The implementation of the GDPR in May last year was accompanied with one of the most high-profile public and business awareness campaigns in modern times. The ‘biggest shake up in data privacy regulation in a generation’ had everyone from multinational corporations to local green grocery stores working to get their houses in order before the 25th May deadline. But what’s happened since then?
The Information Commissioner’s Office (ICO) has imposed major fines, including its intention to fine British Airways (£183m) and Marriott hotels (£99m), generating hard-hitting headlines but even these fines will likely change once the formidable legal teams at both corporations have made their representations. There has been very little data for compliance professionals to fully understand how the regulation will be interpreted for the majority of businesses.
It’s been more than a year since GDPR first came into force and we are still in limbo. It’s believed that more than half of UK’s businesses have yet to achieve compliance with GDPR more companies begin to question regulation’s effectiveness
In the meantime, there’s a sense that small to medium-sized enterprises are flying under the regulator’s radar. The pre-regulation scramble to achieve compliance seems to have stalled, as various reports put the rate of GDPR compliance among UK companies as low as 25 per cent. Indifference is creeping in as businesses adopt a “wait and see” strategy - unwilling to commit time and resources to achieve compliance until they are convinced that it’s necessary.
Ironically, the raft of other privacy regulations in development worldwide may be adding to the problem. The California Consumer Privacy Act (CCPA) is a case in point. It follows similar principles to GDPR and will come into effect in 2020. However, its final wording has been the subject of intense scrutiny by influential technology companies, who have invested considerable funds to support various amendments that lawmakers fear will water it down and create loopholes.
In the light of this legal wrangling and corporate lobbying, it is not surprising that businesses are not rushing to implement compliance measures. The regulation detail is still unclear and the prospect tof loopholes when it becomes law does nothing to encourage businesses to respect it.
This compliance “fatigue” is high-risk for businesses. There is a reason that major technology corporations are working so hard to influence legislation. It’s because the CCPA and all the other regulations worldwide – from the Data Protection Trustmark scheme in Singapore to the Privacy Amendment (notable data breaches) Act in Australia - represent a huge shift in how data privacy is managed and who is responsible.
Compliance is anything but straightforward. As these regulations mature with more enforcement actions coming down the line, a tide of indifference will roll in, creating a big wake-up call for SMEs that have failed to give regulations the attention they deserve.
What should SMEs spark renewed respect for compliance?
SMEs should be mindful that data privacy has successfully undergone the awareness shift that the regulators were hoping for. The ICO received around 14,000 PDB reports from 25 May 2018 to 1 May 2019, compared to just 3,300 the year before. In today’s pro-litigation environment, consumers are very willing to hold businesses to account over threats to their privacy. In that sense, compliance is not just a “nice-to-have” it’s vital protection against the day the ICO comes knocking. In today’s intense cyberthreat environment, breaches are inevitable. Businesses must be confident that they can prove they did everything asked of them to prevent data loss.
More rulings and clarifications
Compliance is a dynamic activity that evolves over time. Compliance professionals need regular, consistent guidance from enforcement authorities on how they will interpret the regulation, which is somewhat vague due to the shortage of enforcement actions. This is why we need the ICO and other European regulators to take enforcement actions, so businesses have real context in which to evolve their compliance activities.
The challenge of cloud compliance
One of the common challenges of new privacy regulations is clarification of who bears responsibility for data privacy as it relates to new business models and infrastructure outsourcing to third parties such as cloud service providers (CSPs). The data controller is ultimately responsible for ensuring personal data is safeguarded, even if it has been passed to a third party for storage or processing. This means the relationship between controller and processor is critical and CSPs need to have in-depth compliance expertise.
We are not really seeing SMEs leading with compliance when selecting CSPs - but they should be. CSPs need to take the initiative to articulate the benefits of managing compliance risk and showing how customers can take control of their data in alignment with regulations.
Overlaps and redundancies cause confusion
There are many equivalencies between regulations, where one process can satisfy several requirements in different jurisdictions at once. However, it’s important to know where this is the case, and where there are exceptions that require additional governance. This is high-level compliance expertise that is not accessible to most SMEs in-house. They need to choose suppliers that offer compliance consultancy as part of the deal.
It’s important for businesses to be wary of those offering ‘compliance in a box’ solutions - compliance must not be a tick-box exercise. SMEs need a partnership approach with providers to put a compliance framework in place to reflect the risks associated with their specific business.
The future will be regulated
Whatever compliance complacency or fatigue businesses may be experiencing, they need to get over it. All signs point to the fact that the regulatory landscape is going to intensify over the coming years, across all sectors.
There’s a strong focus on infrastructure and critical business process outsourcing, such EBA guidelines on outsourcing for the European financial industry, which entails a lot of work for suppliers and clients in partnership.
As new regulations are introduced, and existing ones mature, we will see greater clarity around risks, responsibilities and penalties. Compliance professionals will have more intelligence to help build and maintain compliance programmes.
I believe procurement processes will place heavier emphasis on how suppliers not only meet compliance requirements but help customers go beyond them to drive efficiency in the compliance framework. This will be a key feature of contracts.
Rest assured, while the grip of data privacy regulations may have been loose in the early stages of implementation, as the environment matures, we will see it establishing a firm hold over businesses of all sizes. Now is the time for those businesses to prepare.
Frank Krieger, VP of Governance, Risk and Compliance, iland