A year after the General Data Protection Regulation (GDPR) went live, it's a good moment to take stock. So, where have we got to and what have we learned?
It would be too easy to focus on what has gone wrong. Hefty penalties levied by regulators have already made headlines: Google, for example, was fined a record €50 million by the French data protection authority over its lack of transparency in personalised advertising.
Nor has the long arm of data regulation been aimed solely at the private sector. In May 2019, HMRC came under scrutiny from the Information Commissioner's Office over an alleged failure to obtain explicit consent from individuals before collecting their biometric data. Indeed, it's likely that these enforcement actions are the first of many.
However, headline-hitting fines aside, the news isn’t all bad. For financial firms that Bovill talks to, implementing GDPR has often been a worthwhile exercise.
It’s been encouraging to see how hard many firms have worked to ensure adequate resourcing for their GDPR project teams, with strong buy-in from senior management and from their whole organisations.
By really engaging with GDPR, firms have found opportunities to improve their operations from an internal point of view as well. For example, some discovered that they were holding superfluous personal data, and have had to work out what they really need and how best to collect and maintain that information.
Firms have often been successful, too, in incorporating data protection into their day-to-day product governance activities, rather than simply treating it as a one-off exercise.
In addition, firms have learned that there's more help available than they realised. The Information Commissioner's Office website, for example, is a goldmine of clear, practical guidance on complying with the new regulation.
Since GDPR came into force, we have also seen better awareness among the general public of their data rights, and specifically of the importance of their privacy. Respect for this awareness is reflected in recent advertising by tech companies; one notable example is Apple's recently announced 'Privacy Preserving Ad Click Attribution' feature, which aims to limit the amount of identifiable information about a web user that is made available to advertisers.
Room to improve
If the picture is so rosy, why have some organisations run into trouble?
The most common pitfall has been underestimating the scale of what needs to be done to fully comply. Many firms, particularly large and well-established ones, learned that the administrative burden of achieving compliance was bigger than expected, not least because of the large volumes of personal data they were holding. Indeed, the transition has often been easier for smaller and newer firms, where most administrative work is done online with only a minimal paper footprint.
Some firms found they needed to change attitudes to personal data. To achieve this, many have provided staff with education, highlighting the fact that data belongs to individuals rather than to the firm – even when consent for its use has been given. In fact, consent is only one of the lawful bases the regulation offers, and it is often not the most appropriate one: for much of what a financial firm does, performance of a contract or compliance with a legal obligation is the better fit, and it does not evaporate the moment a customer withdraws consent.
At an international level, cross-border regulatory conflict often accompanies the introduction of new rules. It therefore comes as little surprise that the US Securities and Exchange Commission (SEC) is currently holding up registrations of EU-based investment advisers, on the grounds that GDPR could be used as an excuse for non-cooperation with SEC investigations.
Looking back – and forward
It’s been a momentous year, with a lot of learning points. On balance, we feel GDPR has had a beneficial effect for firms as well as for the individuals whose data they hold. The industry has taken an important step forward by building its awareness of the need to protect data.
There are still obstacles to overcome – not least, the potential effects of Brexit on data protection. Could firms operating in the EU still share data with UK subsidiaries, for example?
These uncertainties can’t be resolved immediately. What firms can do now is to make sure that they start from a strong foundation, with GDPR compliance implemented correctly and running smoothly. Bovill is more than happy to help, for example by checking that your processes are up to scratch or carrying out a more comprehensive GDPR health check.