Data Protection Regulations: Mess or success?
Data Privacy Lead
Group security in North America
Posted on: 28 January 2020
For International Data Protection Day, we put three questions to Deborah and Janine, our data protection experts in the UK and the US, about their experience since the General Data Protection Regulations (GDPR) and the California Consumer Privacy Act (CCPA) came into force in May 2019 and January 2020 respectively. The critical challenge is to set the right balance to "enjoy digital services as well as being the master of your own privacy", as Michael Mingers stated in his last blog. Here are their answers!
Deborah, it's been about 600 days since GDPR came into force - so, mess or success?
Deborah Dillon: GDPR was supposed to mark a major milestone in helping EU citizens regain control over their digital lives, by enhancing their privacy rights in order to exert control over what companies around the world do with their data. Yet, like any legislation dealing with technology, in the end, the legislation that was passed was so watered down and so strongly supportive of technology companies that it actually did far more to help “big tech” than it did to help the ordinary citizen. One example of this is Facebook. As Facebook has reminded us again and again and again over the past two years, even the strictest and most rigorously worded sections of GDPR have been liberally interpreted by the companies they impact. Facebook, for example, took two months to notify customers after one breach, claiming it was still in compliance with GDPR’s 72-hour notification rule because the company believes it has the right to determine when the 72-hour clock begins. As case law is gathered at a legal level, privacy professionals are watching and waiting to see what happens next in terms of the big tech giants.
Janine, the California Consumer Privacy Act is really new, but what would you say: a mess or success?
Janine Skinner: I would say it is a bit of a mess right now. The law went into effect on January 1st 2020; the major problem is that there are many parts that are still not completed, and we are waiting to know what we need to do to be compliant with the law or get further explanations on sections and definitions. Currently we are waiting for the Attorney General of California to explain the open items, which could happen anytime between now and July 1st 2020. That being said, the parts of the law that are outlined and defined have been completed and Atos is in compliance.
Back in 2019, what was data privacy's hottest issue in your market?
Janine Skinner: Preparing for the California Consumer Privacy Act and monitoring the status of other states implementing their own Privacy Laws. Thankfully, since Atos decided that our Global Policy would be to implement GDPR protections and standards to all countries and accounts, we were better prepared to meet the new challenge.
Deborah Dillon: Yes, GDPR was definitely the hottest topic! The most pressing subject in the UK has been what to do with non-GDPR-compliant legacy data. Phase 1 of previous GDPR compliance had been implemented by organizations prior to the implementation of GDPR; this included a review of personal data flows, the introduction of new policies and procedures, the introduction of data privacy by design and the data privacy impact assessments. Any organization with a good data privacy officer then turned to Phase 2 of GDPR to look at unstructured data and what size of privacy risk this brought their company. As organizations look to begin their digital transformation, they must now address the risks posed by legacy unstructured personal data. They must risk assess it and decide whether to anonymize it, mask it or delete it. This decision must be documented and signed off at a senior level. The decision to delete is not without its own business risks.
In 2020, what do you think will be the main forces shaping the data privacy landscape in your market?
Janine Skinner: Currently, in the USA the number one concern is that each state is looking to enact their own Privacy Laws, which means we could have 50 potential laws to comply with, which will be no easy task. Congress is currently looking into a Federal law to help limit it to one law for all 50 states with minor differences determined by each state. In November of 2019 both Democrats and Republicans submitted a possible framework/outline for a Federal Data Privacy law. There currently is no timeline for when we would see a Federal Law passed and implemented. Meanwhile, the Data Protection Officer and Legal teams will continue to monitor each State and the Federal law and act accordingly to meet the new standards.
Deborah Dillon: Recent years have been transformational for privacy. In the wake of GDPR, governments around the country, and around the world, are enacting privacy laws and regulations. Moreover, the movement will be continuing to go global. To date, more than 80 countries have adopted GDPR-like privacy laws, making it increasingly apparent that it will define the political, professional and social landscape for years to come, and it’s something that will define the debate in 2020. The result is a delicate balance for law enforcement officials, IT leaders, and businesses as they strive to protect sensitive information – a difficult task that seems to become more challenging by the day – without violating the privacy rights of their employees through things like monitoring programs or endpoint data loss prevention protocols. Exciting times ahead for privacy professionals!