5 years ago, on May 25th 2018, the General Data Protection Regulation, one of the world’s key data protection laws, entered into force. Over the past years, both European and non-European organisations have dived into compliance programs in an effort to stay away from GDPR’s hefty fines, which can range up to 4% of an organisation’s global annual turnover. In the meantime, regulators have stepped up their staffing and expertise capacity. On the other hand, technological transformation enabled through more automated tools and outsourced (cloud) data storage has been steadily gaining businesses’ attention in an effort to reduce operational costs, sometimes to the detriment of privacy.
One thing is very clear now: GDPR & privacy compliance has more depth and angles than originally anticipated, going beyond the privacy compliance projects that were initiated shortly after the release of GDPR.
Privacy Compliance 1.0 vs Privacy Compliance 2.0
In the period preceding 25 May 2018, most organisations set up GDPR compliance/GDPR readiness task forces that were often supported by external experts. Certain interpretations of the GDPR were unclear at the time, so most compliance efforts focused on visible actions (such as appointing a DPO) and on obvious but often incomplete ones (such as starting company-wide records of processing activities and drafting privacy policies). However, 5 years later, the privacy domain has further matured: certain standard templates and models are widely available at no or low cost, plenty of guidelines from regulators exist, and it is now clearer what constitutes “best practices” (ISO 27001) in terms of privacy compliance.
Between 2018 and 2022, there has been a significant increase in the level of awareness around the GDPR among European individuals, with citizen awareness numbers doubling from the 20% range to the 50% range[1]. This has led to more complaints and, hence, more investigations by regulators. The number of GDPR-originated fines per year in the European Union has increased from 140 in 2019 to 478 in 2022, including all-time record fines. The number of privacy investigations per year in Belgium has increased from 70 in 2018 to 142 in 2021, alongside a significant rise in complaints to the regulator[2].
However, when it comes to real and effective implementation, privacy compliance remains a challenging and often fragmented job: professional staff in organisations often lack practical experience in embedding GDPR rules in the day-to-day business and data governance programs of their organisations; privacy-focused roles are often understaffed and distributed across departments without proper connection; and, more importantly, senior management is often insufficiently involved, or not involved at all, in discussions on privacy compliance.
Drawing on its experience in dealing with privacy compliance over the last 5 years (and beyond), Deloitte has identified “the most common pitfalls” and “focus points” for the next stage of privacy compliance:
Additionally, all the matters above have been subject to increased attention by the authorities in the EU, and several high fines have been issued for each of the areas highlighted above. Therefore, organisations are advised to take a step back and embark on a new journey towards “effective and holistic privacy compliance”. A survey by Cisco cited by the Harvard Business Review found that 90% of consumers believe that the way their data is treated reflects how they are treated as customers[3]; seeing privacy as a business branding opportunity can therefore help shape the mindsets of companies dealing with personal data.
Given that privacy has evolved into a more profound and robust phase, as outlined above, half-way compliance remains a big risk for today’s organisations that are subject to GDPR, and most organisations need sophistication and permanent revision of their privacy management structures and programs, with the involvement of senior management.
Deloitte, thanks to its vast experience in dealing with privacy compliance postures and programs since GDPR’s enactment, can help organisations mitigate the risks arising from privacy compliance by carrying out profound and detailed privacy audits, providing up-to-date and tailor-made privacy training, and professionalising DPO/privacy offices supported by privacy management tools and DPO-as-a-service frameworks. Recently, Deloitte has been appointed as an official partner of Europrivacy[4], the first quality label recognised by the EU regulator (EDPB), allowing us to professionally advise and guide clients towards Europrivacy certification, a quality label that assures both companies and consumers that personal data is being handled in a sound and trustworthy manner.
[1] General Data Protection Regulation (GDPR) awareness for users in selected European countries in 2018 and 2022, Change in the awareness level of GDPR in Europe 2022 | Statista
[2] In Belgium, the number of complaints received by the Belgian Data Protection Authority has increased from 685 in 2020 to 1928 in 2021.
[3] Do You Care About Privacy as Much as Your Customers Do?, HBR, https://hbr.org/2020/01/do-you-care-about-privacy-as-much-as-your-customers-do
[4] https://www.europrivacy.org/