Privacy Challenges – Part 2: Changing regulation

Sep 13, 2016

We have made a promise to help our clients understand their privacy challenges and to enable them to tackle those challenges in a way that meets both their business and regulatory requirements. Some time ago, one of our clients posed a central question: “What are the key privacy challenges that organizations currently face, in your opinion?” So, we decided to create a series of blog posts describing five key privacy challenges that touch organizations regardless of their industry.

The challenges, as we have named them, are:
1. Data is the new oil
2. Changing regulation
3. Lack of tools and best practices
4. Lack of professionals
5. Implementing privacy throughout the organization

Changing regulation

One of the most discussed topics in data protection has been the reform of the EU data protection rules. Effective since May 2016 with a two-year transition period, the European Union General Data Protection Regulation (GDPR) aims to enable the realization of a Digital Single Market by reducing obstacles to cross-border trade, cutting administrative costs and giving citizens improved control over their personal data. While these benefits are yet to be realized, the GDPR also sets new requirements for many organizations.

One of the most prominent changes in the new regulation is the adoption of a risk-based approach that encourages organizations to analyse their operations, adopt protective measures, specify and quantify risks, and define actions to control those risks. Organizations will have to assess the level of risk of their data processing activities and implement proactive measures accordingly. In practice, this can include, for example, conducting a Privacy Impact Assessment of a new mobile application and defining procedures to protect user privacy.

Another change brought by the GDPR is the shift of the burden of monitoring from authorities to controllers. Whereas previously authorities in the EU were in charge of monitoring organizations, now organizations themselves carry the responsibility to demonstrate that their operations comply with the regulation. Specific guidelines on how organizations should fulfil this obligation are yet to be established. A sure way to start is training personnel and confirming that adequate documentation concerning data processing, from internal guides to external privacy notices, is in place.

While European Union member countries are heading towards a unified digital market and harmonized data protection regulation, the regulations and best practices concerning data flows outside the EU and EEA are in flux. In February 2016 the EU Commission and the United States agreed on a new framework for transatlantic data flows, ‘Privacy Shield’, to replace the previously applied Safe Harbor arrangement, which was declared invalid by the European Court of Justice in October 2015. Recent developments in the UK towards leaving the EU pose additional questions concerning the management of transborder data flows.

While the GDPR and the Privacy Shield provide guidelines that aim to improve and harmonize existing regulations, a lot of work remains to be done in interpreting and applying the legal framework in different industry and business contexts. Not surprisingly, organizations are calling for both common and industry-specific best practices and guidelines (Privaon’s Market study, 2016).

Although the legal perspective tends to dominate the discussion on data protection, the challenge is ultimately also a business challenge. Companies will continue collecting, analysing and processing personal data to fuel and improve their business. When this is done consistently and to a high standard, the effectiveness of the processing can be increased and its risks mitigated.