When the E.U. General Data Protection Regulation (GDPR) came into force two and a half years ago, it completely changed the way we look at data privacy.
Many hailed GDPR as the gold standard for privacy regulation, especially in the way it fines infringements: up to 2% of global annual turnover or EUR 10 million, whichever is higher, for less serious infringements, and up to 4% or EUR 20 million for the most serious ones.
Yet these privacy challenges are only the beginning. It is only going to get harder, says Carolyn Bigg, a partner at DLA Piper.
Citing the report “DLA Piper GDPR fines and data breach survey: January 2021,” Bigg notes that E.U. regulators are scrutinizing more closely. “We are beginning to see in Europe regulators imposing significant fines — the level that would absolutely get the Board’s attention.”
For chief digital officers and chief data officers, this has significant implications for how easily they can share data. Bigg argues that data sharing across the world became more difficult in the last 12 months because of GDPR and other privacy regulations, even as the pandemic made data sharing a priority for digital transformation.
Sharing data liability
Bigg notes that, given the way the regulation was written, any business that handles personal data from the E.U. will face scrutiny. Since the regulation was introduced, law firms and consultants have argued that companies that touch E.U. personal data — especially airlines and hotels handling E.U. passport details, or e-commerce firms handling E.U. credit card information — need to be aware of this.
That holds even if the company in question is a conglomerate sharing data across its own businesses, says Bigg. “It’s tied back to the entity that controls that data. So, whether it’s a Group or one within a conglomerate.”
This is critical for CDOs who are driving digital transformation projects. “There maybe was an expectation in the past that data could very freely flow up and down companies and throughout different groups of companies. But that’s not the case,” Bigg explains.
GDPR is not stopping data flows. Data just cannot flow “just on a wholesale free flow scale,” she adds.
Transparency with strong governance helps. “Individuals need to know what’s happening to their data and what you’re going to do with it. So, it’s not to say it can’t be done, but it has to be done properly,” Bigg says.
COVID-19 contact tracing apps are a special case. Bigg notes that data protection laws have specific provisions for data collection during national emergencies and for public health, although the relevant laws can differ significantly between countries.
“Data protection laws do apply to these sorts of data, but it’s a special situation. So, there are special laws in some places around it,” Bigg adds.
GDPR’s impact on Asia Pacific businesses is not a new topic. Compliance teams understand this well and often advise CDO teams that handle first-party data that includes personal identifiers or information.
Yet, companies still make mistakes and run afoul of regulators.
A major misconception is that GDPR applies to all of a company’s data, when it may not. The reason lies in how GDPR codifies a distinctly European concept of privacy.
That concept includes the fundamental human right to privacy and a right to a private family life. “And so there’s a cultural way that GDPR has grown up. But that’s not the culture in the Asia Pacific. And it’s not the culture in America,” says Bigg.
She explains that, for example, privacy laws in the U.S. are built on concerns around digital data, particularly on social media platforms. “And so, the way that the rules are applied and drafted or enforced is very much focused on adtech, what’s happening with cookies, and what’s being done behind the scenes of online platforms.”
In the Asia Pacific, the right to a private family life is not as strong a concept, given the prominence of large families and individuals’ desire for a sense of community.
“So, [Asia Pacific consumers] are much more open and willing for data to be seen as part of the cost of a service, understanding that you may share some data, but for that, you will get a truly personalized service,” says Bigg.
This makes the application of GDPR somewhat alien to Asian business leaders. So they either ignore it or take the opposite route and apply it to all their data.
Governance is still crucial
The anxiety over GDPR highlights another problem: the lack of proper data governance controls.
To be fair, many companies grew their data silos organically. Only when the company is large enough, and the liability too large to ignore, do many implement a data governance framework.
Bigg argues that it should be the other way around. “And I also think that the starting point of a really good and effective data governance program will be answering the question on what data do you have.”
She notes that this is a complex question for many companies where data is not labeled correctly or managed from the onset of its creation. But knowing your data is crucial to understand what laws apply to you.
“And using that [information], you can put some structure for data governance,” says Bigg.
She adds that the data audit should not look only for personal data. “It needs to go beyond that.” It should map data flows: where the data goes, and how and when it crosses borders.
This matters as companies look to automate and digitalize their business processes, including through IoT adoption, to drive speed and efficiency.
Bigg also suggests companies engage the chief privacy officers and data governance teams upfront. “That’s how you’re going to get success because the IT people maybe don’t understand the nuances of what the law allows you to do, what’s more challenging to do, and what the risks are.”
AI poses more questions
The DLA Piper report notes that regulators had imposed EUR 114 million in fines in the first 20 months after GDPR came into force. Over the last 12 months, the total rose by a further 39%. Clearly, regulators are scrutinizing more closely.
However, GDPR is by no means without open legal questions. There are many.
One that the report notes is whether fines should be “assessed against the consolidated global revenue of the organization being fined, or just against the revenue of the specific legal entity responsible for the infringement.”
For CDOs, another issue that many are grappling with is AI. “What’s happening is that it’s not just the data you input, but the additional data that’s being generated,” explains Bigg.
This means that a model’s outputs, such as profiles, scores or predictions about individuals, can themselves be personal data. CDOs need to know what they are doing when building machine learning models, and ensure that whatever data those models generate still follows the same data governance principles as the data that went in.
Bigg notes that data privacy is an evolving field. Even with GDPR and other privacy regulations, companies still need to navigate potential issues and challenges. But without a proper data governance framework, they are merely walking into the legal minefield blindfolded.
Winston Thomas is the editor-in-chief of CDOTrends and HR&DigitalTrends. He is always curious about all things digital, including new digital business models, the widening impact of AI/ML, unproven singularity theories, proven data science success stories, lurking cybersecurity dangers, and reimagining the digital experience. You can reach him at [email protected].
Image credit: iStockphoto/diego_cervo