DPO, especially for larger organisations, should be a matter of outlining responsibilities and assigning them accordingly amongst a team.

"The DPO is responsible for designing, implementing, managing, and auditing the data protection system, and all underlying activities, including staff training, and external communication with regulators and data subjects," Todorov says.

"This is a demanding set of responsibilities, overwhelming for any one individual. In medium to large organisations, it would be more appropriate to have a DPO team or a multidisciplinary committee that can carry out these duties. Many organisations find it beneficial to split the responsibilities in a way whereby governance, audit, implementation and operation functions complement each other as part of a wider DPO office."

Public organisations and larger enterprises experiencing the most headaches

It's inarguable that all kinds of organisations have had their issues. However, according to Franco, one type of organisation that is particularly struggling with GDPR is the public-sector body, such as the UK's NHS. This is because of the difficulty of locating the process for obtaining the required data, or of finding the person responsible for managing it.

Referring specifically to the UK market as an example, Franco says, "The public sector is regularly called out for lagging behind in its digital transformation efforts and a complex web of legacy IT systems is just one factor contributing to the sector's struggle with GDPR. On top of this, organisations like the NHS have enormous quantities of highly sensitive data which - when paired with an outmoded IT structure - makes compliance more challenging."

Beyond the public sector though, Franco says bigger firms could be set to feel the pinch. This, in part, is due to the rise in consumer complaints, which are being made either individually or, crucially, as part of group action lawsuits. As consumers become more and more empowered to exercise their various privacy-related rights, they aren't afraid to take on large corporate entities as a group. We have seen this playing out recently through the considerable spike in reports to the Information Commissioner's Office (which have increased by 160%) and class action cases brought by 45,000 European citizens, driven by three associations including Privacy International.

"Regulators are overwhelmed by the numerous complaints and so big influential firms may find themselves most at risk, since regulators may prioritise those group action cases in which numerous complaints have been brought against a firm - rather than a few individual complaints against a smaller firm," Franco continues.

Misunderstanding risk and obligations

The very concept of GDPR has been a mind-boggling one for many organisations to grasp, and they have really struggled to understand what, specifically, is required of them. White & Case Partner Tim Hickman, a privacy lawyer and GDPR expert, says there is generally a fundamental misunderstanding of compliance risk when it comes to GDPR.

"Many companies had feared the possibility of the high maximum fines under the GDPR, despite reassurance from EU Data Protection Authorities that the maximum fines were only to be applied as a tool of last resort," Hickman says. "When those fines failed to materialise in the first year after the GDPR came into effect, many companies over-corrected and assumed that there was no real risk of enforcement."

He also says many companies have noticed that enforcement has generally focused on the technology sector, leading many companies in other industries to incorrectly assume that they're not at risk of consequences for non-compliance. He does say, however, that this level of understanding is now improving.

"There are strong indications that companies will develop a better understanding of these issues over time. In particular, many companies are now being forced to grapple with the enhanced rights of individuals under the GDPR," Hickman continues.

"For example, companies are increasingly receiving requests from individuals to exercise their right of access to their personal data. Companies are quickly discovering that locating and disclosing these data within the mandatory 1-month deadline, without inadvertently disclosing other information to which the individual is not entitled, is a difficult task, and requires significant investment in the correct IT measures and staff training."

Hickman also identifies four major common misconceptions that organisations have when it comes to maintaining compliance with the GDPR.

"GDPR only applies to the personal data of EU citizens"

Hickman says this is an error that cuts both ways: it may cause businesses to wrongly exclude non-EU citizens from their GDPR protections, or alternatively it may cause companies to go to extreme lengths to ensure GDPR compliance for EU citizens employed outside the EU, where there is no need to do so.

In this way, businesses must ensure that they're completely up to date on the situations where GDPR compliance is relevant.

"Businesses that are not consumer-facing do not need to worry about GDPR compliance"

While consumer-facing organisations may definitely have more headaches when it comes to GDPR, that doesn't mean that the regulation isn't relevant to the B2B sphere. B2B organisations still process the personal data of their employees, website visitors, and of third-party contacts at any businesses with whom they interact.

The latter category, especially, can often make for a complex web of compliance obligations that businesses aren't always aware of. Consequently, Hickman says, all companies that fall within the scope of application of the GDPR are subject to its compliance obligations.

"The greatest risk comes from malicious third parties (e.g., hackers) trying to gain unlawful access to data"

This misconception leads organisations to disregard the risk presented by the company's own employees. Hickman says staff present risk in two ways. Firstly, well-meaning employees may look for ways around restrictions imposed by IT security teams in order to do their job more easily, such as using online file hosting to get around disabled USB ports.

Secondly, disgruntled employees (or former employees) increasingly use data protection as a weapon against companies in order to mount employment-related claims.

"All we really need to do is focus on consent"

There is often a misconception that consent is the best way to address GDPR compliance. However, the waters can be muddied by the difficulty of obtaining valid consent, as Hickman explains.

"In many cases, it is not possible to obtain valid consent, because the standard for consent under the GDPR is very high and requires, among other things, that consent must be 'freely given'," he says.

"This means that consent is not a viable option in, for example, most employment relationships. In addition, consent under the GDPR can be withdrawn at any time, making it an unreliable basis for processing personal data."

To exemplify this point, Hickman describes a situation where an organisation obtains consent, but the affected individual later withdraws it. The company still needs the relevant data, so it is presented with two options: respect the withdrawal of consent and give up the required data, or keep processing the data and violate the GDPR as a result. Hickman says it is, therefore, best not to rely on consent, except in cases where the company can readily cease processing the affected data on withdrawal of consent, without significant adverse business impact.

Bigger fines just around the corner

Looking at the wider scope of actual punishments and fines doled out as a result of GDPR infractions, consequences have been rather minimal. Research from personal data security platform Digi.me indicates that out of 11,468 total reported data breach cases closed by the ICO, only 29 resulted in monetary penalties, representing a penalty rate of 0.25%. Conversely, there was a huge increase in privacy reports between the 25th of May 2018 and May 2019, with a total of 37,798 data protection concerns raised. This may indicate an issue with the public and organisations over-reporting to the ICO, but it could also represent somewhat of a grace period offered by European regulators.
