Three years have passed since the European Union’s General Data Protection Regulation (GDPR) entered into effect, but according to a recent Bloomberg Law survey, compliance challenges persist, principally due to the so-called GDPR ripple effect.
While compliance efforts are never—or at least, should not be—treated as a “check-the-box” exercise, the GDPR has triggered a proliferation of privacy laws worldwide, making the applicability of a given jurisdiction’s regime, and an assessment of how far it diverges from the GDPR, the very first “box” for organizations to address. Recall that the California Consumer Privacy Act (CCPA) was enacted just one month after the GDPR came into force. With the subsequent enactment of comprehensive privacy measures from Brazil, New Zealand, Thailand, California (again), Virginia, Colorado, and elsewhere, compliance has become even more challenging for privacy professionals.
In light of this regulatory upheaval, we thought it was time to refocus our attention on the “granddaddy” of them all—yes, a grandparent at the age of three—to see how companies are faring, GDPR-wise.
Competition and Complexity
Bloomberg Law’s GDPR Compliance 2021 Survey, conducted in May, asked respondents to assess their organizations’ ongoing GDPR challenges. Unsurprisingly, respondents identified GDPR-inspired laws—competing regulations from other jurisdictions—as their top challenge. Three-quarters of respondents said that the growth of similar privacy laws has had an impact on their GDPR compliance efforts.
Keily Blair, who heads up the Cyber, Privacy & Data Innovation Group in Orrick’s London office, told us that while much legislation uses the GDPR as a benchmark, each national law reflects its own local nuances and practices. “When you add to this the complexity of complying with the emerging patchwork of state privacy legislation in the U.S.—which is only going to increase—it’s natural that this presents a challenge for organizations when designing and implementing global privacy programs,” said Blair.
Rohan Massey, who leads the Data, Privacy and Cybersecurity practice in the London office at Ropes & Gray, was also not surprised with the survey’s results. “The fact these measures are now being mirrored in other jurisdictions has created increasing complexity for those operating internationally,” he said.
Indeed, the complexity of the GDPR itself ranked a close second in the survey’s list of challenges, at 70%. While the 88-page law is unquestionably complex, we wondered whether most of the regulatory wrinkles would have been ironed out by now. Or at least ironed out enough to place complexity issues somewhere further down on the list of GDPR challenges.
Not necessarily, said Blair. She noted that, in legal terms, it’s still a relatively new law. “While there has been a plethora of guidance from national data protection authorities and the European Data Protection Board, the guidance is not always consistent, and we have relatively few regulatory and court decisions that address the very complex areas which organizations grapple with.”
Massey added that organizations are still “struggling to feel comfortable” that their efforts and approaches to risk will be accepted by regulators.
On a positive note, only 39% of respondents noted that securing buy-in on budget and resources is still a challenge. As privacy laws proliferate, that’s good news! It appears that organizations are finally recognizing privacy as a competitive differentiator that aligns with broader business objectives. Indeed, more than half of respondents (56%) noted that their organization has a defined budget for privacy and data security expenses.
Operationally speaking, nearly three-quarters of survey respondents said that integration of GDPR requirements over multiple systems has presented a hurdle to their organizations’ daily operations.
Massey explained to us that the greatest challenges have been in systems where personal data subject to the GDPR is pooled with data that is not. “Ensuring that data is correctly identified and that data subject rights can be fulfilled has caused many issues, prompting some organizations to delete large amounts of data to start over again with a clean slate,” he said.
Such actions, he opined, often result from a lack of understanding of the GDPR or an “uber-conservative attitude to risk.”
Blair cited data retention and minimization as a significant “compliance headache.” Gaining a clear understanding of the data lifecycle—what is processed, how it is processed, when it is shared, where it is stored, and when it is destroyed—and of how that lifecycle intersects with other legal and regulatory obligations is “a herculean effort that needs input from multiple stakeholders and departments,” she said.
It’s encouraging to see that very few respondents (only 10%) are experiencing difficulty with regulators and supervisory authorities.
“Good legislation should only require minimal regulatory intervention,” said Blair. “In our experience, U.K. and EU regulators and supervisory authorities are—for the most part—engaging positively with organizations who are subject to the GDPR,” she added.
Massey noted there have been relatively few major enforcement actions and mandatory audits to date, some of which could be attributable to the pandemic. Nevertheless, Massey commented that, in general, “authorities have been pragmatic in their assessments and in the application of the enforcement powers, particularly in relation to the power to impose large fines under the GDPR.”
Keep Calm and Carry On
While it will be interesting to see in a year or two whether survey responses will change, we doubt they will. Privacy laws will continue to proliferate, personal data will still be processed, and innovative technologies will be introduced.
“Compliance with the GDPR cannot be static,” Blair said. “Most companies will be on a continuous improvement journey when it comes to GDPR compliance.”
Additional survey responses are available in Bloomberg Law’s GDPR Compliance 2021 Report. Bloomberg Law subscribers can find related content on our In Focus: GDPR and our Surveys, Reports & Data Analysis pages as well as comparisons of the California Consumer Privacy Act and the California Privacy Rights Act.