It’s been five years since the General Data Protection Regulation (GDPR) came into force – one of the toughest pieces of privacy legislation in the world. As a principle-based regulation, the GDPR was intended to protect the fundamental rights of individuals by safeguarding their personal data, in addition to creating a harmonised framework for data flow across the EU’s digital single market.
To mark the five-year anniversary, we have been looking back and reviewing the wins and challenges for businesses in implementing the necessary data protection regimes. Essentially, what worked, what didn’t, and why?
If you missed our recent lively webinar discussion, here’s an overview of the big questions we asked our Data Protection Officers, with some surprising, and maybe not so surprising answers.
Back before the GDPR first drew breath, the much-hyped media concern was undoubtedly the fines. Businesses braced themselves for a wave of penalties, but in reality, they didn’t actually experience it. Aside from the news-hitting large fines imposed on big-tech companies, the statistics have shown most of the enforcements at EU level over the past five years have been reprimands, rather than fines.
Authorities have also struggled both to issue fines and to execute them constructively. The time taken for companies to be served with a financial penalty, combined with the prospect of later reductions, has certainly affected the perceived effectiveness of fines.
Integrity and reputation are possibly more important drivers than fines
When thinking about privacy compliance today, organisations are mostly concerned with the operational and financial implications of having to fix problems after the fact, along with any potential reputational impacts. They have a vested interest in ensuring robust data processes are carried out, and don’t want to deal with the mess of an embedded problem – far easier to get it right from the start.
The GDPR is based upon seven key principles, and much like ‘one ring to rule them all’, the accountability principle underpins the other six.
The accountability principle has been one of the easier ideas to convey. Everyone in an organisation is responsible for the correct handling of data and for ensuring compliance with the other GDPR principles. This means organisations have a responsibility to educate their personnel and put appropriate measures and records in place. When it comes to data protection, cultural change and accountability are the foundation.
One of the biggest challenges for organisations has undoubtedly been understanding their data flows and ensuring compliance in each section of a data supply chain. It is essential for third parties to also be accountable for data protection. Carrying out initial due diligence on suppliers can prevent problems later down the line. The key is having accurate Records of Processing Activities (RoPA).
If an organisation doesn’t have a RoPA in place, how can data flow be properly mapped and understood?
A RoPA documents all the information being processed across an organisation and gives a holistic view of it.
The accountability principle could be seen as a deterrent, alongside the fines, but do people care? Does there need to be a ramping up of fines or something else? In the UK, the ICO is intended to be an enforcer and defender of rights and freedoms, however some argue it isn’t going far enough.
The Information Commissioner’s Office (ICO) is the UK’s independent supervisory authority, set up to uphold information rights and to ensure compliance with the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. Every organisation or sole trader who processes personal information must pay a fee to the ICO (unless exempt).
But is the ICO effective?
Certainly within the marketing sector, and looking specifically at PECR (the Privacy and Electronic Communications Regulations, the UK implementation of the ePrivacy Directive 2002/58/EC, which sets rules on marketing, cookies and the security and privacy of communication services), the ICO has shown vigilance. In May 2023, two companies were fined £180k for making unlawful marketing calls. In terms of GDPR fines, however, there have been few, although those issued have generally been large, as seen with these penalties (by year the fine was issued):
2019 Doorstep Dispensaree Ltd – £275K
2020 Ticketmaster – £1.25M
2020 British Airways – £20M
2020 Marriott Hotels – £18.4M
2021 Cabinet Office – £500K
2022 Clearview AI – £7.5M
2023 TikTok – £12.7M
The one area many DPOs agree the ICO has been successful is in creating awareness. Five years on, people are far more aware of their privacy rights than they were before. Individuals have greater knowledge about what organisations can and can’t do, both internally and externally. DPOs have seen a definite increase in complex rights requests due to data subjects being aware of the GDPR.
The ICO’s guidance, in general, is arguably better and clearer than many authorities
But as with all things, evolution and improvement is imperative. Most DPOs agree there does need to be an improvement, not only in effective enforcements, but also with the investigatory elements. The ICO has the authority to ask questions rather than solely impose penalties, and if in-depth knowledge about each industry sector could be garnered, this would improve the levels of effective enforcements as well as strengthening the guidance organisations already find helpful.
In addition to giving rise to a new data protection ethos, the GDPR also significantly expanded the industry of consultants and advisors. The DPO role is an unregulated profession: some DPOs have come from legal backgrounds, while others have more technical expertise.
The main role of a DPO is to ensure organisations are processing personal data of staff, customers, and any other individuals (known as data subjects), according to data protection legislation.
In the beginning, DPOs were only working with what they had. There were various professional courses, some good, some not so good, but there wasn’t (and still isn’t) a standard qualification or regulation. Much privacy knowledge has come from experience, from working with and talking to other professionals, taking guidance from the ICO and learning from one another.
The best DPOs have an expert team to work with
A good DPO successfully builds a tailored privacy framework for an organisation while gathering information and expertise from the wider sector. This is where a single in-house DPO is at a much greater disadvantage than a DPO working within a team of other experts.
There are arguments for and against regulation of the DPO role. Many other professions have minimum standards and qualification requirements, and without regulation, the Data Protection profession is possibly being hindered.
However, the flip side is that strict regulation could miss the other crucial requirements for the role. A good DPO is not only an expert in terms of understanding technical and legal aspects but is also a good facilitator. The best DPOs know how to liaise and converse. They know how to work with organisations and implement the most appropriate privacy frameworks.
Companies face ambiguity when it comes to choosing the right DPO
Finding the right DPO can be a challenge for an organisation and knowing whether to hire in-house or outsource is a difficult decision. This is why so many companies come to The DPO Centre – we only recruit the best of the best for our DPO team and those who demonstrate the right knowledge and communication skills.
You can read about the pros and cons of in-house vs outsourced DPOs here.
The GDPR was intended to provide uniform regulation of data protection rights whilst stimulating the digital single market. It was meant to be tech agnostic and future proof. But has this actually been the case? Has it worked well to manage the excesses of big-tech, or does it need adjusting?
When the GDPR came into force, nobody knew we were about to face the biggest stress test of a global pandemic.
The European Commission has stated that the GDPR worked incredibly well during Covid, and that having the principles already in place enabled organisations to accommodate the rapid changes that were needed.
To an extent, the GDPR’s principles did allow us to cope with the transitions we had to make with homeworking and managing personal data. However, there were many bumps in the road, and the ICO and other EU regulators were often slow to provide guidance. Many organisations were left wondering if they were following the correct procedures when it came to collecting people’s Covid statuses.
Data transfers, specifically international data transfers, are a hot topic at the moment. Meta’s recent record fine for unlawfully transferring EU data to the US highlights the challenges of international data flow for organisations. Add to that the fallout from the Schrems II ruling back in 2020 (which invalidated the EU-US Privacy Shield, a US certification scheme), and people are querying whether chapter 5 of the GDPR needs to be ripped up and re-written.
When GDPR first drew breath, organisations could rely upon the Privacy Shield mechanism to legitimise data transfers to the US. Then came the Schrems II ruling in 2020.
Schrems II is the common name for the case against Facebook Ireland brought by Maximilian Schrems, an Austrian lawyer and privacy activist.
In short, Schrems II invalidated the EU-US privacy shield – possibly the most important alteration to the EU privacy landscape since the GDPR. Since that ruling, the subsequent associated rulings have led to many pivots and required additional items such as transfer impact assessments (TIAs) and other supplementary measures. International data transfers have become a paperwork minefield.
Herr Schrems might argue these additional measures are not enough. They are merely papering over the cracks. So, what is the answer? There is a risk with leaving chapter 5 issues to the courts and not addressing them with hard and fast legislative change. Continuing piecemeal adjustments to the accepted international transfer framework in never-ending legal cases would also create further uncertainty. In turn, that would inevitably lead to additional expenses for organisations, as well as reduced protections for data subjects. Neither outcome is desirable.
After ten years of litigation and three court procedures against the Irish Data Protection Commission (DPC), Meta Ireland was issued a €1.2bn fine on 22 May 2023 for the transfer of EU user data to the United States. This is the largest GDPR fine to date, and it came in the week of the fifth anniversary of the law’s implementation.
Rob Masson, CEO of The DPO Centre asked the key question:
“What does this mean for the millions of EU organisations that rely on cloud services? Google, Amazon and Microsoft also rely upon the EU’s Standard Contractual Clauses (SCCs) and additional supplementary measures – as Facebook did – to legitimise transfers from the EU to the US. The expected solution appears to be the imminent replacement of the Privacy Shield transfer mechanism, however there is a high likelihood of this being invalidated due to the US being unwilling to compromise in respect of its mass surveillance laws.”
It appears we are about to enter a further period of EU to US data transfer turmoil.
Read the full story about the Meta fine.
Chapter 5 is one of the most rule-based parts of the GDPR. It states exactly what is needed for an international data transfer, in contrast to the rest of the GDPR, which is principle-based.
With the ongoing challenges for EU-US data transfers, especially since Schrems II and the Meta fine, there is now the danger of having silos of data in different countries with serious issues for data flow. The risk is economic isolation.
Chapter 5 seems at odds with the principles of GDPR
An important aspect of the GDPR was to protect personal data and enable data transfers for the global economy. Yet we are now in a position of having to work within even narrower parameters.
We need an overview at a governmental and political level. We need to ask what we want from our laws in this area. And how we can achieve successful international data transfers whilst protecting an individual’s privacy rights and freedoms?
Later this year, we may have more of an idea about how far the UK GDPR (the version of the GDPR retained in UK law, which became the UK GDPR on 1st January 2021 when the UK formally exited the EU) is going to diverge from the EU GDPR. The breakaway legislation is still not finalised, but it is edging closer.
There has been a constant threat of altering the UK’s approach to data protection by various government administrations. This not only endangers the UK’s adequacy status with the EU but would also undermine the majority of the benefits intended by the original legislation.
Few things make compliance planning more difficult than uncertainty. Continuity with the GDPR post-Brexit did help when it came to conversations with organisations; any change or pivot in certain areas will mean re-education.
Multi-national organisations processing data on EU residents will undoubtedly continue with the EU GDPR approach irrespective of any changes to UK legislation.
We could debate many other points about the GDPR over the past five years, and deep dive into so many other areas, but we will save those for another time.
The general conclusion we came to during our DPO Fireside Chat webinar is the GDPR has provided a steady framework for data protection and has mostly achieved what it set out to do. If the past five years have taught us anything, we can only prepare for what we currently know.
Organisations are best advised to create a culture with in-built data protection right from the start. And be ready and adaptable to change.
If you would like to discuss any of the points covered here, or if you would like to know how an outsourced service would work for you, please contact us here.
And if you would like to watch our GDPR 5th anniversary Fireside Chat, with all the above discussion points and more, please follow this link to the recorded webinar here.