The effects of the European Union’s General Data Protection Regulation (GDPR) swept across the globe last year as the enforcement deadline came and went in May 2018. But GDPR is really just the beginning — there are plenty of other wide-reaching data privacy regulations in the works, including in the U.S., so companies will need to be ready.
As a part of our just-released white paper on how data teams can work compliantly on data projects despite regulations (get a free copy here), we talked to Rémi Dusaud, Director of Data Privacy at PwC, about what the landscape is like now and what’s to come.
Lynn Heidmann (LH): In the beginning of the year, everyone made a big push to be GDPR compliant. Now that the enforcement deadline is passed, do you think that businesses are still giving GDPR the attention it needs (ensuring that they actually stay compliant moving forward)?
Rémi Dusaud (RD): GDPR has led to massive attention from the most exposed actors (e.g., healthcare, telco, retail, banking, and insurance). Almost all of the organizations that have named a data privacy officer (DPO), decided on a centralized approach, and put data privacy governance in place are walking on a “continuous improvement” path. Data privacy is hence becoming a natural part of day-to-day business life for them.
On the other hand, many actors did not launch any initiatives due to a lack of budget or because their business (B2B) or size (intermediate to small) guarantees them a low exposure to the regulation and the authorities. Therefore, we see that the wave of GDPR is still rolling.
Remaining compliant over the long term is (or will be) the biggest challenge encountered by all companies. To cope with it, Internal Audit and Control will be very helpful to the DPO. But it must be concluded that although some Internal Audit and Control departments have been involved in controlling the progress of the GDPR action plans, very few internal audit plans already integrate GDPR as a key component for 2019.
LH: Has GDPR changed the way that people throughout the company think about data privacy? If yes, how so?
RD: A huge part of the companies we are working for or we are in contact with have worked very seriously on data privacy matters. Every time, sponsorship has come from the top management level, and once budget and resources have been allocated, they expect demonstrable results.
Despite a satisfying learning curve in the first months, the main and recurring difficulties are:
- Finding the relevant channels to the DPO in the organization (particularly if the organization is complex and worldwide).
- Determining which Data Privacy Impact Assessment methodology should be used (including the depth of the analysis and time to be allotted).
For smaller companies, the most common challenge is to be able to involve more than a few actors while keeping the number of demands on them to a minimum. On the other hand for larger companies, piloting the overall project, measuring progress, and integrating the practices are often the most obvious traps.
As soon as work on GDPR begins, change management topics come up. From the kick-off meeting to participating in the workshops, key stakeholders become quickly — and keenly — aware of the challenges that GDPR presents both for their company and for themselves. That definitely changes their view about the risks and what needs to be done in order to mitigate them.
For large companies, integrating new data privacy processes into everyday work can be a challenge.
LH: How are companies approaching the ongoing "privacy by design" stipulation of GDPR?
RD: Most of the time, companies use a project chart, which consists of a list of 10 to 15 questions. These questions are aimed at defining the main characteristics of the project and might include things like:
- Use of personal data?
- Sensitivity?
- Volume?
- Third parties?
- Data transfers?
The answers to these questions dictate whether this particular project requires the involvement of the DPO, and at which level.
LH: What's next in the way of wide-sweeping data regulations? Is GDPR the be-all and end-all, or do you think there is something bigger that will come?
RD: Nobody has a crystal ball that would allow to anticipate the future. But it’s true that GDPR appears to be something like a tidal wave. Even pre-GDPR, several countries in Europe (e.g., Germany, Spain) had already taken some initiative regarding personal data protection.
Moreover, some other regulations around the world reflect the global awareness of the need to protect data privacy (probably the most famous is the “privacy shield” in the U.S.). This signifies a huge amount of work for thousands of organizations around the world that will have to adapt and transform themselves. This cannot be done without investments (sometimes very significant).
Some small adjustments and adaptations will come for sure as well (e.g., “ePrivacy” in France), in order to round out GDPR or to make it more understandable and adaptable in every context and culture. And this is a big challenge, as some requirements are not that clear.
To finish with an open thought: can we imagine one day bringing worldwide data privacy regulations together as a homogenous protection for everyone?
