Post GDPR Live Environment: Part 2 - 'The Butterfly effect' and Modern Business Needs
November 09, 2018
In the first part of this blog we identified two of the key trends for businesses to consider in the post GDPR live environment – the operationalisation of the GDPR within your business, and the interaction of the GDPR with other areas of law. In this second blog post, we will explore two more key trends that your business should consider in the post GDPR live environment.
The ‘butterfly effect’
The long arm of the GDPR not only extends the scope (and the application) of European Data Protection legislation beyond territorial borders; it also exerts a disruptive force to the point that it influences the decisions and choices of many non-EU Legislators.
The ‘butterfly effect’ of the GDPR turns transformation programmes into multi-regional/global projects. No matter where businesses operate, the GDPR inevitably affects operations, strategies and ways of working. This process happens through various means:
- The adoption of local Data Protection laws inspired by the GDPR (e.g., Brazil, California, China, Philippines);
- The issuing of ‘Adequacy Decisions’ by the EU Commission (e.g., Japan); and
- The extraterritorial application of the GDPR to every business offering goods or services to data subjects in the EU.
Businesses are facing the challenge of scaling their data protection programmes globally, due to the fragmentation and the progressiveness of local data protection laws. In this context, companies should now make a substantial effort to focus on the bigger picture.
The fragmentation and progressiveness of data protection laws have an even more disruptive impact if we consider GDPR requirements, such as Data Protection Impact Assessments (“DPIAs”) and recording of processing activities. Such requirements may be affected by even the smallest change in the global legal Data Protection landscape (e.g., they may impact the assessment made of the risks to the rights and freedoms of the data subjects, as well as the choice of one lawful basis for transferring personal data over another). Companies should be ready to react to such changes and scale their Data Protection programmes to quickly adapt.
Modern business needs
Modern business cannot disregard technology. As such, technology challenges not only remain, they become a focal point for modern businesses - both an issue to handle and an opportunity to profit from.
As an issue, developments in technology may lead to more invasive processing of personal data - as such, the number of Data Protection risks to assess and mitigate multiplies, and with this comes an administrative burden on business, IT, and project owners. This is why recent research on the economic impact of the GDPR concerning the Internet of Things (“IoT”) has suggested that companies refrain from including any collection or processing of special categories of personal data while developing a new IoT device to avoid additional risks, burdens, and complications (1). At PwC, we believe companies can achieve all their legitimate business interests and Data Protection objectives in a business-efficient manner, without giving up technology development or their Data Protection compliance.
As an opportunity, technology may be a Data Protection enhancer. Despite a number of GDPR compliance challenges (e.g., security, retention), a blockchain-based technology may deliver some of the main principles set out in Article 5 of the GDPR by, for example, taking advantage of the feature of immutability to enable transparency and control over each dataset.
As we have said before, we believe we are on a “Journey to Code”, which will lead to more and more Data Protection outcomes being delivered in data and technology itself and less so within paper and human processes.
The free movement of data is not just a precondition for the establishment and development of the EU Digital Single Market, it is now a conditio sine qua non for the competitiveness of every company, regardless of the business sector in which they operate, the intensity of their use of data, or the countries involved in their data processing activities.
As a piece of a bigger puzzle, the GDPR tells us only a part of a longer story. Modern businesses should care about the details as well as the bigger picture, to harmonise and rationalise the way in which the applicable Data Protection legislation is complied with, and the way in which Data Protection can be used as a business enhancer, not a burden.
(1) Junwoo Seo, Kyoungmin Kim, Mookyu Park, Moosung Park and Kyungho Lee, An Analysis of Economic Impact on IoT Industry under GDPR.