GDPR One-Year Mark: Lessons Learned
The European Union’s General Data Protection Regulation (GDPR) continues to challenge businesses of all sizes worldwide, creating new concerns and responsibilities for the security and legal teams charged with ensuring data privacy compliance. Park IP Translations, a Welocalize company, looks at GDPR one year in and shares lessons learned and what lies ahead.
Create a Privacy Champion and Team
In an interview with CorporateCounsel, Anna Gassot, a privacy associate at Fieldfisher and former in-house counsel, said legal departments need to form teams involving more than just legal. She suggests that legal appoint “privacy champions” in other impacted departments, such as IT or human relations, which deals with sensitive personal data. The appointed representative should be responsible for bringing new products, procedures or concerns to legal to collaborate and ensure privacy standards are met.
It’s A Journey, Not A Destination
Despite the concentration of activity leading up to 25 May 2018, many emphasize that GDPR is a long-term, ongoing commitment to compliance.
“The 25th [of May] became a singular point in time, but it’s a milestone, not the end,” said Chris Swarbrick, Head of Technology at Omnicom Media Group Programmatic UK, in an interview with CMO. “It’s an evolution, as people continue to learn and understand what the relationships will look like. There are multiple nuances, and it’s going to take a while to learn all of them.”
GDPR Enforcement Varies by Country
At this year’s RSA Conference, security expert Ariel Silverstone reported that, as of the end of January 2019, there were 41,000 breaches reported under GDPR that fell within the 72-hour notification window. Additionally, Silverstone noted that while GDPR involves all 28 countries of the EU, variations in how each country is implementing the law mean companies could face different penalties. For instance, he said that Germany’s interpretation of the law makes a violation nearly a criminal case, while other nations have been reducing fines.
GDPR is only one compliance policy. Experts point out that GDPR will help global organizations be better prepared for other forthcoming compliance regulations, including the California Consumer Privacy Act, which adheres to some of the same principles as GDPR and comes into effect 1 January 2020.