Over a year has passed since the implementation of the General Data Protection Regulation (GDPR) in Europe, and with it, a substantial increase in awareness around data privacy and protection. GDPR put the issue at the forefront of global news as the first legislation of its kind. By unifying the approach to data protection across the European Union, the regulation has set a precedent that other nations seem to be willing to follow. From Brazil to California, GDPR has been the catalyst in a push for stronger, more clearly defined privacy laws that hold organisations to account - and we are now at the tipping point.
Above all else, the regulation has put data protection and privacy firmly in the minds of the general public. GDPR sparked a global conversation around privacy matters, creating a surge in awareness of the rights that people possess pertaining to data privacy, and the serious consequences of violating said rights.
Although most of the requirements were already in place in the countries of the European Union before GDPR, the regulation has harmonised the principles across the Union, and perhaps most importantly, has increased the enforcement capacity of the data protection authorities. The requirement to report data breaches is one of the most ground-breaking results of GDPR, as most organisations had not been previously required to do so under their own privacy laws. However, identifying what constitutes a data breach can be difficult.
Some companies have been left wondering where they need to draw the line on reporting. Data Protection Authorities across Europe have been vocal about the fact that they are currently overwhelmed with the volume of notifications they are receiving. Other initial challenges of GDPR compliance for organisations arose in the compiling of data inventories. For many companies, identifying where their data is located and who has access to it is an operational and tactical challenge, something that is especially true for large companies operating on a global scale.
Influencing regulators globally
There is no doubt that GDPR has influenced privacy legislation outside of the European Union. Notably, Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) mirrors the structure of GDPR, and the California Consumer Privacy Act has clearly been influenced by this regulation. As the first legislation of its kind, GDPR has become the de facto benchmark for data privacy laws around the globe.
California has introduced several new rights that are similar or comparable to those under GDPR, although not quite as extensive. Despite its Eurocentric focus, GDPR has had a huge impact in places like the USA, where it has provoked a discussion around the need for privacy rights for individuals, as opposed to just protecting specific types of data. Having been the first state to pass legislation with such a broad scope on data privacy, California now seems to be the benchmark for the rest of the US: another 17 states or so are currently discussing their own privacy legislation, and some, such as Maine and Nevada, have passed more specific new privacy laws.
As such, California law could be expected to become the de facto nationwide comprehensive privacy law - as limiting its application to only Californian residents’ personal information might be difficult. For companies doing business in the US, the absence of consistent privacy principles across states may also pose a challenge in gaining clarity on the do’s and the don’ts. Discussions about a comprehensive US Federal law are currently underway, and will hopefully bring clarity and support to companies.
However, nobody can predict whether US federal legislation will actually be adopted, or when. In fact, one of the main objectives of GDPR was to resolve the disparate nature of the various European privacy laws and unify the region under one regulation. As individual US states move ahead with their own forms of privacy legislation, the data privacy landscape becomes increasingly complex: harder for consumers to understand their new rights, and harder for companies to meet their new compliance obligations.
Moving data remains a challenge
Huge corporations may have the resources and capabilities to navigate the varying legislation, but smaller businesses are often not as well equipped. While any privacy legislation will always be influenced by the history of the country adopting it, together with specific political and economic considerations, there is a common theme of increasing the protection of individuals against the misuse of their personal information. While the main focus is on protecting consumers in the wake of large scandals and public data breaches, most of these new laws also have an impact on the way companies have to handle their employees’ personal information.
Companies also have to monitor the enforcement activity of the various Data Protection Authorities across the European Economic Area. Thus far, the European Regulators have focused on enforcing rights and obligations that already existed under the previous privacy regime in the European Union. Lack of a legal basis for the processing of personal data, insufficient technical and organisational measures to ensure information security, and failure to fulfil individuals’ rights have been the top three grounds for Regulators to levy fines against companies.
As more legislation is implemented, global companies can take initial direction from the common principles applicable under the majority of the privacy laws across the globe, but must be mindful of the discrepancies between different pieces of legislation and adjust their privacy programs accordingly.
As privacy laws continue to be adopted by a vast majority of countries, one could assume that it will become easier to move data across borders. Instead, companies are facing potential hurdles as some countries have restricted the transfer of personal information outside of their boundaries by imposing various forms of data localisation. This is not the path taken by GDPR; although the regulation is very stringent, it does contain a list of mechanisms such as Binding Corporate Rules, which enable companies to lawfully transfer personal data outside of the European Union in an increasingly interconnected and globalised world.
Cécile Georges, Global Chief Privacy Officer, ADP