Psst… have a private moment? It has been a year since the EU General Data Protection Regulation (GDPR) went live, and the world is still spinning. Let’s take a look at what transpired in the first year of GDPR.
GDPR went live May 25, 2018 and it aimed to standardize Personal Data (PD) privacy and protection duties, obligations, and rights across all 28 member countries in the EU. The new privacy regulation updates and expands the previous EU privacy directive which had been in place for two decades. With the historical reality of human rights incidents and multiple dictatorships, Europe’s focus on privacy is long-standing.
People in the EU are ever more aware of the importance of data privacy and protection, and of their newly refined rights under GDPR. They are now exercising these rights, including their Data Subject Rights to enquire, to correct, to erasure, to opt out, and to data portability. So, across the whole of Europe (except for five member countries that have still yet to adopt GDPR into their national legislation), a consistent privacy framework is in place.
As 2019 began, the Executive EU Commission reported that more than 95,000 complaints(1) had been filed across Europe under GDPR so far. The first of those complaints was filed just six minutes into GDPR Day by None Of Your Business(2) (NOYB.eu), a nonprofit laser-focused on all things privacy and protection, founded by Max Schrems, privacy activist and attorney. Then Google was hit with a 50 Million Euro fine (about $56M), the largest fine to date as of early 2019. It was levied by the French Privacy Regulator (CNIL) under GDPR for transparency and lawfulness issues (think opt-in and consent). A 50M fine may sound like a big number, but it is a mere speeding ticket for Google, a warning, if you will. The fines will get larger if Google (and others) do not comply.
As conveyed by the central EU data protection supervisor Buttarelli(7), along with many industry analysts (Iannopollo(8)) from late 2018, we have only just begun to see fines and sanctions hit major corporations for GDPR violations. Surely, some eye-popping ones are to come!
EXACTLY WHICH “PEOPLE” ARE COVERED UNDER GDPR?
Citizens of the EU, right? Be careful, this is one of those many areas where terminology (and assumptions) still catch businesses off guard as they realize that GDPR applies to some (or all) of their global business. As defined in the GDPR, it applies to all Personal Data (in any media or format, electronic and physical) of any living, natural persons in Europe. If you’re not living (sorry), then GDPR doesn’t apply to your personal data (but there may be other regulations that do). If you’re in Europe, regardless of being a citizen, legal resident, temporary alien, or just passing through an EU airport for an hour, GDPR likely applies to your personal data.
“Natural persons” refers to GDPR applying to the personal data of all living people in Europe, but not to other legal entities, like corporations, who might claim personal business data. It still does apply to all businesses, and applies anywhere in the world they are collecting, storing, or processing the personal data of anyone IN Europe. It doesn’t mean GDPR only applies to legal entities or businesses based in Europe––or only on data centers with data In Europe. It means anywhere.
IS “PERSONAL DATA” JUST PII?
“Personal Data” is just PII, right? Pedantically, Personal Data (PD) is the focus of GDPR. It covers any direct or indirect identifiers across a wide (and often surprising) range of categories and types of Personal Data that can identify a natural living person in Europe. If you’re talking GDPR, PII is merely a subset of Personal Data.
But definitions vary. For example, under the U.S. National Institute of Standards & Technology (NIST.gov) definition, a network TCP/IP address isn’t considered personal, whereas under GDPR (and most other privacy regulations) it most definitely is personal.
WHAT DID IT MEAN TO BE GDPR READY?
My point of view is it “just” meant a focus and action for getting and sustaining readiness across three activities and outcomes:
All the organizational change management activities around people, policy, process, and education to raise internal awareness of privacy and protection. Ensuring everyone is educated and practices with transparency and accountability, that there are policies in place, and that there is audited proof of their being followed. Plus, via contractual and other terms, ensuring your global supply chain sustains readiness for you.
All the cybersecurity actions and outcomes around encryption, access controls and monitoring, data loss prevention, and incident breach readiness and reporting.
Ensuring you have a good understanding of what is Personal Data across the business, by category and type, down to each main data source or system and its location. Document and maintain a Records of Processing Activity (ROPA) covering not only what is Personal Data, but also for what business process and under what lawful basis you are collecting and using it. And readiness to respond within the deadlines for handling any data subject requests (e.g. Right of Erasure), in sync with a global Information Governance (IG) and cybersecurity program.
Larger organizations then executed readiness plans and put in place sustaining ownership and activities around these three outcome areas, via different formal privacy program plans, policies, and processes. These often included dedicated workstreams, for example separating where they act as a Controller from where they act as a Processor, and asking which common services need to be stood up and run across the business to ensure consistency and reduce risks and costs (e.g. a central privacy catalog and ROPA). For IBM, their examples are shared in the public GDPR journey e-book, available at www.ibm.com/gdpr.
MOST WERE NOT READY
As ongoing media reports and studies have shown, most businesses were able to do just enough to be initially ready. But they now realize far more extensive revisions across the three outcome areas are needed. We’ve only just begun. Some industries and those with far more customer-centric practices have seen a spike in data subject requests and have struggled to complete these within the GDPR deadlines of one month per request (businesses have one month to comply and complete each request, not just reply). These organizations have documented leveraging the optional regulatory extensions to these deadlines. Request volumes are still in the early stages for many countries and industries and have been shown to spike whenever unfortunate data breaches occur.
For now, it’s an ever more complex set of privacy and protection regulations being refreshed and enacted, with momentum around the world. Coming in 2020 are both the California CCPA and Brazil’s LGPD. A few months ago, Thailand issued its privacy regulation, which will go live later in 2020. And Brexit, if it’s been resolved by now, adds to the complexity.
Other countries already have some or most of a GDPR-like regulation in place, but often without the teeth of the large potential penalties under GDPR so far (up to 4% of annual revenue). Many countries are updating and expanding their regulation, not only to protect consumers, but also, if we are honest, to claw back some revenue from dominant American tech companies.
And in the U.S.? We’re seeing at least 11 different states looking to clone or copy most of what California has in place with the CCPA. Even some cities, like Chicago, are working to enact local data ordinances as they await whatever actions their state may take.
Worst case, in the short term, the U.S. may have 50 different privacy regulations to meet, a very complex web for any multi-jurisdictional business to operate in and sustain. Let’s hope we can get to some meaningful federal-level privacy regulation to make it a level playing field across the country. Getting there in the political short term may be hard, although the focus, priority, and volume of attention and hearings around these issues continue in Congress, alongside business lobbying, various draft proposals, and the ongoing NIST Privacy Framework RFI(9).
At the end of the day, it’s all about you and me, and our Personal Data.
Richard Hogg is Global Director of Information Governance at the law firm of White & Case, LLP. Previously he was IBM’s Global GDPR evangelist, leading their Global GDPR readiness program. In addition, he is a privacy and Information Governance expert, helping clients on their compliance readiness journey. He can be reached at [email protected]