GDPR’s 1st Birthday

by Caitlin Gruenberg

Saturday, May 25, 2019, marks 12 months since the implementation of the European Union’s (EU) General Data Protection Regulation (GDPR). Even though organizations that process and store the personal data of EU data subjects had two years to prepare, TrustArc reported that only 20% of organizations felt they would be compliant with the new regulation by May 2018.

As organizations inside and outside of the EU feared the potentially crippling fines of up to €20 million or 4% of their annual global revenue, data subjects embraced the new set of rules that gave them more control over their personal information.

An assessment done by the European Data Protection Board shows that in the first year under the GDPR, over 200,000 violations were reported to supervisory authorities, resulting in €56 million in fines. While €56 million seems like a winning number for the GDPR, €50 million of that total came from a single fine against Google, leaving the remaining balance bleak in comparison.

Let’s explore the obstacles that organizations faced while trying to effectively implement the GDPR in the past 12 months as well as the impact on privacy laws in the United States.

Obstacles Facing Organizations

Lack of Use Cases

Organizations that fall under the GDPR umbrella are still looking for guidance on determining compliance and non-compliance. Unfortunately, clarification on how to interpret the frequently ambiguous regulation will only come with time. As more cases are decided and fines are issued, organizations in the GDPR community will have use cases to reference for clarity.

Not Using Privacy by Design

The GDPR highlights the importance of considering privacy at the initial design stage and throughout the complete development process of new products, processes, or services that involve processing personal data. While privacy by design is not a new concept, it was traditionally not an emphasized practice until now. Many organizations outside of the EU that need to be GDPR compliant face complications with implementing this “new” concept in their development process.

Large Amounts of Tech Debt

The process of adhering to GDPR requirements is expensive if products, processes, and services are not created with privacy by design in mind. The cost of time and labor to re-work or re-design in accordance with the regulation is causing compliance delays among even the most mature companies. As you can see, tech debt and privacy by design are linked. By making privacy by design a priority, an organization can drastically decrease its tech debt by meeting the GDPR requirements at the beginning of the design.

GDPR Impact on U.S. Laws

The GDPR bug bit the U.S. as GDPR made headlines, causing state legislatures to become fascinated with consumer privacy. In 2018, 12 states reacted by creating laws or amending existing regulations to keep up with the global pace of privacy and security.

The most notable reaction to the GDPR is the California Consumer Privacy Act (CCPA). On June 28, 2018, the CCPA was passed and signed into law, and it will take effect January 1, 2020. While the CCPA is less rigorous than the GDPR, this legislation has set the bar for consumer privacy laws in the U.S. by providing businesses with more regulations regarding the processing of California residents’ personal information.

GDPR: Year Two

In the next 12 months, expect to see an uptick in GDPR fines that will create use cases for interpreting the regulation’s requirements; an increase in the use of privacy by design as a best practice; and more states in the U.S. enacting or amending laws to favor the consumer.