
Privacy Compliance 2.0

GDPR Getting More Serious

Five years ago, on 25 May 2018, the General Data Protection Regulation (GDPR), one of the world's key data protection laws, became applicable across the EU. Since then, European and non-European organisations alike have launched compliance programmes in an effort to avoid the GDPR's hefty fines, which can reach 4% of an organisation's global annual turnover. In the meantime, regulators have stepped up their staffing and expertise. At the same time, technological transformation, enabled by more automated tools and outsourced (cloud) data storage, has steadily gained businesses' attention as a way to reduce operational costs, sometimes to the detriment of privacy.

One thing is now very clear: GDPR and privacy compliance has more depth and more angles than originally anticipated, going well beyond the privacy compliance projects that were launched shortly after the GDPR was adopted.

Privacy Compliance 1.0 vs Privacy Compliance 2.0

In the period preceding 25 May 2018, most organisations set up GDPR compliance or GDPR readiness task forces, often supported by external experts. Certain interpretations of the GDPR were unclear at the time, so most compliance efforts focused on visible actions (such as appointing a DPO) and on obvious but often incomplete ones (such as starting company-wide records of processing activities and drafting privacy policies). Five years later, the privacy domain has matured: standard templates and models are widely available at low or no cost, regulators have issued plenty of guidance, and it is now clearer what constitutes “best practice” in privacy compliance (for example the ISO/IEC 27001 information security standard and its privacy extension, ISO/IEC 27701).

Between 2018 and 2022, awareness of the GDPR among European individuals increased significantly, with citizen awareness figures doubling from the 20% range to the 50% range[1]. This has led to more complaints and, hence, more investigations by regulators. The number of GDPR fines issued in the European Union per year rose from 140 in 2019 to 478 in 2022, including all-time record fines. In Belgium, the number of privacy investigations per year rose from 70 in 2018 to 142 in 2021, alongside a significant rise in complaints to the regulator[2].

When it comes to real and effective implementation, however, privacy compliance remains a challenging and often fragmented job: professional staff frequently lack practical experience in embedding GDPR rules in the day-to-day business and data governance programmes of their organisations; privacy-focused roles are often understaffed and spread across departments without proper coordination; and, most importantly, senior management is often insufficiently involved, or not involved at all, in discussions on privacy compliance.

Drawing on its experience in dealing with privacy compliance over the last five years (and before), Deloitte has identified the most common pitfalls and focus points for the next stage of privacy compliance:

  • Data Protection Officers (“DPO”): DPOs are the persons primarily responsible within an organisation for monitoring privacy compliance and practices. Deloitte observes that DPOs are generally appointed from among existing staff members, often with little or no independence, a lack of resources and a lack of access to senior management. Most of the time, DPOs act as “firefighters” rather than as a compliance function with the required autonomy. This is particularly dangerous if a data protection authority detects the lack of autonomy of a DPO, since that autonomy is required by the GDPR (Article 38).
  • Record of Processing Activities (“RoPA”): A RoPA (required by Article 30 GDPR) is an important tool for maintaining an up-to-date snapshot of all data processing activities performed by the organisation, both for the DPO and for the Data Protection Authority (DPA). More importantly, it allows the DPO to spot potential issues or situations of non-compliance, and it is often the first thing regulators look at during an investigation. In practice, RoPAs are often a basic Excel sheet that lacks information about the processing activities and gives vague explanations of the legal grounds. Too often they are incomplete and not kept up to date.
  • Privacy Policies and Notices: Most organisations have a privacy policy through which they aim to inform data subjects about the processing of personal data within the organisation's environment. Deloitte has observed during its engagements that privacy policies are often too legalistic, too long, internally contradictory (for example, the stated purposes of processing do not match the data attributes that are actually processed) and unacceptably generic (not covering the why, how and when of each phase of data processing, including data transfers and processors).
  • Training: The GDPR's first five years saw increased efforts to train in-house staff on privacy compliance. However, the number of training sessions has decreased over the years, and both existing staff and new hires often lack basic training on privacy compliance. Where training does take place, it often remains a theoretical and rather academic exercise that has not yet brought about the cultural shift the GDPR requires for effective compliance by staff. Training content is generally not tailored to the specific business, and training is not followed up with an internal compliance exercise to measure how far the rules have actually been integrated into daily practice.
  • Data Protection Impact Assessments (“DPIA”): A DPIA (Article 35 GDPR) is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals (for example large-scale profiling, processing of sensitive data or monitoring of publicly accessible areas). However, organisations are often unaware of their regulatory obligations relating to DPIAs. DPIAs are mostly seen as “paperwork” to get through before moving forward with business needs, and there is a tendency to hide or minimise the inherent risks.
  • Vendor Management: The GDPR requires data controllers to put in place a framework with their vendors (processors) for the handling of personal data, including the contractual arrangements required by Article 28. Both vendors and data controllers are generally unaware of what exactly needs to be checked in practice and which contractual arrangements must be made. This causes significant compliance risk and increased exposure in the event of a data breach. In addition, lifecycle control over vendors' privacy compliance is often forgotten or ignored once the procurement stage is over.

All of the matters above have been subject to increased attention from EU authorities, and several high fines have been issued in each of these areas. Organisations are therefore advised to take a step back and embark on a new journey towards effective and holistic privacy compliance. A Cisco survey cited by the Harvard Business Review found that 90% of consumers believe that the way their data is treated reflects how they are treated as customers[3]; seeing privacy as a business branding opportunity can therefore help shape the mindset of companies dealing with personal data.

Given that privacy compliance has evolved into this more profound and robust phase, half-way compliance remains a big risk for today's organisations subject to the GDPR. For most organisations, more sophisticated privacy management structures and programmes, permanently revised and with the involvement of senior management, are required.

Thanks to its vast experience with privacy compliance postures and programmes since the GDPR's enactment, Deloitte can help organisations mitigate the risks arising from privacy compliance by carrying out thorough and detailed privacy audits, providing recurring and tailor-made privacy training, and professionalising DPO and privacy offices supported by privacy management tools and DPO-as-a-service frameworks. Deloitte has recently been appointed an official partner of Europrivacy[4], the first GDPR certification scheme recognised by the EU regulator (the European Data Protection Board, EDPB). This allows us to professionally advise and guide clients towards Europrivacy certification, a quality label that signals to both companies and consumers that personal data is handled in a sound and trustworthy manner.

[1] Statista, “Change in the awareness level of GDPR in Europe 2022” (GDPR awareness among users in selected European countries, 2018 and 2022).
[2] In Belgium, the number of complaints received by the Belgian Data Protection Authority increased from 685 in 2020 to 1,928 in 2021.
[3] “Do You Care About Privacy as Much as Your Customers Do?”, Harvard Business Review, https://hbr.org/2020/01/do-you-care-about-privacy-as-much-as-your-customers-do
[4] https://www.europrivacy.org/
