How has GDPR actually affected businesses?
The EU's General Data Protection Regulation went into effect a year ago this month, impacting businesses across the globe that touch information from the region. With its onset, no legitimate businesses can ignore the regulatory requirements for obtaining, storing, or using personal information, said Raef Meeuwisse, author of Cybersecurity for Beginners and external relations director for ISACA's London chapter.
"A few years back it was not unusual for a supplier audit to find some mid-sized companies completely missing any privacy policies, standards and job function-that is no longer the case," Meeuwisse said. "The uptick in privacy regulations and potential fines seems to have worked as a wake-up call for organizations to treat their duties of care for personal information more seriously."
SEE: IT pro's guide to GDPR compliance (free PDF) (TechRepublic)
As such, GDPR has had a "tremendous impact" on how businesses handle data, said Michael Podemski, senior manager in the advisory services practice at EY and a board member of the ISACA Chicago chapter. Most organizations are now required to have a legitimate interest to collect and use data-no longer can they just collect it because they can, Podemski said. Organizations also must delete data after its intended use, and can no longer retain that information indefinitely.
However, achieving full and efficient privacy-by-design is still a long way off for the majority of organizations, Meeuwisse said. "It is likely to be many more years before organizations have systems and processes where managing personal information in compliance with regulation is something their systems and processes were originally designed to do," he added.
More privacy work to be done
GDPR "has moved data protection and privacy from a back office, often ignored, compliance matter to an important issue that is on the agenda of almost all companies, large and small," said Aoife Sexton, chief privacy officer for Trūata. "Similarly, GDPR has raised awareness amongst consumers on their rights regarding the personal data that is being collected and processed about them."
However, a year in, many organizations are now realizing that their GDPR readiness programs have fallen short of reaching a meaningful level of compliance, and more work needs to be done, Sexton said. Many organizations have treated it as checking a box, instead of completely changing their practices.
"To be able to really show that they have embraced both the letter and the spirit of the GDPR, organizations need to move beyond these superficial compliance layers to the deeper layers of compliance, from embedding sound data governance in all of their business processes, to demonstrating accountability," Sexton said.
Many companies prepared for GDPR by updating the terms and conditions on their websites, creating data inventories and retention policies, and updating access controls, Sexton said. These are significant steps, but do not take into consideration the full impact of the GDPR across their organizations, and on the deeper data and operational layers of their organization, she added.
For example, take the secondary use of personal data like analytics. Many companies are still trying to define the processes and mechanisms needed to ensure this secondary data use is being managed in a compliant way, Sexton said.
Financial repercussions and consumer concerns
Enterprise interest and investment in data privacy is driven by financial risks-not just the regulatory fines, but the potential brand damage as well, Meeuwisse said. The European Data Protection Board recently reported that there had been 206,326 cases of breaches and complaints reported so far, and €56 million (about $63 million) in fines issued. However, because many of the supervisory authorities are still in a period of leniency, almost half of the cases have not yet been completed and closed.
"Whether organizations continue to take data privacy more seriously is mostly down to how stringently the regulators punish major infractions, and how us regular people decide to vote with our feet (or not) to abandon organizations who repeatedly fail in the way they care about, secure, use or lose our personal information," Meeuwisse said.
It remains unclear whether or not GDPR has moved the dial on consumer trust amid so many high-profile security breaches, Sexton said.
"There still appears to be widespread confusion amongst consumers on how their data is being used and who it is being shared with," Sexton said. "Companies therefore need to do more as regards transparency and more to demonstrate how they are acting ethically and responsibly with regard to their customers' data. It is unrealistic to burden the consumer with the responsibility of reading reams of privacy notices to try to figure all this out."
Organizations not currently impacted by GDPR will likely soon be affected by other data protection regulations and privacy laws, such as the California Consumer Privacy Act or Brazil's data protection law, Lei Geral de Proteção de Dados (LGPD), Podemski said.
"Organizations that have dealt with the GDPR will have more experience to prepare and implement any new data protection regulation or privacy law," Podemski added. "Other organizations will need to develop and implement a privacy program to address these new data protection regulations and privacy laws."
GDPR, CCPA, and LGPD are just the tip of the iceberg for data protection regulations and privacy laws, Podemski said. "We should expect more in the next coming years, which will continue to impact organizations globally," he added. "As long as your privacy program is built for adaptability and sustainability, you will be prepared for the future."
For more, check out 4 ways to prepare for GDPR and similar privacy regulations on TechRepublic.