GDPR’s Fourth Anniversary: Time to Celebrate, Commiserate or Learn?

By Bill Mew

Four years after it came into force, Bill Mew asks whether the GDPR has worked out as expected. Has it achieved what it set out to do? What purpose does it now actually fulfil? And what lessons do we all need to learn?

A recent data privacy research report by CYTRIO found that 90% of companies are not fully compliant with US data privacy regulations, including the CCPA and CPRA Data Subject Access Request (DSAR) requirements. Alarmingly, 95% of companies are also using error-prone and time-consuming manual processes to handle GDPR DSAR requirements.

This confirms other studies that have found that many companies are not compliant with the key requirements of either the US or the EU data privacy regulations. If so, what is the point in having them? As we ‘celebrate’ the fourth anniversary of the GDPR, we assess what its purpose was and how far this is from reality. We also outline the implications for you.

The Enforcers

Four years ago, in May 2018, when GDPR first came into force, most of the headlines focused on the size of the potential fines. These can still be anything up to a maximum of €20m (about £18m) or 4% of annual global turnover (whichever is greater) for each infringement.

At a national level we saw local DPAs such as the UK’s ICO issue big fines of £200m against British Airways (BA) and nearly £100m against the hotel chain Marriott. This was followed by a series of representative actions, similar to class action suits, such as the claim against EasyJet of £2,000 each for 9 million claimants – a potential total of £18bn, the largest such claim in UK legal history.

Soon, however, successful challenges forced the ICO to slash the fines that it had levied on BA and Marriott by as much as 90%. In addition, a pivotal test case against Google that had initially been upheld on appeal went all the way to the UK Supreme Court, where it was overturned, quashing a potentially massive wave of claims.

Meanwhile, at a European level, responsibility for regulating BigTech fell largely to the Irish Data Protection Commission (DPC), as this is where Facebook, Google and most others have their European headquarters. A landmark case brought by privacy activist Max Schrems against Facebook was punted by the Irish DPC up to the Court of Justice of the European Union, where in July 2020 it was upheld, effectively undermining Privacy Shield, the data sharing agreement between the EU and US.

However rather than enforce the ruling, the Irish DPC dragged its heels, working with Facebook to seek to find a workaround. This led not only to a vote in the European Parliament sanctioning the Irish DPC’s inaction, but accusations of corruption. Action has still not been taken to enforce the Schrems ruling, which has wide implications for all EU/US data sharing, and despite evidence that Facebook and others are actively flouting GDPR, little action has been taken against BigTech.

Consequently the latest wave of digital regulation has reverted to central European enforcement, in order to prevent inaction by the Irish giving the tech giants a free pass. And while a new data sharing agreement between the EU and US has recently been announced, this is hollow, lacking either detail or legal merit.

And in the US, gridlock in Congress has prevented any meaningful progress on federal privacy regulation, leaving it to states such as California to do their own thing.

  • Action: lack of progress on federal privacy regulation in the US and relative inaction on enforcement in critical areas of the EU should not be mistaken for a lack of regulatory intent. More regulations are emerging all the time and keeping ahead of it all and out of trouble is essential.

The Lawyers

Many law firms have bulked up considerably, hiring data privacy lawyers to assist clients in ensuring compliance with the regulations in each country. However, given that the vast majority of companies are not compliant, what purpose do these lawyers serve?

External legal advisers are never going to understand your business as well as you do. Much of the advice that they therefore give tends to be formulaic, leading to a tick-box approach to compliance – something that almost all privacy experts warn against.

The real purpose of external legal advice is to cover yourself in the event of an incident. You can then show that you sought the advice of experts (and then applied it). This is about the best defense that most organizations can give in any regulatory hearing.

The reality is that if an incident does occur, one of the first things that your internal and external legal teams are going to do is ‘seek expert advice from counsel’ – go to the real legal experts. In the UK this means a senior QC with expertise in cyber and data law. This expert advice will be the basis for the best legal defense strategy.

  • Action: Don’t wait until the last minute to seek out the best QC. Do this now, ensure that your chosen expert is adequately briefed about your business, and get the best expert advice long before things go wrong.

The Defences

GDPR has never just been about how you process private information. It has always also been about how you manage, protect and secure it as well. Effective data management, as well as data protection and backups, have been essential from day one, and remain so today. It is the threat landscape that has changed.

As we covered in our recent article ‘Above Zero: Melting the Cyber-Threat Iceberg by Moving beyond Zero Trust’, the threat landscape is like an iceberg. Only the most obvious threats or attacks are visible. Most are not. Organizations are unlikely ever to be able to eliminate cyber risk, but there are measures that they can take to mitigate it.

This article explained why applying methodologies like Zero Trust is a great starting point, but you need to go a lot further. Likewise, government schemes like ‘Cyber Essentials’ from the UK’s National Cyber Security Centre (NCSC), or similar frameworks from NIST or ISO, provide solid foundations – but are not enough on their own. A layered cybersecurity strategy is needed – one that includes reliable backups.

GDPR also mandates that you regularly assess and test the effectiveness of your processes. This not only means rehearsing your incident response plans, but also testing your backups to ensure that they are working effectively.

Most organizations now accept that complex hybrid environments are a reality these days that they need to learn to deal with. Typically these include data at rest and in transit between a wide variety of devices and locations, from the laptops of remote users to central multi-cloud and legacy systems and a proliferation of SaaS applications. Effectively managing and backing up all of this data is no simple task – unless of course you have the right tools for the job.

  • Action: a layered cybersecurity strategy is essential and constant vigilance is required to maintain it. This includes a level of crisis preparedness, from incident response to backup and recovery planning. If you don’t get ahead of the game with the right tools to effectively manage and back up your data across your entire IT estate, then you’re not only going to find compliance an issue, but you’ll also be exposed if (or when) things go wrong.
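The section above says that GDPR expects you to test your backups, not merely take them. The script below is an added example, not code from the original article or from Commvault: it illustrates what a minimal automated restore test looks like. It snapshots a constructed sample directory, records a SHA-256 manifest alongside the copy, restores the copy to a fresh location and then compares every restored file against the manifest, so that a corrupted, missing or unexpected file is reported rather than silently trusted. The directory layout, file names and the `fault` parameter used to simulate damage are all assumptions made for the demonstration.

```python
"""Backup restore test: snapshot a tree, restore it, verify every file's hash."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hash."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source: Path, backup_dir: Path) -> Path:
    """Copy the source tree and store the manifest next to it (hypothetical layout)."""
    shutil.copytree(source, backup_dir / "data")
    manifest = build_manifest(source)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def verify_restore(backup_dir: Path, restore_dir: Path) -> dict:
    """Restore the backup to restore_dir and diff it against the stored manifest."""
    expected = json.loads((backup_dir / "manifest.json").read_text())
    shutil.copytree(backup_dir / "data", restore_dir)
    actual = build_manifest(restore_dir)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {
        "ok": not (missing or extra or corrupted),
        "missing": missing,
        "extra": extra,
        "corrupted": corrupted,
    }


def run_demo(fault: str = "none") -> dict:
    """Build a constructed sample tree, back it up, optionally damage the backup, then test it.

    fault: "none" (healthy backup), "corrupt" (overwrite a backed-up file),
           or "delete" (remove a backed-up file).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "customers").mkdir(parents=True)
        # Constructed sample data standing in for personal data the business holds.
        (src / "customers" / "records.csv").write_text("id,email\n1,alice@example.com\n")
        (src / "config.yaml").write_text("retention_days: 30\n")

        backup = take_backup(src, tmp / "backup")
        target = backup / "data" / "customers" / "records.csv"
        if fault == "corrupt":
            target.write_bytes(b"\x00corrupted")   # simulate silent media corruption
        elif fault == "delete":
            target.unlink()                        # simulate an incomplete backup

        return verify_restore(backup, tmp / "restore")


if __name__ == "__main__":
    for fault in ("none", "corrupt", "delete"):
        print(fault, run_demo(fault))
```

Run the script on its own and it exercises all three cases. The point a practitioner should take from it is that the manifest is written at backup time and checked after a real restore; comparing hashes of the backup copy against itself proves nothing about whether the restore path works.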

The Imitators

GDPR has not only set a standard for data privacy that is recognised across the globe, but it has also spawned many similar regulations in other jurisdictions, as other markets either seek equivalence with GDPR or attempt to refine it in some way. CCPA in California, POPI in South Africa, LGPD in Brazil and countless other regulations in other nations or US states – with more emerging all the time – all owe their genesis to GDPR.

The fine balance to be struck between equivalence and improvement is particularly evident in the UK, which post-Brexit has promised to reform countless EU rules. The British were arguably the architects of GDPR, much of it being based on the UK’s own data protection rules and driven by leading British legal minds. So improvement is entirely possible, but it cannot be seen to undermine confidence and trust in the UK regime.

As Jakub Lewandowski, legal director and global data officer for Commvault recently explained: “Any increase in compliance and regulatory obligations raises development costs for digital businesses. There’s a fine balance between protecting data and stifling innovation, but ultimately the most important factor has to be building trust in our digital economy and relations.”

While there is definitely room for improvement, as well as opportunities to spur innovation, any reform needs to be measured. If it diverges too far from the EU’s GDPR then the UK could put its adequacy at risk, and any loss of equivalence could create another barrier to trade with the EU, adding further cost and complications on top of Brexit that firms can ill afford.

  • Action: retaining flexibility and agility in the way that you manage data will become a source of competitive advantage, and will also be essential in dealing with the evolving patchwork of different privacy regulations.

The Answer

My personal mantra has always been seeking to strike the right balance between meaningful protection (digital ethics, privacy and cybersecurity) and the maximization of economic and social value (cloud, digital transformation and innovation). We cannot have meaningful protection without compliance and there won’t be widespread compliance without enforcement. In addition the enforcement needs to be:

  • Effective: with a meaningful threat of sanction for non-compliance – according to DLA Piper, nearly €1.1 billion in fines was handed out between January 2021 and January 2022, a sevenfold increase on the previous year’s total, alongside 356 breach notifications a day;
  • Fair: with the rules being applied to BigTech firms as well as to the rest of us; and
  • Proactive: with whistleblowers able to report data misuse long before incidents occur, rather than action almost exclusively taken only after incidents have happened, largely as a result of breach notifications.

And on the flip side, if we are to maximize economic and social value then we need to minimize not only the cost of compliance, but also the barriers to innovation. In large part this can only be achieved with a level of regulatory harmonization. Given the ideological gulf that exists between the EU’s prioritization of privacy as a human right and the US’s prioritization of surveillance for national security, this will not be easy. It has already led to the demise of both Safe Harbor and Privacy Shield and will dog attempts to implement any replacement. At least we can seek as much harmony as possible on either side of this divide, with as much alignment as possible between the EU and UK versions of GDPR and with regulation at the federal level in the US to align the proliferation of state by state privacy laws.

Meaningful protection comes at a cost, but this does not mean that it needs to stifle innovation.

See how Commvault can help you meet your data compliance and regulatory obligations here https://www.commvault.com/data-compliance