It’s been one year since the General Data Protection Regulation (GDPR) was implemented, and it’s shaken up the way many companies approach data privacy and third-party cybersecurity. We asked Dov Goldman, Panorays’ director of risk and compliance, to share his insights about this sweeping regulation.
What have been some of the biggest changes on the privacy and security front since GDPR went into effect last year?
Besides the complaints filed against the obvious suspects like Google, Facebook and Instagram, we’ve definitely seen a number of changes to how companies ensure data privacy. Many firms have implemented consent pop-ups, updated privacy policies and more tools enabling user control.
That being said, these enhancements have primarily been limited surface treatments, and much less of the extensive "privacy by design" envisioned by the regulators.
What has been the biggest operational impact for covered entities? In what areas are organizations struggling the most?
Many companies have gone through the first phase of assessing their GDPR compliance; they’ve undergone a gap assessment. Where needed, some have performed a DPIA, or “Data Protection Impact Assessment,” a more detailed review of the technical and organizational capabilities to ensure privacy for customers or employees. These efforts have led firms to update privacy policies and implement tools to enable user control over their personal data.
Few companies, however, have dealt effectively with some of the thorniest issues, including the accountability demanded by the regulation (articles 28 and 30) with regard to third-party data processors and the requirement (article 33) for notification to the supervisory authority within 72 hours of a breach being discovered.
What is your perspective on how strictly GDPR requirements have been enforced till now? Has enforcement been as strict as expected?
There have been relatively few enforcement actions and large fines to date. The French data regulator, CNIL, fined Google €50 million for a lack of transparency and consent in advertising personalization. The rest of the fines were €400,000 or less, with most significantly lower.
Why so little activity? It's most likely because GDPR enforcement is fundamentally local. Each of the EU Member State data regulators is responsible for oversight and enforcement actions, and these organizations have generally been understaffed. Relatively speaking, only the UK ICO (Information Commissioner's Office), with its 500 employees, has a notable history of enforcing a privacy regulation, the UK Data Protection Act of 1998.
If this trend continues, it will mean that companies won’t work towards GDPR compliance, because they will believe that it won’t be enforced. Given the sweeping privacy trends and concerns, consumers, and hence regulators, won’t allow this to happen. The regulators are starting to recognize this gap. In fact, we can already see staff at EU Member State Data Protection Commissions growing. Before hiring, we predict that the regulators will consider further enforcement controls to ensure that GDPR is effectively followed.
What role has GDPR played in spurring other consumer privacy laws, like California's CCPA, for instance?
GDPR has certainly increased consumer awareness of the need for digital privacy, but the text of CCPA itself makes clear that concerns over the sharing of consumer data without consent were the driving force behind the creation of this new US regulation. The single biggest factor may well have been the Facebook-Cambridge Analytica scandal, in which millions of Facebook profiles were harvested for political advertising.
However, it’s impossible not to think of this law as following on the heels of GDPR. The precedent of GDPR demonstrates that such regulations, regardless of whether they will increase security and privacy in practice, have made lawmakers and consumers worldwide understand that such standards can be set. Furthermore, it is certainly likely that similar privacy regulations will be adopted by other states. We saw this in the past when California was the first state to publish its breach notification law and most states followed with a similar law of their own.