To plenty of fanfare, the EU’s General Data Protection Regulation came into play on May 24, 2018, with the ultimate objective of standardizing and simplifying data protection rules among the EU’s Member States and allowing individuals to decide how their personal data is used.
While there is still plenty of work to be done, nations across the region have already set up solid legal frameworks that will strengthen data protection at a local level and businesses have made GDPR compliance a bigger part of their corporate culture. Additionally, individuals have become more adept at recognizing their rights under this new EU regulation.
Specifically speaking, what has marked this first year (and a half) of Europe’s (and the world’s) experience with GDPR? Are there any success stories or hurdles that remain?
Growing Opportunities for Data Protection Officers
One of the main (and very obvious) changes following the implementation of GDPR has been the growing demand for Data Protection Officers (DPOs) within organizations.
The International Association of Privacy Professionals (IAPP) estimates that European public and private companies hired approximately 500,000 DPOs during GDPR’s first year.
Furthermore, a September 2019 study by law firm McDermott Will & Emery showed that 90 percent of the survey’s participants (1,263 in total) put in place a DPO for their organization, while 54 percent of non-EU businesses surveyed appointed an EU representative to deal with GDPR.
While most of the study’s participants “appointed an internal individual rather than an external individual,” these figures confirm the overall importance of having staff members who have internalized the law and are equipped via professional certifications (for example EXIN or IAPP) to ensure that their organizations comply with GDPR’s many stipulations.
Hence, it has become paramount to join a global organization such as IAPP to keep close track of developments in the data protection world, exchange ideas and practical solutions with likeminded professionals, and update one’s knowledge on GDPR and other privacy issues via online courses, certifications, seminars and other educational opportunities.
IAPP summarizes the DPO’s importance best: “The DPO role is quickly advancing — from data protection managers to regional and even global DPOs — while the opportunities for growth are immense. Expect organizations to look for their superfood even more ferociously as the need for data protection health intensifies.”
Data Breaches Pose a Significant Challenge
According to the GDPR, companies have 72 hours—what amounts to a miniscule timeframe—to report a potential data or security breach. Hence, organizations must be fully prepared to identify a threat to individuals’ data and notify the authorities if necessary.
Case in point, McDermott Will & Emery’s 2019 survey shows that “only 18% of respondents say they are confident they have the ability to provide notification to the DPA within 72 hours of becoming aware of the event,” while 25% define “their readiness and confidence to respond to a GDPR data breach [as] very low.”
This has also presented a problem for the state institutions receiving these notifications.
During GDPR’s first year, more than 89,000 data breaches and 144,000 queries and complaints were reported with only 63 percent of them having been resolved.
Tim Reilly, COO of Zettaset, writes in Information Week that the number of cases to be investigated continues to amass with a myriad of organizations “still waiting to hear from regulators if any action will be taken against them at all, and it’s been months.”
Several reasons might explain this delay or relatively low level of enforcement.
According to Baker McKenzie’s Harry Small and Joanna E. De Fonseka, data protection authorities (DPAs) “are likely to have needed to expand their existing resources and to equip themselves for new cooperation mechanisms such as the one-stop-shop.”
Furthermore, DPAs, the authors explain, could “also have chosen to allow organisations more time to complete or improve their GDPR compliance programmes and therefore opted for a relatively light-touch approach to enforcement in the past year.”
Finally, DPAs might still be focusing on “historic infringements which occurred pre-GDPR, and therefore needed to be dealt with under the previous legislation.”
Heightened Global Awareness of Data Privacy
One positive aspect to the introduction of GDPR in Europe has been how it has raised awareness to data privacy issues at a global level.
Many non-EU members, for example, have moved to reform their data privacy regimes to fall in line with GDPR.
So far, the EU has deemed Andorra, Argentina, Canada (with exceptions), Faroe Islands, Guernsey, Iceland, Israel, Isle of Man, Japan, Jersey, Liechtenstein, New Zealand, Norway, Switzerland and Uruguay as offering “an adequate level of data protection.”
The same has happened at both a corporate and individual level.
According to IAPP’s Caitlin Fennessy, during GDPR’s first year, “practitioners greatly appreciated the GDPR’s role in elevating data protection among companies’ priorities and helping organizations internalize privacy risk.”
Furthermore, GDPR has encouraged individuals to take greater stock in their data protection rights.
In many cases, Fennessy explains, “Individuals or organizations have weaponized the rights the GDPR created,” while their “increased engagement with companies and regulators [is] evidence that individuals today better understand their data protection rights and how to exercise them.”
Overall, as explained by Eduardo Ustaran, a Partner with law firm Hogan Lovells, “the effect of the GDPR has been noticeable, but in a subtle sort of way.”
He did remark, though, that “it would be hugely mistaken to think that the GDPR was just a fad or a failed attempt at helping privacy and data protection survive the 21st century,” considering that “the true effect of the GDPR has yet to be felt as the work to overcome its regulatory challenges has barely begun.”
So let’s see what year two and three have in store for the data protection and privacy world!
EIMF offers a variety of courses and certifications for individuals interested in data privacy and protection. The available courses in January – June 2020 are listed below:
- EXIN Privacy & Data Protection: Foundation & Practitioner Certificate in General Data Protection Regulation
- IAPP Certified Information Privacy Professional/Europe (CIPP/E), Certified Information Privacy Manager (CIPM) and Data Protection Compliance Workshop
- Data Protection Compliance: Strategies and Tactics on How to Best Work with National and EU Data Protection Regulators
- Data Protection Practices for the Human Resources Function
- eLearning: GDPR Staff Awareness
For additional details on these offerings, please feel free to speak with an expert learning and development adviser at EIMF at +357-22274470 or info@eimf.eu