By Pragasen Morgan, Partner, EY.
With GDPR implementation deadlines now behind them, Data Protection Officers (DPOs) can rightly face the new year with some satisfaction. Although there is clearly work still to be done, few would disagree that much of the GDPR heavy lifting has now been completed.
But just when you think it's safe to go back in the water, new forms are taking shape in the regulatory ocean: the success of GDPR means legislators worldwide are following Europe's lead and taking action.
India and California are leading the pack by enacting or fast-tracking new data privacy regulation. Why is this so significant? Let's take a fictional but fairly typical DPO. Their employer is a global tech firm with shared services centres in India and a significant presence in Silicon Valley, USA. Having climbed the GDPR mountain, our fictional DPO now has two additional regulatory summits to scale, each with its own distinct challenges.
India moves quickly
With India aiming to play an increasingly important role in shaping the global digital landscape, the country's draft Personal Data Protection Bill 2018 may also act as a potential legislative template for other countries.
In simple terms, the Bill puts the onus on the data fiduciary (the equivalent of a data controller) to seek clear, informed, specific and free consent, with the possibility of withdrawal, for the use and processing of personal data. Other grounds for processing include reasonable purpose, functions of the State, prompt action, employment and compliance with law or a court order.
The good news is that about two-thirds of the Bill's requirements will be familiar to, and addressable by, any organisation that has a GDPR compliance programme. There are challenges, however. These centre mainly on the speed of introduction (GDPR took six years of consultation and development) and on ambiguities around technical guidance and enforcement. The temptation for our hard-pressed DPO may be to hold back until the rules and regime are clearer, but we believe that temptation must be resisted. Instead, a wise DPO will prepare a well-argued investment case for compliance programme support, one that takes a risk-based approach to the potential impact of the new regulation.
Another digital first for California
The California Consumer Privacy Act (CCPA) is highly significant, and not just because the state is the fifth largest economy in the world and the home of many technology titans. It is the first attempt by a US state or by the Federal government to enact a comprehensive data protection law following GDPR and therefore, with every chance that its model may be adopted more widely, has the potential to become just as significant.
The Act was signed into law in 2018 but will not come into effect until the beginning of 2020. It imposes substantial new obligations on businesses that collect, process and disclose the personal information of California residents. These obligations differ in several key areas from those under the GDPR. For example, a company will have to comply with the Act if it collects the personal information of California residents and if it, its parent company or a subsidiary exceeds certain thresholds on revenue, on the number of consumers whose data it handles, or on the share of revenue derived from selling personal information. To pick out two key points: firstly, the CCPA significantly expands the definition of personal information to cover almost any consumer-related data that a company collects or maintains; and secondly, it requires affirmative opt-in consent before the personal information of consumers under 16 can be sold, with parental consent required for those under 13.
Our fictional DPO, although not US-based, will be only too well aware how important the Act will be for their organisation's Californian operations. Innovation and agility are key at those buzzing Palo Alto offices, so it is imperative to make sure that any new compliance processes do not inhibit the organisation's ability to deliver the sort of personalised experiences that its customers expect.
In one respect our DPO will have a significant advantage, because nearly all of the CCPA's requirements will be familiar to a GDPR-hardened veteran. Also on the plus side, a highly developed tech sector (and one extremely valuable to the state authorities) should help both sides to be pragmatic. But although California's tech sector is mature, the enforcement regime will not be, making it hard to predict exactly how the state regulator will behave. It will also be interesting to see whether regulators can keep pace with, rather than stifle, the radical innovation that Silicon Valley is famous for. Again, a wise DPO will not wait until the 2020 deadline is closer to take action, but will ensure that the CCPA's requirements are already being factored into future audit, risk, legal and compliance plans.
How do DPOs feel about the oncoming challenges?
The prospect of new regulatory hurdles for already hard-pressed DPOs is challenging. Recruiting new ones isn't easy either, with EY estimates suggesting a shortage of 50,000 in Europe alone. Our conversation with one leading DPO revealed that finding a candidate with the right mix of legal, technical and operational skills is even tougher. Their on-the-ground experience of GDPR tells DPOs that, even when the regulations are clear on paper, there is always a period of trial and error, and of back and forth between regulator and operator, before practices are optimised. This suggests that, as India, California and others bring in new regulation, it will take time to operationalise it into business-as-usual mode and for practice to mature. More positively, having gone through the mill with GDPR, technology tools and platforms, whether proprietary or third party, may be better placed to do some of the heavy lifting associated with the new regulation.
If our fictional DPO was expecting an easier life in 2019, they may well be disappointed. But armed with their GDPR experience, they will at least be well placed to meet the challenge as data privacy regulation goes increasingly global.
To find out more about how EY can help, please contact:
Pragasen Morgan, Partner, Privacy Leader UK
Ian Williamson, UK Head of Digital Law