Inching toward GDPR’s one year mark: analysis and way forward

Data privacy and protection have seen immense interest and awareness in the last couple of years. Today, the personal data of consumers, cross-border data flows, online transactions and real-time data exchange are just some of the areas under close scrutiny. Governments across nations have already taken steps and are trying their best to bring in regulations in response to the chaos around “data”. The EU’s General Data Protection Regulation (GDPR), applicable with effect from 25 May 2018, has been one such piece of legislation: a pioneer in many ways, yet companies are still struggling to protect their data while keeping the rights and interests of their customers (termed data subjects) in consideration.

So what have companies been doing in the last year? We saw some companies improving existing data governance and privacy protocols, while others implemented new frameworks altogether to steer clear of the data protection authorities’ radar. But a number are still struggling as compliance requirements continue to evolve. For instance, there are businesses still trying to get a sense of the existing gaps in their environment, often running into new areas they had not even considered at the outset. Given these challenges, many companies have responded to tough questions or situations by ramping up processes, technology, people and standards. This way, they can have a more stable, effective and GDPR-compliant data and information governance and data protection framework.

As we approach the one-year mark since the roll-out of GDPR, let’s briefly look at the evolving data privacy landscape, the implementation work done and the challenges faced by organizations as they try to become compliant.

A look back in the pre-GDPR era

The last two years have seen varying levels of maturity and understanding when it came to GDPR. Some companies, frontrunners in the race toward compliance, proactively started their preparation in advance by conducting a GDPR gap (current state) assessment. Others were fairly disorganized and did not really know where to begin or end their GDPR journey. In such cases, a fact-based and independent assessment approach became paramount. Some of the distinctive scenarios observed are highlighted below:

a) Understanding the scope and impact – Initially, many non-EU companies had trouble understanding the applicability and purview of GDPR (territorial scope, quantification of the volume and importance of the personal data they processed). In such cases, it was essential to conduct a walkthrough of all in-scope locations and processes to get a deeper understanding of:

  • Flow of Personally Identifiable Information (PII of EU data subjects)
  • Lawfulness of data processing

Organizations also had to pay close attention to processes, services, or products that handled special categories or had a significant volume of EU PII.

b) Importance of data (governance, structuring and protection) – Many companies had not clearly conceptualized their key data processing areas, repositories and data flows. Therefore, they did not have the appropriate security mechanisms and accountability in place to protect the data (PII in many cases) in transit and at rest. Analysing such data flows to track the entry points and how the data is processed and used during its entire lifecycle became essential. Conducting data analysis, with a focus on personal (consumer and employee) data, to ascertain its quality and adherence to data governance and privacy protocols was also crucial.

c) Cross-border data flow when managing third parties – Many organizations outsourcing data processing were unclear on how third parties were processing, sharing and storing personal data, and whether (or not) they were adhering to GDPR requirements. In cases of cross-border data flows, companies had to evaluate whether:

  • They had legitimate reasons for the data transfers
  • They had obtained appropriate consent from the data subjects
  • The destination country or organizations had adequate safeguards to protect the company’s data

In such cases, a close review of Master Service Agreements and binding corporate rules had to be conducted to understand the roles, responsibilities and liabilities of both parties. Many companies also conducted a privacy impact assessment to identify and mitigate third-party risks while evaluating the GDPR readiness of the third party and its subcontractors.

d) Privacy by design and privacy by default – High costs and complex technologies hindered many companies’ grasp of how to build privacy measures into their systems. The solution was to conduct a privacy impact assessment, so that companies have the technical mechanisms to protect PII in the new system’s design.

e) Lack of records retention – Surprisingly, many companies did not have a comprehensive records retention schedule and kept certain data indefinitely, even though there was no legal requirement or business need to do so. In this case, it was imperative to understand the privacy laws and requirements of each jurisdiction and the expectations of the local authorities, and to implement a records retention schedule while ensuring GDPR compliance.

Unfolding the (imminent) future of GDPR

The coming year will also see many developments on the data privacy front. GDPR has already paved the way for understanding the expectations of many upcoming privacy regulations. One such example is the California Consumer Privacy Act (CCPA), which is set to go live on 1 Jan 2020. We will also see regulatory authorities exercise stringent measures and improve their investigation methodologies as they gain experience with each passing breach and corresponding penalization. The EU is also expected to update its ePrivacy Regulation soon, which deals with 1) consent for cookie use, 2) privacy related to electronic communication services and 3) data processed by these services. This new regulation is likely to extend GDPR’s purview (including to non-personal data) and has sections on telecommunications confidentiality.

Companies will gain confidence as they build comprehensive and efficient privacy frameworks. This will make them more open and willing to pursue new directions and cultivate business ideas while striking a balance between fostering innovation and meeting privacy requirements. On the flip side, GDPR can have an adverse impact with respect to Big Data. Companies dealing in data governance and data mapping will be required to understand the purpose of data processing and be aware of its usage, sharing and storage. The use of business intelligence tools may subsequently decline, as organizations will need an in-depth understanding of the data they process and will be held more accountable.

Companies will also have to keep an eye out for emerging technologies such as the Internet of Things (IoT) and blockchain as they grapple with compliance with global privacy regulations. IoT devices typically collect large amounts of user data throughout the day, but companies may now have to collect and store this data anonymously. Blockchain will face a severe test if the ‘right to be forgotten’ clause is exercised – data lodged in the blockchain stays there. Privacy by design will need to be embedded at a conceptual level to be compliant (or at least come close to compliant) with GDPR and similar regulations on the anvil.