On the three-year anniversary of GDPR coming into force, VinciWorks hosted a webinar to look back at the last three years of GDPR. We explored the effect the regulation has had on the way we collect and process data and discussed what we can expect in the next 12 months.
During the webinar we shared a conversation between our Director of Learning and Content Nick Henderson and Richard Hogg, who is the global Information Governance Director for White & Case LLP. Hogg, who has 20 years of global experience in the field, is responsible for global information governance across the firm. He previously worked at IBM, where he played a critical role in their journey to preparation for GDPR, and he speaks regularly on topics of privacy and information governance. Richard shared his expert perspective on GDPR and his views on the future of data protection.
In this blog, we’ll share with you some of the insights from that conversation. Below are some of the questions we asked Richard and a summary of his answers.
What lessons can we learn from recent data protection fines and some recent cases?
- Large fines and jumps in fines: In the last year, privacy penalties in Europe under GDPR jumped 40%, and there was a 50% increase in fines from Italian and German regulators, coming to a total of €160 million. The largest fine was a €50 million fine imposed on Google by the French privacy regulator.
- Most affected sectors and increase in data protection notifications: The sectors most impacted and fined have been retail, hospitality, telecoms and energy. There has also been a massive increase in data protection notifications that have been raised.
- It’s just the beginning: Analysts in the privacy and regulatory spaces think that regulators, especially in Europe, have only just begun. Particularly regarding large cases against the big data organisations and software and service vendors, Hogg thinks it’s safe to assume that it’s still very early days and that most of us are not yet exercising our fundamental privacy rights. Data subjects are yet to get a big wake-up call about what their rights are, and it’s likely we’ll see more big cases and fines coming.
- The EU is going faster: The EU is going much faster and farther than the ICO in the UK at this point, simply because of the momentum and reach of 27 regulators across Europe, compared to one single UK regulator.
What is the effect of Brexit on GDPR?
- Requirements are pretty similar: On a simple level, if you have customers in the UK, GDPR no longer applies to them because they’re not in the EU. But the UK has put its own Data Protection Act in place, so there are very similar requirements with regard to handling personal data. So basically you need to apply and meet the same privacy control obligations as under GDPR, just under a different regulation.
What about US GDPR? Is it radically different?
- No, very similar. There’s no fundamental difference.
What can you say about the global impact of GDPR?
- Spurred momentum: The GDPR put momentum behind privacy regulations globally. It wasn’t the first privacy regulation but it was the first one with real teeth that bite. Suddenly there are real penalties for failing to meet data regulations.
- Taking it even further: Some countries have had privacy regulations for over a decade, but GDPR has really encouraged enforcement and shown the way for many countries to go even further. For example, in California, there’s a wider scope now of what’s considered personal data that is beyond the scope of GDPR: now it’s not just information about the person that’s considered personal data but also the information around your household and material effects, like the data around your smart car. And some countries like India that are still drafting privacy regulations are taking it further to include data residency requirements, so the personal data of those in India needs to remain in the country as well as meeting privacy regulations. You have to be on top of many details as part of a holistic information governance program.
Data protection and the pandemic: What does data-protection best practice look like right now, when some are working from the office and some are still working from home?
- Know your data: You need to know where your data is and what to give to regulators. Everyone who could be asked should have their data map, their records of processing and their data register. This means knowing what data the business holds, down to the categories and types, as well as why you have it and what you are doing with it. If you do, you’ll be in good shape to address any regulatory queries or investigations.
- Stay on top of obligations: It’s also important to be on top of your data privacy obligations. Wherever people are working (home or office), on whatever devices, and wherever in the world they’re based, it’s important to make sure they’re trained annually and refreshed on the fundamentals of personal data and the importance of doing the right thing with the data in our possession. Workers should also know where to go if they have a query.
- Use and store data correctly: It’s important to make sure staff are storing and using data correctly, in corporate or approved business repositories and services, and not on their own personal online storage or hard drives.
Hogg stressed the need to have fundamental data controls in place, regardless of the devices and tools that staff are using.
What is the future of data protection, what are the next big things to come?
- More transparency, higher consumer expectations: Hogg thinks we’ll see more transparency for consumers and citizens in every country, so that people will get a clearer sense of what data is actually being collected and what any given service or business is doing with the information. There are SAR (subject access request) forms today, and you can get some of that information, but Hogg says that soon there will be a more general set of data privacy expectations regardless of what country you’re in.
- Some have already begun: Some platforms are doing more already. For example, Apple have their “privacy nutrition labels.”
- It’s a two-way street: Vendors and legislators will be doing more enforcement and encouraging more transparency, but customers will also have to do more to exercise their rights to keep up that expectation of transparency.
Will the EU decide that Britain’s regulations are adequate, or not?
Hogg says that he doesn’t see any kind of major disruption at this point, but he does think that we need clear international rules for data transfer, including a clear understanding of what’s adequate as well as the vehicles for moving data around. He thinks it’s important to get to a level, transparent playing field in terms of global data governance and rules for transfers.
VinciWorks’ complete GDPR solution
GDPR compliance should involve the entire organisation, rather than only specific departments that are deemed high risk. VinciWorks’ GDPR compliance solution is a one-stop shop for complete company-wide compliance. Our suite of GDPR courses ensures that all staff are trained appropriately via interactive, customisable courses. Whether staff are well-versed in GDPR or require in-depth onboarding training, we have you covered. We also offer a centralised GDPR reporting solution that allows organisations to create, track and automate all data protection registers, such as processing activities, data protection impact assessments and subject access requests.