Teacher’s report is in! Out of 10, how’s the first year of GDPR really gone?
[This article originally appeared in Lexology on 10 June 2019]
The European Commission created an Expert Group to support the application of the EU General Data Protection Regulation (or GDPR) and it delivered it’s ‘1st Year Report‘ on 13 June 2019. It’s a pretty comprehensive Report based on answers to 11 key questions and reflects much of what we are hearing from customers and experiencing in the market. It’s important to note that the Report reflects the views of those who answered the questionnaire, not the European Commission, but it is very clear and well worth reading.
Here’s our summary with our added comment, please refer to the full report for the Expert Group’s exact view. We would say it’s the TLDR, but this is still a bit of a read.
OK, here’s a TLDR: GDPR may be too expensive and hard for SMEs to fully comply with in practice for some time to come, regulators and lawmakers need to do much more on harmonisation and clarification, and the whole transfers regime may be about to be torn apart. And don’t mention Brexit. Oh dear… Well, if you do ask how GDPR is going, you’re likely to get grumpy responses. We’d counter that by stressing how GDPR has brought data protection onto the front page and into watercooler conversations, many organisations have made great practical strides to protect personal data better, and there are other great benefits to GDPR compliance! The Report highlights areas where more support, particularly for SMEs, can lead to even better gains.
Organisations are finding GDPR hard. It needs investment in people, processes and technology, not all of which is easy or available for SMEs in particular. What are these resources for? Well, organisations ‘report that most of their resources were devoted to documenting accountability, refreshing consent (where applicable), updating data protection information notices and contracts, implementing policies for dealing with data breaches, creating new internal business processes for handling data subjects’ requests or validating new processing operations, internal awareness-raising and training.‘
In other words, to implement a Privacy Governance System to enable GDPR compliance.
And it’s harder for SMEs: ‘Many SMEs mention they had to seek advice from external consultants to understand the rules and set up systems to comply with the GDPR (including the implementation of technical and organisational measures), and that they usually lack the necessary human and economic resources to implement the obligations in GDPR.‘
GDPR can be the legal stick to get investment to finally clean up known issues with outdated, legacy IT systems and architecture, because legacy tech can make it hard to comply, for example, with obligations on inventories and access requests. And ‘Marketers have overall positively embraced GDPR on the view that compliance is likely to improve customer sentiment towards brands in the long term and are using it as an opportunity to make data protection a brand asset.‘
The IT benefits are something we hear about regularly and they seem very clear. GDPR is the legal reason IT can now get approval to properly implement measures such as encryption, secure transfer, back up and disaster recovery and data discovery, that they either couldn’t get buy-in for before or weren’t allowed to fully roll out. The marketing comment is a good reflection of the cultural benefits that come from GDPR-compliance. To say nothing of accelerating revenue and reducing the risk of an expensive data breach by having a great GDPR answer, as Cisco’s 2019 Data Privacy Benchmark Study confirms.
The GDPR isn’t always easy to understand and some terms and requirements aren’t clearly defined. While the EDPB is putting out good guidance (as the Art 29WP did before it), there could be more, and more tailored to SMEs, who make up the majority of businesses in Europe. Interestingly, the report notes that: ‘Members generally welcome the EDPB guidelines. Some members complain that the recommendations in the guidelines sometimes go further than the letter of the GDPR.‘ Members also point to ‘uncertainties generated by inconsistencies in the application of GDPR by DPAs‘.
This is one of our very rare criticisms of the EDPB and DPAs, for example see our blog on the EDPB’s opinions on 22 DPIA lists submitted by DPAs. An example of going beyond the law is the EDPB taking a very clear and – in our view – damaging stance on the liability of EU Representatives in the last paragraph of a 23-page guidance on GDPR’s territorial scope, and without the backup of the legal analysis that they set out for the rest of the document. This has the potential to kill the EU Representative market before it gets going and we believe it’s hard to see the legal basis for this in the GDPR – indeed it was taken out of an earlier draft.
There are still key areas which vary greatly across Europe, such as the German laws on appointing DPOs. This makes it hard for businesses operating across Europe. Member States have also introduced varying laws on Art 9 and special categories of personal data, which make pan-European practices difficult, in particular for healthcare and similar industries. And guidance from different Member States’ DPAs doesn’t always match up (see the DPIA example above).
It’s a tough nut to crack but the ongoing uncertainty on ePrivacy only adds to the difficulties businesses face in creating their compliance programs. We acknowledge that this may have ‘a touch of Brexit’ about it, with Member States almost equally split between two potentially irreconcilable positions, but the ongoing uncertainty is, in our view, having a demoralising effect on organisations already facing a mountainous task with GDPR.
Art 28 on processors generates quite a lot of comment. The report shows a clear desire for official standard contractual clauses – an official Data Processing Agreement as it were – perhaps in a multitude of flavours.
We’ve heard very much the same about processing agreements, and the areas that the Report notes often cause issues are very familiar, including pushback on audits and indemnification requirements.
The Report also notes that SCCs for transfers need updating and should cover current gaps such as processor-to-subprocessor transfers as well as allow more clearly for joint controllers etc.
This is a difficult area as SCCs are the go-to solution for personal data transfers. BCRs are too expensive for all bar a few multi-nationals. Yet the underlying currents on transfers are approaching the rapids as, for example, both Privacy Shield and SCCs go before European courts. And ‘the elephant that’s always in the room’, Brexit, creates further anxiety as there’s no guarantee the UK will receive an adequacy decision based on the UK’s own intelligence and interception laws. While we would welcome a complete overhaul of the SCC regime to address the next ten years, to use yet another metaphor, it risks opening a can of worms we’ll find harder to close under GDPR.
Perhaps due to GDPR’s complexity and ambiguity and the resources needed to achieve compliance, there’s been patchy implementation by organisations in areas such as information rights and this can act as a cover for non-compliant behaviour in areas such as the use of consent as a legal basis.
In our view, this will always be an issue. The IAPP-EY Annual Governance Report 2018 stated that ‘A remarkable 19 percent — nearly one in five companies — feel full compliance is impossible.‘ There will always be those who feel they can fly under the radar, but we believe that we’re coming out of the ‘GDPR Trough’, made up of the dip from the awareness and activity surrounding 25 May 2018 as organisations didn’t see regulators bashing down doors and throwing out fines, and the steady rise in compliance driven by organisations’ own compliance requirements, pressure from partners and customers, and lastly regulatory action. GDPR is in vendor due diligence now (see that Cisco study on GDPR’s effect on sales delays) and organisations are seeing its inevitability, not least due to other laws such as California’s CCPA, and the benefits of compliance are becoming clearer.
Access requests have risen more in some industries than others (as to be expected) and have fallen back a bit since GDPR came in. There are various practical difficulties, for example if someone asks for all CCTV where they appear. Other data subject rights (such as portability, and requests for meaningful explanations on the use of automated decision-making) have yet to make their presence felt.
We’ll just quote the report here: ‘Most members report broadly positive interactions with DPAs, which are overall constructive and solution-oriented. They value the helpful guidance and practical advice provided by DPAs, though they note that the amount and practicality of guidance materials available varies depending on country.‘
We’re on record for stating our belief that we’re blessed with the regulators we have in data protection. They’ve an incredibly difficult job to do, covering so many complex areas and interactions that have very different practical impacts depending on so many factors such as organisation size, type and sensitivity of personal data processed. However, we can’t back away from agreeing here and reiterating our call for more use of a single guidance from the EDPB instead of potentially 31 sets of guidance from each EEA Member State. The DPIA example is just one. And if you look at the number of breach notifications across Europe, particularly when normalised for population or number of businesses as in our BPM Index, there’s a huge range which isn’t easily explained away.
Not an easy ask, but a worthy target.