Location, Organizational Culture Make an Impact When Addressing Privacy Regulations

Author: Ira Goel, CISM, ISO 27001 LI, ISO 27701 LI, Founder, Gira.Group
Date Published: 31 March 2020

25 May 2018 came and went. So did 1 January 2020. And businesses around the world didn’t stop (although the current COVID-19 pandemic has certainly presented new challenges). What GDPR did was push organizations across the world to think more, think large and hold themselves accountable. That might seem like old news. So why am I writing this article?

Like many of my friends in the industry, I have moved around within an organization, joined a new organization and even relocated to a completely new country. This has made me think that people and organizations, whether in the US, Europe or elsewhere, face some similar challenges and some different ones when dealing with privacy regulations.

For the sake of this article, I will refer to GDPR, which has gone a long way toward changing how data privacy is viewed and implemented throughout much of the world.

When this regulation came into effect, I was in the US. Some organizations were in denial and said “This regulation does not apply to us!” Some were gung-ho and pushed hard to implement changes to ensure their businesses were not pulled into a data breach or scrutinized by regulators. These organizations pored over the regulation and tailored their privacy policies to address all aspects of it. They automated data subject requests with consideration of “what is required for business and what can be deleted/ported/shared with the data subject.”

Then there are smaller organizations – service organizations catering to the big ones (processors). Many of these are still in denial or doing the bare minimum to address these needs, including manual processing. Some of them have to revisit their business strategy.

GDPR has brought about a lot of change well beyond Europe, including in the US, where the California Consumer Privacy Act (CCPA) went into effect this January. Having lived in both North America and Europe, I see some key differences between the continents in how they are adapting to this new focus on privacy. One is cultural, particularly the capitalist mindset in the US. Many users do not necessarily care as deeply about their data and how it is used. Europe perceives American businesses as more lax when it comes to personal data handling. On the other hand, there are member states within the European Union that: 1. have privacy at the top of their mind; 2. don’t have quite the same anxiety as the US with regard to losing business; and 3. definitely do not have to be as concerned about adequacy as organizations in the Americas.

So, what unique challenges do organizations face in Europe? At a conference I attended a couple of years ago, a speaker from Germany mentioned challenges more basic than complying with the regulation itself, such as hiring the right staff, ensuring the necessary linguistic skills (a German DPO working with a US company must be able to speak English, for example), etc.

Recently, I moved to the UK, which now gives me first-hand experience with the challenges that organizations here face. Organizations are still working in traditional technological environments and often require a big influx of funds to overhaul them. The current environment requires teams and people to collaborate and share experiences to reduce cost. However, organizations to a large extent still have siloed communications and technological implementations.

Experience within the workforce is another challenge. Whether in the Americas or the UK, a shortage of experienced professionals who can support organizations’ compliance regimes is becoming the biggest challenge. For the past several years in the US, universities have offered courses and degrees to help fill the gap. However, this does not adequately replace the seasoned professionals who will be retiring, and the skills gap continues to widen.

Regardless of location, many organizations are well behind in implementing regulatory or legislative compliance, and there is insufficient focus on ongoing data governance challenges. Ongoing governance forces organizations to revisit the solutions they have implemented and improve them as needed to make them more efficient and cost-effective.