Co-authored by Rachael Reinis
It's been three years since the General Data Protection Regulation (GDPR) became effective; how time flies! Since May 25, 2018, data privacy has stepped boldly to the forefront of organizational priorities and, in so doing, elevated strategic conversations at almost every consumer-facing organization across the globe. For some, it became simply another element of their compliance strategy. For others, a confusing and frustrating requirement to implement. For consumers, it was a barrage of "updated" privacy notices and cookie banners on almost every website visited (just curious, did you actually read any of them?). We have the GDPR to thank for all of these outcomes. What's clear: organizations now regard data privacy as a strategic priority with far-reaching impacts.
The GDPR is composed of 99 articles and 173 recitals (you probably skipped the recitals; most people do, but they provide some much-needed context). In the U.S. we are accustomed to using control frameworks, like those published by the National Institute of Standards and Technology (NIST) or the Trust Services Criteria used for System and Organization Controls (SOC) 2 examinations, that provide a level of assurance regarding compliance and focus on specific control objectives and criteria. In contrast, the GDPR is based mostly upon principles. GDPR's principles (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability) caused confusion for those who simply wanted clear direction as to whether multifactor authentication is required, or guidance on how long log files must be retained. Instead, organizations are challenged to evaluate their "processing" activities against the potential negative impacts on the individuals whose personal data they are processing. Add to that actually having to determine and map what personal data is present, where it is stored, who it is shared with and where it came from. Oh, and don't forget the requirement to delete the data at the end of the retention period!
Last summer, the European Commission released an assessment evaluating the success of the GDPR after its second year. Paramount among the achievements is the GDPR's position as a well-known standard across the world for data privacy. The regulation stimulated new and improved data privacy and data protection laws across the globe. In the U.S. alone, only two state privacy bills were introduced in 2018, year one of GDPR enforcement. In 2021, there are more than 27, according to the International Association of Privacy Professionals. The GDPR should also be credited with revitalizing the fair information practice principle of individual rights. Early privacy frameworks established "data subject access" or "individual participation" as one of the four categories of privacy principles, but it is difficult to say whether organizations would have accepted and executed such a request without the "pressure" of the GDPR and other emerging privacy laws.
Highly visible, flashy headlines sweep the front page (e.g., British Airways fined £20 million, about $26 million, by the UK ICO; Google fined €50 million, about $55 million, by the French CNIL), but enforcement of the GDPR should instead be seen as the mechanism holding organizations accountable for sound privacy practices. While total fines for noncompliance doubled between January 2020 and 2021, the Commission's assessment of the regulation's effectiveness highlighted a need for continued improvement. One specific request was for "more practical advice [and] in particular more concrete examples" from the European Data Protection Board (EDPB). The human, technical and financial resources needed to effectively enforce the regulation are a significant hurdle, one that U.S. state privacy bills also struggle with.
Reflecting on all that the GDPR has brought over the last three years, it is quite clear that privacy is here to stay. If you were playing the wait-and-see game or simply sticking your toe in to test the water… now’s the time to jump in the data privacy pool!
It's time we accept and embrace our role and responsibility as custodians of personal data and build data privacy programs around the principles set forth in the GDPR. Organizations need to assess and remediate their identified gaps, build a sound data privacy program and continue to monitor it. If your organization needs help with any aspect of making data privacy a high-functioning, lawful, fair and transparent part of your organization, Baker Tilly is here to help.
Happy birthday, GDPR!