Monday 25 May marked the second anniversary of the application of Europe's strengthened data protection rules, the General Data Protection Regulation, widely known as the GDPR. But how far have we come since implementation and is the regulation really working as it should?

In this article we will talk about how GDPR has evolved over these past two years. We will discuss whether companies in general still rate GDPR compliance as a key issue, and if they feel more secure in their understanding of the regulation since the implementation.

As part of this piece, rather than only sharing our own A&M thoughts (of which we have many), we thought it would be insightful to enlist the help of some industry experts and get their views on the GDPR anniversary too. What follows is a crowdsourced article full of expert insights from across the industry. I do hope it proves to be interesting reading.

Kate Vernon, Partner at Quinn Emanuel Urquhart & Sullivan LLP, kicked off our piece by talking about the complexities of the regulation and stressed that her sense was that there are still just as many questions as there are answers in how to manage GDPR risks in the context of multi-jurisdictional litigation. Kate explained, "the international transfer issue is one of the biggest challenges I feel for businesses operating in the EU and those based outside the EU that nevertheless have business in and with the EU. The complexities of managing this are real and in cross-border litigation we need to work carefully to think through the implications for the time and cost of such litigation."

The international element of data transfers has always been a topical issue as Kate rightly sets out. With Brexit fast approaching this is going to become hugely important from a UK perspective as we look to get some sort of adequacy finding...or not!

Simon Steggles, Owner of Disklabs, stated that, complexities aside, the regulation hasn't yet gained enough traction to make a real impact. He explained, "there hasn't been enough in the media about those who have breached this regulation and the consequences of it." Simon thought that once a few more high-profile companies were hit with huge fines, "boards will take it more seriously."

Jonathan Maas, Managing Director of The Mass Consulting Group, also saw some holes in the way the legislation was being regulated and enforced. He explained that it was interesting to see that the ICO is currently being audited following claims it is unfit for purpose (UK Government orders major audit of the ICO's operations, Decision Marketing). He said, "The Government has parachuted in a global management consultancy to run a major audit of the Information Commissioner's Office, following claims that the regulator does not have the clout to take on the tech giants and is not fit for purpose."

Certainly, Simon and Jonathan both raise interesting points about the enforcement of the GDPR and specifically the role of the ICO. It will be interesting to see how this develops over time, as I'm sure that the ICO and other regulators around Europe want to ensure that the GDPR is adhered to in practice and does not become a tick-box exercise.

As we always say, regulation is only as good as the regulator.

Ian De Freitas, Partner at Farrer & Co, noted that, "two years into GDPR it is the area of enforcement that is coming under pressure." He went on to say that, as serious fines begin to be levied by regulators, so too will there be push-back from organisations about whether the process and levels of sanction are reasonable. "Like most toddlers," Ian said, "GDPR is still finding its feet in this area; the 'terrible twos' look like they might be interesting."

Ian's comment made me chuckle as the "terrible twos" is a very interesting analogy when it comes to looking at GDPR. We had the original upheaval as firms prepared for its introduction and then the arrival, followed by some catching-up for those who did not quite make the deadline two years ago.

However, two years is a long time and it's important that firms continue to focus on ensuring compliance and best practice; otherwise they could be embarrassed by a data loss or breach... a bit like when a two-year-old has a meltdown in the middle of a supermarket!

Bryony Long, Partner and co-head of Lewis Silkin's Data & Privacy practice group, was more positive and commented that: "Since the implementation of the GDPR, a number of businesses have been making good strides to achieve a reasonable level of compliance although in the main there is still a lot of work to be done."

Hazel Grant, Head of Privacy and Information Law at Fieldfisher and a London partner, agreed that clients are starting to recognise the importance of the legislation: "we have come a long way in two years; we are seeing clients recognising many new compliance activities as normal (e.g. creating and updating records of processing, DPIAs, LIAs, having a DPO and the like)." Hazel went on to say that whilst GDPR is still seen as a key risk, the status it had in 2018 has fallen a little. She explains, "so much has happened in the last year, let alone the last few months, to knock GDPR off the top spot. Our clients are still concerned with compliance, but I expect a number of businesses will be waiting to see when the really big fines happen. A number of fines near the 2% or 4% limit would elevate GDPR again to near the top, if not the top."

Bryony Long also warned that, "while some businesses might have the right paperwork in place demonstrating a good level of technical compliance, their operational compliance is still falling significantly short of the mark. This lack of operational compliance is due to a number of reasons including overly complex processes, lengthy documents and general lack of training and awareness. However, one of the main contributing factors to this poor operational compliance is the lack of good data protection governance. For this reason alone, data protection compliance should remain at the top of any boardroom agenda and properly governed."

Bryony raises a very interesting point in that the GDPR was designed to be a living and breathing concept, rather than a piece of paper that firms comply with. In my opinion, firms need to operationalise GDPR into what they do now and what they plan to do in the future. It needs to filter into all aspects of governance and firms should look at how they can derive competitive advantage from it. I definitely agree that it should remain on the boardroom agenda for some time to come – as is illustrated by Hazel's comments on GDPR and what will happen if big fines become a recurring reality.

Andrew Moir, Partner and Global Head of Cyber and Data Security at Herbert Smith Freehills, focused on the enforcement side of things in his response to the GDPR anniversary. He said, "it's clear that the GDPR has shifted the approach to data protection significantly in the two years since its introduction. A lot of what matters though is how it is enforced. While there's been an array of decisions coming out of the ICO and other regulators, it remains the case that a lot of the GDPR is substantially untested, and questions remain over how it should be interpreted and applied."

Andrew concluded by saying that he thinks this will change as we get more decisions coming out of the regulators and – importantly – some judicial decisions from the Courts, but until then some uncertainty will inevitably remain.

Andrew raises some interesting points on the untested and interpretation aspects of GDPR, and, as time passes, we are sure to see more clarity. Both courts and regulators will continue to take action and push the GDPR agenda down to firms – and on top of this there will be privacy evangelists who continue to take action to drive the law forward and force it to be considered by the courts.

GDPR isn't going away anytime soon. And frankly, it's only going to become more relevant in the current environment with data flowing more widely due to the current pandemic.

With more people working from home, more business being performed online rather than in person, and indeed more data being shared as Governments relax the rules around (and in fact encourage) firms sharing data to ensure that public services are maintained, getting GDPR right is going to be more important than ever.

At some point, the regulatory and legal lens will come to focus on these changes. This means firms need to ensure that privacy and security concerns are adequately implemented and managed as they adapt to the new way of working as well as how they face future challenges. This is undoubtedly something that everyone will need to keep an eye on.

As Bryony Long rightly summarises: "while we may not have seen the flurry of eye-watering fines, they are on the horizon now regulators have their houses in order and are beginning to work more closely together. The risk of class action is also on the rise making good GDPR compliance essential. I would fear for any organisation who thinks the GDPR tidal wave has passed."

Originally published 8 June, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.