Two Years After GDPR: Where We Stand, Where We’re Going


On May 25, 2018, GDPR went into effect, establishing the first solid floor for comprehensive privacy protection in the EU.

The new regulation created a single set of data protection rules for consistent compliance all across Europe. Anyone who does business in Europe falls under GDPR’s purview, as well as anyone who knowingly processes the data of European citizens.

Advantages and Challenges

For the past two years, GDPR has forced organizations within (and outside of) Europe to completely rethink how they dealt with data. Both privacy-aware businesses and those with their heads in the sand had to wake up and pay attention to how they collected, shared, used, and disposed of valuable data.

The new spotlight on privacy affected budgets, roles, and communications. In response to GDPR, many organizations hired Chief Privacy Officers and Data Protection Officers for the first time to meet reporting standards, ensure regulatory compliance, and operationalize the handling of data. Companies that collected or controlled data (“controllers”) had to have active conversations and draw up contracts with the companies that processed their data (“processors”).

The new regulations also advanced public awareness of individuals’ data privacy rights, encouraging data subjects to hold organizations accountable for properly collecting and managing their information.

Trouble is, the burden falls on the “data subject” or end-user to take control of their own data. GDPR relies heavily upon consent. And while GDPR allows for the right to withdraw consent, that may not be enough to give data subjects—the people who are in need of the most protection—any real, meaningful control over the processing of their data.

The fact that GDPR calls for privacy self-management is a hotly debated topic. As Professor Daniel Solove says, “consent legitimizes nearly any form of collection, use, or disclosure of personal data.” So, if consent isn’t well understood and those additional rights aren’t properly handled, data subjects might not be much better off than they were in a pre-GDPR regime.

A Cross-Stakeholder Approach

Successful GDPR compliance requires a cross-stakeholder approach that involves communication and cooperation among data privacy, security, and governance teams—in addition to legal, IT, marketing, and any division that has a hand in processing personal data.

Many businesses have set up fully operationalized programs to ensure a single truth behind their data so that it’s accurate, high-quality, secure, and has actionable procedures in place in the event of a data breach.

One key measure of success is the ability to respond in a timely fashion to data subject requests and avoid piquing the interest of supervisory authorities. To do this, organizations need a clear view of the data they process, how it maps out, a way to fulfill those requests, and somebody who is in charge of decision-making when it comes to data.

While complaints and inquiries are inevitable, organizations that can demonstrate how they have abided by the intent of the law will be in a better position both with enforcement authorities and in the public’s perception.

A Far-Reaching Influence

GDPR has turned out to be a trailblazer, spearheading privacy and data protection laws beyond the EU.

Brazil, for instance, took a page straight out of GDPR’s book by formulating its own omnibus data protection regulation (LGPD) and even leveraging similar provisions—such as “personal data” terminology, extraterritoriality requirements, and several rights that data subjects can act upon.

California’s Consumer Privacy Act (CCPA) took a slightly different approach, but it also provides “consumer rights” for California citizens. If the new ballot initiative for the California Privacy Rights Act, or CPRA, goes into effect, then the California law will exceed GDPR in terms of requirements, obligations, and non-compliance penalties for entities processing the data of California consumers.

Looking forward, the EU’s next phase for privacy regulations is also in the works. While there has been a delay due to the COVID-19 pandemic, the European Commission (EC) is set to undertake its review and report out on issues surrounding GDPR’s implementation. Experts have already started pointing out a number of drafting flaws for the EC to take into account.

On the American front, there are a number of state privacy bills and well-meaning discussions about federal privacy legislation that are gaining traction. On a global scale, we’ll likely see more and more countries come out of the woodwork when it comes to data protection. India, China, Australia, Japan, South Africa, and Turkey are a few nations that have laws either currently on the books—or ready to go into effect.

And while no one has a crystal ball, ideally there would be a multi-stakeholder effort to create an omnibus privacy regulation across the globe to process data on a more harmonized, consistent, and protected basis.