On a first day packed with fascinating insight at PrivSec Global, experts explored lessons that enterprise organisations have learned from the first three years of the GDPR.
Andreea Lisievici, Head of Data Protection Compliance, Volvo Car Corporation, said:
“As GDPR has evolved, some companies have realised that they have implemented the regulations incorrectly. After GDPR, companies understood that it’s here to stay. It’s not a temporary project.
“In terms of maturity, after 3+ years, it’s much more difficult to get away with non-compliance. Consumers are much more aware of their rights and of the core fact that companies need to protect their privacy and that they need to configure their products and services in a way that supports privacy-by-design.”
Ian Evans, Managing Director, EMEA, OneTrust, said:
“From the vendors’ side, we’ve helped 1000s of companies to figure out their journey. While the GDPR is fairly rigid in terms of its rules, risk appetite, industry of business etc. will influence implementation.
“I think there’s a huge amount that has happened in three years since GDPR began, it’s been a phenomenally active time and the landscape just looks like it’s getting increasingly complicated.”
Beatriz Ruiz-Beato, EMEA Data Protection Officer, NEC Europe Ltd, then underlined how the GDPR is not the only law to be driving the international conversation, but has influenced many other laws.
The question was then posed: How can organisations implement a global privacy framework? Should we continue to use the GDPR as a gold standard or benchmark?
Claude-Etienne Armingaud, CIPP/E, Partner & Practice Group Coordinator - Technology, Sourcing and Privacy, K&L Gates, said:
“We’re seeing different frameworks that are similar substantially, but are not necessarily overlapping. At the same time, companies would like to have one single privacy framework to rule everything, and it’s getting increasingly complex to have one streamlined programme.”
Andreea Lisievici said:
“It’s tempting to align with the strictest requirements, but there are practical issues with this. Often, it’s difficult to figure out what the strictest requirements are. For instance, the Brazilian data protection framework has ten bases for compliant data use, whereas the GDPR has six.
“There are many practical consequences that bring difficulty to having a global take on data protection. When a company has a global product or service launch, localisation of laws has to apply. This can’t be done without a starting point which needs to be adapted to fit the market where the launch takes place. It’s very likely that different data protection suites will apply and overlap in the same places around the world.”
Will we see a US federal law?
Andreea Lisievici said:
“We were surprised by how the CCPA came through, and I think there’s a lot of compliance in the US to the GDPR already, driven by case law and fines. I don’t really know is my real answer, because it gets very political very quickly. Currently the GDPR is being used as a benchmark, but in terms of employment law across Europe, it’s different in every country. I think we’re going to see this derogational impact.”
Beatriz Ruiz-Beato asked:
“In terms of enforcement, there has been criticism of certain DPAs who have failed to enforce action against the tech companies. Is the one-stop-shop mechanism working?”
Claude-Etienne Armingaud said:
“I don’t necessarily agree with the question because the big tech giants have been fined. However, maybe Ireland has been too lax with the tech firms established there. I think the one-stop-shop is something that the supervisory authorities are learning about, but it’s a process. There are discrepancies between how various member states are enforcing GDPR.”
Andreea Lisievici said:
“I think the one-stop-shop can be improved. I think the idea isn’t bad – this is a regulation that needs to be uniformly enforced. I don’t know if having a single DPA at EU level would be any sort of solution to this. I think the biggest cause of delays is that the DPAs are not resourced and staffed appropriately.”
“They don’t have enough technical people – most DPAs have one or two technical specialists, and we want enforcement against big tech, which is just not possible.”
OneTrust’s Ian Evans said:
“Sitting back and waiting for change is the wrong thing to do. We may have revisions to the GDPR but it’s here to stay; it’s disruptive and it’s a constant change. We have to be ready on the research side in order to fine-tune our internal frameworks. I don’t think we can ever slow down in terms of ensuring compliance. We need to be proactive in making sure we know what to do to comply.”