On May 31, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a white paper on GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges (the “White Paper”). In addition, CIPL submitted the White Paper along with a separate response to the European Commission’s questionnaire to prepare for the June 2019 stocktaking exercise on the application of the EU General Data Protection Regulation (“GDPR”).
The White Paper outlines the benefits that organizations have experienced over the past year as a result of their GDPR compliance efforts. It also describes the challenges and unfulfilled promises of the GDPR, identifying where organizations feel the GDPR has not lived up to its objectives and has presented practical difficulties that need to be addressed.
The White Paper is based on CIPL’s own observations, a survey of CIPL Member experiences with the GDPR and formal discussions through different forums, including CIPL’s 2019 Annual Executive Retreat.
In terms of key positive impacts, over the past year the GDPR has:
- increased awareness and tackling of privacy issues at top management and board level;
- shifted the view of privacy law from a compliance obligation to a top business issue and business enabler linked to organizations’ data strategy and digital transformation;
- improved organizations’ ability to build and implement accountable privacy management programs and to demonstrate accountability internally and externally;
- driven organizations to include an identified expert/team to oversee the privacy management program, implementation of GDPR requirements and ongoing compliance;
- lowered data protection liability risk and supported internal business decisions;
- provided a competitive advantage in B2B negotiations and improved the ability of organizations to identify trustworthy service providers;
- strengthened organizations’ resilience to breaches and prepared them to respond more efficiently; and
- broken down organizational silos by facilitating a collaborative approach between different functions and leadership (e.g., between CDO, CIO, CISO, CMO, DPO, legal, engineering, etc.).
In terms of challenges and unfulfilled promises, over the past year the:
- GDPR has failed to solve the fragmented privacy landscape across Europe;
- GDPR has been the subject of rulings by non-data protection regulators (e.g., competition authorities and consumer bodies) that are making decisions regarding data protection issues, where the EU data protection authorities (“DPAs”) should be the competent authorities;
- benefits of the One-Stop-Shop mechanism have not been realized;
- complexity of the GDPR’s rules on territorial scope has generated confusion for organizations operating in the international digital ecosystem;
- GDPR has been undermined as the single and uniform set of rules for data protection across Europe due to inconsistencies in sectoral laws regulating data use;
- effective oversight and enforcement by DPAs has been obstructed by the GDPR requirement that DPAs handle every complaint they receive, regardless of the level of risk involved;
- GDPR does not appear to be fully responsive and adaptive to emerging technologies (e.g., blockchain, developing biotechnology or artificial intelligence applications);
- GDPR has not realized its full promise with respect to the risk-based approach as DPAs have not yet promoted a clear and consistent approach to assessing risk;
- European Data Protection Board (“EDPB”) and DPAs have not yet developed the framework to realize the full potential of GDPR certifications and codes of conduct as tools to demonstrate accountability or as transfer tools, and have not expanded upon or improved existing cross-border data transfer mechanisms; and
- true nature of Binding Corporate Rules (“BCRs”) as a form of certification has not been recognized, and BCRs have therefore not been leveraged for important global interoperability purposes.
To read more about the positive impacts and benefits, as well as the challenges and unfulfilled promises of the GDPR outlined above, please see the full paper.