Preparing for the GDPR was a herculean effort for many. Now here we are, one year later, and the tide of GDPR fervor has ebbed, but not significantly receded – after all, achieving compliance is a marathon, not a sprint!
In a way that’s to be expected – establishing and reinforcing a strong culture of compliance is not a “one and done” effort, but an ongoing and organization-wide priority and push. In the months following the GDPR effective date, privacy professionals around the world continue to refine their breach response practices in the face of more enforcements, regulator guidance, and awareness about general best practices.
So now that we have a little distance and perspective from that fateful date of May 25th, 2018, what have been the lasting impacts of this regulation that was heralded as a sea-change in privacy law?
In terms of hard numbers, RADAR’s aggregated incident metadata reveals good news when it comes to how effectively best-in-breed privacy programs are managing breach notification under GDPR. Contrary to the frustration expressed by many EU regulators, RADAR’s Benchmarking data reveals that organizations using an automated, consistent, and compliant incident risk assessment methodology are not over-reporting to supervisory authorities and individuals. While most organizations are reporting a significant percentage of their incidents due to the lack of an effective and defensible risk mitigation and risk-of-harm assessment, RADAR is helping organizations avoid the risk of over-reporting. Our metadata confirms that the majority of incidents (83%) can be sufficiently risk mitigated and properly risk assessed to keep them from hitting the risk or high-risk thresholds for notification under the GDPR. We credit this to the consistency, efficiency, and efficacy of RADAR’s automated multi-factor incident risk assessment and notification decision-support guidance.
Once the notification decision has been made, organizations are making mixed use of the so-called “one-stop-shop” when it comes to the question of lead or local supervisory authority. And given the broad definition of protected personal data under the GDPR, it makes sense that the types of data exposed in GDPR-reported data breaches are typically items like name, postal address, date of birth, etc. – data elements that would be considered pretty mundane under U.S. laws.
Considering the influence of this regulation at a global scale, it’s clear the GDPR has served as a model for emerging privacy laws on the international stage. Unlike industry-led efforts promoting self-regulation and consumer choice, the GDPR established a government-led baseline for addressing growing privacy concerns around the globe. With broad definitions of personal data, accelerated notification timeline requirements, and severe penalties for noncompliance, the GDPR has signalled a clear directive that privacy is a fundamental human right. The regulation also asserts how those rights must be honored by businesses that handle personal data of natural persons. To illustrate the GDPR’s influence on an international level, here are just a few examples from the last year:
- May 25, 2018: GDPR goes into effect.
- June 28, 2018: The California Consumer Privacy Act is passed by the California State Legislature and signed into law, a watershed for U.S. privacy law inspired by GDPR.
- July 17, 2018: Japan and the EU agree to recognize each other’s data protection regimes as providing adequate protection of personal data.
- August 14, 2018: Brazil approves its General Data Protection Law, a comprehensive law that closely mirrors the GDPR.
- November 1, 2018: Canada’s PIPEDA breach regulation takes effect, drafted with a view to harmonizing with the requirements under GDPR.
- March 1, 2019: Singapore’s Data Protection Commission issues a statement announcing plans to introduce a mandatory breach notification regime.
- March 28, 2019: Australian government officials announce they will implement new laws with tougher penalties for breaches.
In the U.S., multiple states are proposing initiatives similar to CCPA, which has been nicknamed by some as “GDPR Lite.” Organizations that underwent preparations for GDPR have cited the process as a helpful activity as they prepare for the CCPA effective date. And of course there is always the annual looming debate as to the prospect of passing a federal regulation. With so much political dysfunction and industry group disagreements, we are not likely to see the end of this debate anytime soon.
These flashpoint moments in our industry are opportunities to approach large-scale initiatives like the GDPR as either another headache for your team, or as an opportunity to align your organization and ensure you are working together in lockstep, especially across privacy, security, and leadership stakeholder groups. An event like GDPR isn’t just an issue for the privacy team; it requires a comprehensive approach from the entire organization.
A little over a year ago, some organizations were looking to May 25th as a due date for GDPR compliance, a finish line for all their hard work. In reality, this was just the start of a new world order.