25 May 2019 marked the first anniversary of GDPR coming into force. Without doubt, GDPR is one piece of legislation that turned privacy concerns on their head and made businesses take privacy seriously.
GDPR is revolutionary legislation which puts control of personal information in the hands of consumers (those in the EU in this context).
One of its key far-reaching impacts was on the way Internet companies collected and used consumers' personal data. Monetizing data without the data subject's (the consumer's) consent was a huge business, with data being traded without any restrictions.
Importantly, the regulation brought responsibility and accountability into the way companies handle personal data (Personally Identifiable Information, to be specific) – collecting, processing, storing and disposing of it. That meant they had to invest in data centers, redefine their software applications' architecture, re-engineer process flows, and so on.
The achievements are numerous, and the most important is that companies can no longer take users' data for granted. The regulation sets compliance standards that organizations must meet and levies penalties for failure to safeguard PII. Here is a list of GDPR's key achievements:
- Mainstreaming Data Privacy
Data privacy is in the limelight and PII has got its due. For a long time, privacy as a domain played second fiddle to security. Privacy of personal data was underrated, understated and given short shrift in favour of data security. With the advent of the GDPR era, privacy came of age, with the regulation putting the consumer in the driving seat as far as the management of their personal data is concerned. Due to stiff penalties for violations and the resulting bad press, data privacy has found a place on boardroom agendas.
- Paradigm Shift in Personal Data Management
GDPR requirements have significantly altered business processes and practices across the entire gamut of managing personal data. Earlier, with no regulations in place, it was practically a wild-west scenario in how consumers' personal data was handled.
Since GDPR came into effect, companies have changed their data workflows, adopted privacy by design as the norm, reworked business processes, and re-architected software backends and frontends – all in order to stay compliant with GDPR. Plus, EU consumer data needs to be stored within the EU region.
- Speaking the same language on PII
Earlier, there was ambiguity around what exactly constitutes PII. With a clear definition of PII there is no such ambiguity, and in fact the scope of PII has been broadened to include natural identifiers such as genetic or social identities, as well as online identifiers from applications or tools such as IP addresses, cookie identifiers, etc.
- Accountability – Breach notification requirements
Businesses can no longer brush data breach incidents under the carpet. The regulation requires them to notify data protection authorities about data breaches or security incidents within a stipulated timeline. GDPR brought accountability to how organizations handle consumers' personal data.
- Consumer is king
"The consumer is king" is a clichéd phrase in the business world, yet when it came to their personal data, consumers had no control over it whatsoever. With the beginning of the GDPR regime, consumers get a big say in the management of their personal data:
- The conditions around obtaining consumer data have become stricter.
- Consent must be obtained separately for different processing activities.
- The consumer can withdraw consent and can exercise the right to be forgotten as well.
- GDPR-style legislations across the world
GDPR has spawned a wave of privacy legislation in many countries, including Brazil, Vietnam, China, Japan, Thailand and South Korea. India, one of the key hubs of IT and IT-enabled services (often called the back office to the world), has come up with a stringent Personal Data Protection Bill in 2018, which is awaiting passage in Parliament as an Act this year.
These privacy regulations are a testament to the importance being accorded to consumer data worldwide, and also to countries' efforts to keep themselves competitive as outsourcing destinations of choice. Many US states are also bringing in privacy regulations, the latest being California's Consumer Protection Act of 2018, which goes into effect on 1 Jan 2020.
On the first anniversary of the GDPR rollout, IAPP[1] brought out an infographic with significant numbers showing how GDPR has fared in its first year:
While GDPR has achieved a great deal since its advent, some key challenges persist and throw spanners into its effective implementation.
- Privacy Awareness is still an issue
As with security awareness, privacy awareness is lacking among general staff and even in the higher echelons of management, especially in non-EU companies. In a recent survey conducted by nCipher Security[2] to assess American awareness of data privacy, the results are astonishing:
- 52% of Americans said data privacy is important to them.
- 41% said protecting their personal information is their top concern.
- 32% said safeguarding their personal data is as important to them as their own physical protection.
- Privacy Culture yet to be embraced
A robust culture of privacy needs to be fostered and sustained in companies to drive home the importance of data privacy. A knee-jerk reaction to embrace privacy is not going to work. A planned strategy, starting with setting the tone at the top with visible support and tangible sanctions for violations, is the key factor in inculcating a privacy culture that resonates with the organizational goals.
- Lack of qualified professionals to manage data privacy
The GDPR era has exposed the lack of qualified and experienced professionals to run and sustain data privacy programs. Many companies manage the privacy function within the legal team, some within IT or Information Security. What they fail to understand is that a data privacy program is an ongoing function that cannot be an additional responsibility; rather, it requires a full-time team of qualified professionals headed by a leader who has the required expertise.
- Clubbing DPO role with CISO
While GDPR mandates a distinct Data Protection Officer (DPO) role for privacy matters within organizations, many companies make do by clubbing it with the CISO role. Though there is nothing stopping a company from assigning the DPO role to the CISO, the DPO role needs to stand alone to fully optimize the data privacy function without any conflict of interest with information security.
In Conclusion: Privacy still has a long way to go!
Without doubt, GDPR has set the global standard for data protection putting the consumer at the heart of it.
GDPR, for sure, is a great start, but privacy has a long way to go. At the core of the data privacy domain in the context of GDPR is the responsible management of consumer data: organizations earning the trust of consumers and eschewing the lure of commercial gains from monetizing data, as was the case before the rollout of GDPR.
Written By: Ram Kumar