May 25th will mark the fifth anniversary of the EU’s General Data Protection Regulation, or GDPR, writes Steven Roberts, Group Head of Marketing at Griffith College.
The past five years have seen a marked increase in public awareness regarding data privacy and how companies use individuals’ personal data. According to law firm DLA Piper, EU regulators issued more than €1.6 billion in GDPR fines in 2022, with Ireland’s Data Protection Commission (DPC) accounting for over €1 billion of this total. In such an environment, it is not surprising to see Irish businesses continue to place a priority on data protection compliance. It is timely, therefore, to look at some of the trends which companies and their boards should prioritise during 2023.
More clarity on fines
Breaches of the GDPR can result in fines of up to 4% of global turnover. Whilst this figure made many headlines at the time and since, we have still not achieved an effective baseline upon which companies can reasonably assess their likely risk profile. The most eye-watering fines thus far have been targeted at multinational technology firms, whose use and processing of personal data sits at the core of their business models. The DPC’s €405 million fine of Meta was the largest in 2022, and the second highest in the EU to date. Penalties for other sectors have been much more modest by comparison. Boards and their executive teams should continue to monitor the trajectory of fines, both within their sector and nationally, as well as in any overseas markets in which they operate.
Data Protection by Design and Default
Data protection by design and default is a core principle within the GDPR. Any new project which utilises personal data must consider data protection concerns from the outset. In addition, the default settings should seek to maximise individuals’ privacy. A key way to achieve this is through a Data Protection Impact Assessment or DPIA. Whilst a DPIA is only a formal requirement under the GDPR in certain specific scenarios, it is best practice more generally, as it provides clarity on the scope of data processing, the risks arising from it, and the potential mitigating actions that can be put in place to offset those risks. Boards seeking to reduce their risk profile should ensure relevant staff are effectively trained in the use of DPIAs.
The GDPR has been the catalyst for many countries to introduce new or updated privacy legislation. In recent years, China, South Africa, Singapore and Brazil have overhauled their data protection regimes. In the USA, many states and local jurisdictions have introduced privacy laws; the California Consumer Privacy Act is the best known of these and mirrors many aspects of the GDPR. For companies operating or trading outside the EU, it is imperative that they manage this increasing complexity. Executive teams must ensure that their firm’s activities are compliant both with the GDPR and with any local privacy laws in the countries where they operate.
International Data Transfers
An area of significant change is international data transfers. The GDPR envisaged a range of mechanisms for such transfers, including certification, codes of conduct, binding corporate rules (BCRs), and standard contractual clauses (SCCs). In reality, most firms have increasingly relied on SCCs – a set of clauses that can be dropped into a contract with a processor or controller. The EU introduced a new set of clauses in mid-2021, with 27th December 2022 as the deadline for repapering existing contracts.
Companies transferring data to the USA have been hindered by the failure to replace the invalidated Privacy Shield. A new EU-US framework is currently under development; however, a clear date for its introduction is still some distance away. Irish companies trading with the UK, meanwhile, must hope that any potential legislative changes to Britain’s data laws (known as UK GDPR) are not of such a scale as to impact the current adequacy agreement between London and the EU. Businesses are advised to pay close attention to this aspect of data privacy throughout 2023.
Third Party Cookies
Third party cookies continue to play an important role in the global advertising ecosystem. They allow businesses to accurately target current and potential consumers, along with providing performance analytics. There is significant opposition to this technology, driven primarily by privacy concerns. Firefox and Safari have already blocked their use. The dominant player globally, Google Chrome, has stated similar intentions and currently advises a phase-out date some time during 2024. Executive teams and their marketing leaders must prioritise the development of alternative strategies; many companies are looking at ways to optimise their first party data structures, whilst also considering options such as retail media and contextual advertising.
The EU introduced GDPR with the ambition of creating a harmonised data protection environment across its 27 member states. Whilst this is still to be achieved, the Regulation has undoubtedly had a significant impact, both on company and consumer awareness and in its broader influence internationally. Data privacy is becoming increasingly complex as more countries seek to mirror the GDPR’s approach with their own local laws. Firms and their leaders must ensure data protection remains high on the corporate agenda, particularly in the areas of training, culture and processes, whilst boards should take time to make sure that relevant structures are in place to provide sound governance and risk mitigation.
About the writer: Steven Roberts is a member of Griffith College’s management board. He is a certified data protection officer, vice-chair of the Compliance Institute’s Data Protection and Information Security Working Group, and the author of ‘Data Protection for Marketers: A Practical Guide’, published by Orpen Press.