GDPR 6 Months on: Repercussions & Challenges
Huw Beverley-Smith and Jonathon Gunn from the London office of Faegre Baker Daniels LLP discuss the impact that GDPR has had on businesses and the ways they have reacted to the new regulation in the first six months after its implementation.
Effectiveness So Far
The run up to the implementation date of the EU General Data Protection Regulation on 25 May 2018 saw a flurry of activity – most visibly in communications with customers; notifying them of changes in privacy policies and seeking their opt-in consent for marketing activities. While many communications were not strictly necessary, they reflected the focus of many businesses on external-facing compliance initiatives, such as their public facing privacy policies and contractual arrangements with vendors.
The key practical challenges for businesses have centered on thoroughly operationalising GDPR and creating a GDPR compliance culture. The GDPR introduces some new and enhanced rights, such as the right to erasure, but equally importantly, it introduces principles which require changes to internal procedures and systems. Technology changes have often been time-consuming and expensive to implement. Creating a GDPR compliance culture has, for many businesses, been equally challenging. For many organisations, the area of focus in the short to medium term is the work required on internal-facing compliance initiatives, such as staff training and policy formulation and integration. While many aspects of GDPR compliance have taken the form of a ‘re-papering’ exercise, the challenges in becoming compliant are generally much deeper.
For many organisations, the area of focus in the short to medium term is the work required on internal-facing compliance initiatives, such as staff training and policy formulation and integration.
Practical challenges faced by businesses
Some of the practical challenges faced by businesses have been in identifying and understanding the scope of the personal data held and processed – including its nature, location, security requirements and, most fundamentally, the business drivers and legal grounds for collecting and processing such data in the first place. While principles of data minimisation and purpose limitation are not new under the GDPR, they were frequently overlooked under previous legislation as businesses collected increasing amounts of personal data and used them in ways in which were not necessarily consistent with the original purpose. Many businesses have not properly addressed these fundamental issues which are frequently coming to light in practice in two key areas: managing data subject rights and responding to data breaches.
For example, the right to erasure applies in a specific set of situations but many organisations do not possess the level of granular detail about their processing operations required to respond accurately or efficiently. Organisations which have made superficial policy changes will lack the deeper understanding of the internal business processes resulting from a detailed data mapping exercise or a thorough analysis of an organisation’s grounds for processing. This often makes responding to such requests much more time-consuming, and in certain cases leads to organisations fulfilling requests by default to save administrative burden. This is far from ideal, particularly where some data categories processed about an individual are likely to be outside the scope of the right to erasure. Moreover, there may be legitimate business reasons for retaining such data. A related practical issue is the lack of uniformity across European jurisdictions on exemptions to and derogations from the rights of individuals to have access to their personal data, and the lack of guidance from regulators on the scope of some of the exemptions.
Organisations which have made superficial policy changes will lack the deeper understanding of the internal business processes resulting from a detailed data mapping exercise or a thorough analysis of an organisation’s grounds for processing.
Another area where the lack of internal awareness becomes apparent is in respect of data breaches. The GDPR defines a data breach extremely broadly. Media attention is often focused on large-scale breaches involving millions of records containing financial and sensitive personal data. However, practically any unauthorised access to personal data (including within an organisation) can amount to a notifiable breach. This reflects the volume of data breaches which regulators are handling – with some European regulators handling between six and twelve breach notifications each day. The GDPR imposes a well-publicised default period of 72 hours during which the appropriate regulatory authority must be notified. This frequently exposes, in real time, knowledge gaps within an organisation relating to the nature and location of the personal data held, security arrangements and internal processes.
Overall impact on businesses
The GDPR is a reflection of the increased importance placed by EU law on personal privacy as a fundamental right, which needs to be taken into account when treating personal data as an essential input in business processes, if not a commodity in itself. That is simply an unavoidable cost of doing business. While increased awareness of such rights has been positive, the notification fatigue suffered by individuals has been less beneficial. This resulted partly from the lack of concrete guidance from regulators sufficiently early in the run up to the implementation date. Similarly for businesses outside the EU, the uncertainties regarding the GDPR’s extra-territorial scope has often resulted in protracted discussions and unnecessary compliance burdens. That said, there is an almost inevitable harmonisation upwards towards EU privacy standards. For example, Japan has harmonised its laws to EU standards, and there are forthcoming changes in the United States – currently the state of California, but potentially at a federal level – to move towards GDPR standards. The key test of the GDPR’s effectiveness and overall credibility will be in enforcement. Six months in, it is still too early to gauge regulatory appetite for the headline fines of up to 4% of global revenue. In the coming months, the results of investigations and enforcement actions will start becoming clear. The internal costs to businesses are more difficult to assess, although they are largely unavoidable.