Posted on: 30/07/2019
GDPR: INTERNATIONAL IMPACT
Privacy frameworks are continuously developing, and companies around the world face the challenge of moving from local compliance to implementing an operational privacy framework, globally. The GDPR is now viewed as best practice by many countries outside of the EU seeking to create new privacy laws – but how much of the regulation do they implement and what other global regulations do companies need to watch out for as data becomes core to the world’s infrastructure and economy?
The focus for organisations handling data to date has been on providing consumers the ability to give meaningful consent and later revoke that consent, and on transparency in how information is used. These are viewed as fundamental human rights under GDPR and its implementation has centered on the enforcement of these rights.
GDPR provides a major step towards an operational privacy framework, but global privacy accountability will remain a challenge, and ever-evolving regulations, technologies and innovation will continue to increase its complexity.
As a vendor that provides a set of tools that organisations can build into their data management processes to support GDPR compliance, we are trusted by leading organisations across financial, contact centre, government and public safety sectors (including six of the world’s top banks, 85% of global interdealer brokers, 1,700 call centres and over 70% of UK police forces) to capture and secure millions of calls daily for over 3,000 customers around the world.
In recent years, a range of regulatory requirements have been a priority for our customers, and we will continue to develop tools to make call recording compliance as easy as possible. In this series we look at the adoption of GDPR around the globe, how EU member countries have been impacted and how the uptake of GDPR has impacted Asia Pacific and the Americas in particular.
GDPR IN THE EU
Over a year has passed since arguably the biggest change to the regulatory landscape of data privacy – GDPR, bringing with it the extended jurisdiction of data privacy law, applying to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
Local applicability of the previous directive (EC Directive 95/46/EC) was unclear and referred to data processing ‘in the context of an establishment’. GDPR, however, makes its applicability very clear – applying to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. [i]
So how have EU states implemented the law and how has the rest of the globe responded?
In addition to updating the European Union’s data protection rules for the digital age, GDPR established the European Data Protection Board (EDPB) to ensure consistent application of the new rules across the EEA.
To do this, the board not only issues guidelines on the interpretation of core concepts of the GDPR but it is also called to rule on disputes regarding cross-border processing activities, ensuring a uniform application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions.[ii]
So far, the feedback the EDPB have received from stakeholders on the first year of work has been reported as encouraging[iii]. Many people and companies are now calling for increased global alignment on the processing of personal data and an overall increase in cyber security.
The EDPB believe that by coordinating a consistent approach to data protection, the EU is demonstrating that respect for individuals’ rights to privacy and data protection can go together with a thriving economy, not least because it provides companies with a clear framework and creates competitive advantages, such as improved customer trust, loyalty and experience as well as more efficient operations.
At the beginning of 2019, the EDPB adopted working programmes for 2019-2020 aiming to address priority needs of all stakeholders, including EU legislators. Having already issued guidance on the interpretation of new provisions introduced by the GDPR, the EDPB will now be turning its attention to specific items and technologies.
The board have recently reported 281,088 cases logged by the various supervisory authorities in the first year of the GDPR’s application. Of these, 144,376 related to consumer complaints and 89,271 related to data breach notifications by data controllers. The Netherlands, Germany, and the United Kingdom have reported the largest number of breaches, whereas Liechtenstein, Iceland, and Cyprus have reported the lowest.
Most EU countries have now issued fines under the GDPR (some still have not, such as Belgium, Ireland, Czech Republic, Denmark, Finland, Italy, Slovakia, Slovenia, Spain, and Sweden).
For the most part these have come with relatively modest penalties: leaving aside the more recent, significant cases brought by the UK’s Information Commissioner’s Office (ICO), which doled out £238m-worth of fines to British Airways and hotel group Marriott International at the beginning of July, up until this February the average fine levied was around €66,000 (US $74,000).[iv]
Prior to a couple of weeks ago, the UK hadn’t issued any fines; now it’s in prime position with a penalty count over four times higher than the rest of Europe. A lot depends on the approach of each individual supervisory authority – many have preferred to educate and cooperate, rather than punish, using the GDPR’s first year as a grace period to promote compliance (Belgium, Cyprus, and Latvia, for example).
Conversely, however, it has also recently been reported that despite the work of the regulators, nearly a third of European firms are still not GDPR compliant, according to accounting firm RSM, who have stated that medium-sized businesses were “struggling to understand and implement” the regulation.[v]
With new pressure from the regulators on enforcement in the first 6 months of 2019, resulting in some hefty fines from the ICO, there is a push once more from businesses across Europe to catch up and ensure GDPR compliance before it’s too late.
Controlling, processing and maintaining records of recorded communications data is a key consideration for complying with GDPR. Red Box gives you a set of tools to build into your data management processes, in support of your global compliance obligations. Get in touch to find out how we can support your organisation, or find out more about how we support GDPR compliance here.