GDPR - A new dawn for data protection or just a moment in time?

by Samantha Sayers Solicitor, Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0)7841 803730

Here we are, we made it, we’ve arrived in the new era of privacy and data protection (sighs of relief from privacy professionals globally). The last two years have been a race to readiness as organisations globally geared up for the implementation of the EU General Data Protection Regulation (‘GDPR’) on 25 May 2018. But now that we are here, just over 5 months since the GDPR came into force, what are we seeing so far in terms of the impact on businesses, consumers and technology? Have organisations’ readiness programmes really readied them for the new reality of privacy in the technological age? Has the GDPR even kept pace with the developments in the technology sector? Or was it just a moment in time?

The GDPR is only the beginning - next we have ePrivacy

Whilst the focus for the past 2 years has been primarily on the GDPR, it would be patronising of us to forget that this is only the beginning of the story for enhanced privacy protections. Whilst the gap in readiness to comply with the GDPR predated it, stretching back to the EU Data Protection Directive (as we discovered during the Readiness Assessment Tests (R.A.Ts) we completed during 2017-2018), it seems there are far bigger gaps in other regulatory spaces which many organisations are still left to address, particularly in the e-privacy space.

The hotly anticipated ePrivacy Regulation, which is now tabled for implementation in 2020, aims to enhance the scope of privacy rules for electronic communications and to align with the requirements introduced by the GDPR. The ePrivacy Regulation is a fundamental part of the privacy legal framework, particularly as it aims to provide more regulation right at the core of today’s society – in the technology.

Although the ePrivacy Regulation is yet to be finalised, there is still lots of work to be done by organisations to ready themselves. This includes understanding the extent to which the new law may apply to your organisation and, where it does apply, understanding your use of personal data in marketing, your use of cookies and any requirements you may have to adhere to in respect of any machine-to-machine communications you undertake.

A new threat - the technologically-savvy privacy advocate – the “privacy technology engineer”

Whilst many predicted a rise in class actions being brought, the introduction of the GDPR has also awakened a new breed of privacy advocate: the privacy-savvy technology engineer. Organisations’ technological defences are being increasingly scrutinised by this new breed of privacy advocate, who not only understands the organisational requirements but also the technical requirements organisations now need to fulfil under the GDPR. They tend to have a deep understanding of how system infrastructures work, including how to code and how personal data is encrypted. Therefore, they have an increased expectation of the level of technological protection which could be applied to their personal data, and they also know how to interpret the more technical elements of the personal data they receive. What’s more, whereas previously responses to subject rights requests may have been mostly unseen by the wider public, with the rise in the use of social media, nothing is off limits. Increasingly, we are seeing responses being shared and discussed with a wider audience, and privacy advocates are using these platforms (such as Twitter and LinkedIn) to divulge and opine on organisations’ responses to subject rights requests, thereby potentially weakening an organisation’s defences.

Data protection regulators are starting to flex their new enforcement muscles

There have been a number of high profile personal data incidents since the introduction of the GDPR and, whilst we have seen increased noise from data protection regulators, it is likely to be some time before we publicly see the full impact of any regulatory action taken under the GDPR. In the meantime, organisations will continue to be increasingly held to account by consumers and the media as their knowledge and awareness of these issues continues to grow. Some data protection regulators are already starting to exercise their enhanced powers and to hold organisations accountable for failing to adequately protect personal data. However, in our view there will be a gradual transition to GDPR enforcement and not a “big bang” crescendo.

For example, since May 2018, the UK Information Commissioner’s Office (‘ICO’) has issued at least: 9 Monetary Penalty Notices; 5 Enforcement Notices; 1 Undertaking and 2 Prosecutions. However, the majority of these relate to failures predating the introduction of the GDPR and therefore fall under the scope of the Data Protection Act 1998. That said, at this month’s International Data Protection Authorities Conference 2018, the European Data Protection Board’s (“EDPB”) chair, Andrea Jelinek, confirmed that they are currently dealing with 162 cross-border cases. She also confirmed that 80,000 breach notifications have been received across the 25 EU data protection authorities and that they are also dealing with 233 mutual assistance procedures.

Clearly, the data protection authorities are busy behind closed doors and are continuing to actively monitor compliance and take action. We expect this type of activity to steadily increase and become more public as their investigations develop and as the data protection authorities increase their headcount and acquire new skills. As a result, organisations will need to be ready to deal with the enhanced strength of data protection authorities and their coordinated enforcement strategies.

So where do organisations go from here?

This is not the time to be complacent: the GDPR is only the start of the journey and was definitely not just a moment in time or a ‘damp squib’. The new regime is only in its infancy and the true extent of the impact it will have on the global economy is yet to be seen.

Organisations now need to focus on ensuring the GDPR compliance programmes and teams they built are really robust enough to transition to a ‘BAU’ world. This includes ensuring their teams are equipped with the legal and technical knowledge required to respond to technologically-savvy subject rights requests and enhanced regulatory scrutiny.

But perhaps more importantly, organisations (if they haven’t already) now need to think about delivering privacy-compliant solutions in the technology stack. Privacy teams will need to evolve their skillsets and knowledge of technology solutions to ensure the privacy solutions they develop are adequate to protect the personal data of the consumer in the new technology landscape.

For further information on how PwC’s Data Protection Legal, Compliance and Strategy team can help you ready your organisation for the technological challenges post-GDPR, please contact Stewart Room or Samantha Sayers.