GDPR One Year Later: What We’ve Learnt So Far

On May 25, companies that process the personal data of EU residents will mark the first anniversary of the enforcement of the General Data Protection Regulation (GDPR). The two years that preceded the 2018 enforcement date saw an unprecedented scramble by companies examining and altering their practices to try to comply with GDPR and avoid a potential fine of up to 4 percent of global revenues.

Over the last twelve months, that scramble has given way to a more cautious and deliberate pace as regulators develop their process for reviewing the hundreds of thousands of complaints that have already been lodged. To date, there have been a relatively small number of enforcement actions, resulting in relatively low fines, as regulators get their arms around GDPR and the most effective ways to enforce it.

At a roundtable discussion earlier this month at the International Association of Privacy Professionals’ Global Privacy Summit in Washington D.C., an annual gathering of 4,000 data privacy professionals from around the world, Irish Data Protection Commission Helen Dixon, in conversation with UK Information Commission Elizabeth Denham and European Data Protection Board Chair Andrea Jelinek, stressed that investigations take a minimum of six months.

In the lifecycle of a query, regulators must first determine if, on its face, a complaint from an EU resident is relevant and rises to the level of a potential GDPR violation. Many of the hundreds of thousands of complaints received by data protection authorities over the last year have been simple requests to opt-out of advertising, which is not covered by the regulation. In cases of valid complaints, regulators have then needed to educate themselves better on the technology in question, which naturally involves contacting the companies that are subjects of the complaints to solicit more information.

A back-and-forth between regulators and companies is also serving as a means for resolving complaints, as Commissioner Dixon emphasized a preference to use “carrots” over “sticks.” This approach echoes comments Dixon made last year about how fines are not regulators’ only tool in their toolbox. The immediate lesson for companies is that engagement with regulators can result in much better outcomes than avoidance would.

Putting investigations aside, GDPR has also driven benefits for EU consumers as companies have stepped up their efforts to educate the public on their data practices. The establishment of mechanisms for access, rectification, and deletion requests has given literally millions of people an easy way to better control the use of their personal data. And the rights given to EU consumers have a downstream effect on many non-EU consumers who benefit from enhanced practices as companies adopt a highest-common-denominator approach to data privacy.

In the absence of large headlines about closed investigations that result in enormous fines, one of the questions about GDPR now is whether companies will become complacent and downscale their privacy programs. Any retraction is inherently risky, as stale privacy impact assessments or outdated inventories result in incomplete records of processing activities.

And incomplete records of processing activities are an obvious sign to regulators that maintenance of a privacy program is lacking and likely deserving of a closer look. Another major question is whether companies’ claims of compliance will be vetted by third parties or will stand unchallenged until or unless regulators come calling and are not satisfied with what they see.

GDPR is also setting an example for enhanced privacy laws in the United States. The California Consumer Privacy Act (CCPA), which is still taking shape, contains similarities with GDPR, including providing Californians with rights to access personal data collected about them by companies covered under the law. However, CCPA may go further than GDPR by eventually allowing a private right of action that could result in privacy class-action lawsuits against companies that violate the law.

California is not alone, as other states are putting lessons learned from GDPR into legislation that could develop into a contradictory, burdensome patchwork for companies to follow. A potential outcome could be the passage of federal privacy legislation, which would standardize requirements, but is unlikely to become law prior to various state laws coming into force. The result in the meantime is almost certainly to include consumer confusion about their rights, companies’ responsibilities, enforcement, and education.

It was said that the 1995 Data Protection Directive, which preceded GDPR, was still being interpreted 23 years later, up until it was replaced by the regulation. GDPR is in its infancy and undoubtedly there will be changes in its interpretation as we move forward. However, one thing that is clear on this first anniversary of enforcement is that GDPR has already dramatically shaped the approach that thousands of companies take to handling data. Moreover, as the privacy landscape and the regulations governing it evolve, new questions and approaches to data privacy will continue to arise worldwide.