Technology is central to how we live our everyday lives in the world today. From the way we shop or monitor our health, to how we keep in touch with loved ones, it has enabled us to be more connected, more productive and more informed than ever before. Fueling this is a reliance upon substantial amounts of personal data, which has become such a critical component within modern business that it has itself become a commodity.
This pace of change in technology and its leveraging of personal data has significantly outpaced that of data privacy regulation, meaning that individuals can no longer be sure who holds personal information on them, what it is used for or how well it is protected. Somewhat inevitably, companies have not always got this right, with highly publicized data breaches and privacy scandals hitting the headlines this past year. This has contributed to the current ‘techlash’, as both regulators and end-users question the power held by technology giants.
Regulators have been working to keep up with the rapid pace of change. The most significant regulatory development at a global level was the introduction of European legislation in the form of the General Data Protection Regulation (GDPR). This came into effect in May 2018, with the aim of giving EU citizens more control of their personal data. Unlike most other regulations, GDPR explicitly has extra-territorial reach, meaning that any company which does business with EU citizens must be compliant. Many other countries, including Canada, Argentina and Brazil, as well as the State of California, have recently introduced new legislation or toughened up on implementation, picking up on elements from the GDPR model.
Over this past year we have seen the introduction of GDPR as a catalyst for companies to clean house and update their interaction with personal data to ensure that it is fit for purpose. Reflecting the broad demands of the regulation, this work goes beyond just the IT department, extending into how the board oversees the issue, how on-going compliance is monitored by a Data Protection Officer (DPO), the culture among employees to prioritize data privacy and relationships with suppliers. But there are questions over how this is implemented in practice, with different governance structures offering a variety of risks and opportunities.
To better understand the challenge that the implementation of GDPR-consistent data privacy and security measures presents, we engaged with a group of 28 global companies from sectors we considered to handle significant amounts of EU citizens’ personal data within their business model, particularly those in the technology, pharmaceuticals, finance and consumer industries. As part of our engagement we requested to speak with either the company’s DPO directly, or someone with operational oversight of the area, to focus on what they had done to prepare for GDPR’s introduction, any impacts on its business model, what governance arrangements are in place to manage the risk, as well as any innovation in this area.
Engagement responses and findings
Given the sensitive nature of this topic, the level of access we were given within companies exceeded our expectations. We spoke to individuals directly responsible for data privacy in the majority of cases. Most conversations with companies were frank and open, with companies honestly presenting the progress that they had made, as well as their shortcomings. Our key findings are detailed below:
About half of the companies that we engaged with have established the requirements of GDPR as their global standard for data privacy across their entire business, with others generally opting to enforce the spirit of the regulation outside of their European operations without implementing its more stringent parts, such as the 72-hour breach notification procedure.
Given the scale of the task at hand and relatively short time frame, we were not surprised that only one company claimed to be ‘fully compliant’ by the time that GDPR had come into force. Nearly all companies reported having adopted a risk-based approach to achieving compliance, having completed the most material parts that posed the highest risk. The most common areas of work remaining were contracts with third-party suppliers and adapting legacy systems to allow for new features for which they were never designed, such as data deletion.
Implications for products and services
In general, companies said that the more restrictive aspects of GDPR, such as requiring explicit consent and ensuring data minimization, had not prevented them from continuing to provide any of their existing core products or services, only adding to the cost of doing so. An outlier to this was one company which commented that it felt it was at a disadvantage compared to its American counterparts, as there were restrictions on how it could further monetize customer data beyond agreed purposes.
Role of data protection officers (DPOs)
GDPR expects companies to have one or more designated Data Protection Officers (DPOs). DPOs are expected to operate on an independent basis, acting as the primary contact for regulators, and for individuals seeking information on how their data is being held or used.
Nearly every company we spoke with had appointed a senior figure to be responsible for data protection and privacy compliance, although an assigned group-level DPO held this key position at only half of those that we spoke with. An equally popular operating model was a ‘hub and spoke’ approach, whereby the company appoints a centrally based Global Privacy Officer, to whom regionally based DPOs report.
In terms of meeting the requirements for the DPO to operate independently while also reporting to the highest level of management, most DPOs or privacy officers were based within the legal, compliance or risk functions of the business. The most common reporting line was to either the General Counsel, Chief Compliance Officer or Chief Risk Officer, although at smaller companies they would often report directly to the CEO.