Alex Hollis, GRC Practice Director at SureCloud reports:
In reviewing web trends last year we can see a considerable spike building towards the May deadline then falling away sharply, by August 2018 the number of searches for GDPR has dropped back to the same level as two years prior. The experts within the space predicted that there would be many fines with the German state regulators and French agency, CNIL, leading the way. It was also anticipated that US tier-1 or tier-2 technology firms would be under investigation. The prediction has come true with lots of activity from these regulators with over 100 fines to date and at the start of this year with Google receiving a massive €50 million penalty and investigations ongoing into YouTube with a potential fine of €3.87bn. There have also been over 60,000 data breach notifications reported to the regulators, the penalties and sanctions for these will likely be still to come.
Within organizations, the predictions have not been as accurate. Despite the initial rush of companies to appoint a DPO, train staff, change processes and purchase tooling, much of the energy leading up to the deadline has dissipated, and the predicted scare of the fines has not been as effective. The initial reaction from most companies was to update privacy policies and update supplier contracts, which translated to none of the intended effects of the regulation. Organizations who went further became acutely aware of the mountain of data they hold and retain with a ‘just-in-case’ attitude. The task of unpicking decades of data, while also adapting to change in the business, determining the source, the method of consent, correct retention, and lawful processing feels like a never-ending one. It would be fair to say most companies are working towards being compliant; however, without the pressure, most are becoming worryingly comfortable in the ‘working towards compliance’ state.
There are some exceptions to this, with companies who have recognized the spirit of the regulation and have huge leaps in the maturity of their privacy programs. They are not only moving close to compliance but are also much more transparent and knowledgeable with how they are handling data, with some even identifying efficiencies and opportunities through this exercise.
The role of the data subject has also not been embraced as predicted. GDPR was also a move to ensuring there is more value placed by the individual on how their data is used. While there are many disgruntled people, who have wielded GDPR as a method of attacking companies with whom they hold a grudge, the shift for respecting our data privacy has not been realized. Most website users have been freely clicking the privacy notices without any change to their appreciation of how their data is being used. The regulators have responded to this by criticizing that websites are not affording users the option to ‘opt-out.’ This challenge rocks the very foundations of the internet and ad-revenues and perhaps will force more of a change.
The conversations I have had in the US is that EU citizen data is treated as a separate privacy problem, but that view is going to be challenged with the California Consumer Privacy Act coming into effect in 2020. It seems governments recognize the need for the regulation and will increase the pressure globally.
As we move into 2019, there will be more fines from the regulators to come. The penalties against Google will be fought out through various legal processes and are unlikely to result in any casualties and as such won’t create the desired motivation. The regulators may then move their focus to mid-tier organizations, which are not as well-resourced to fight and likely haven’t taken as many steps around privacy. As such the impact of the fines will be more dramatic. Many comparisons have been drawn with Sarbanes Oxley, and it wasn’t until people started going to prison that companies and more importantly the people in those roles began paying attention. Similarly, with GDPR the fines need to generate the impact to motivate.