2 Years after Implementation, GDPR Brings Data Privacy Stability

October 12, 2020

Two years after the implementation of the European Union's General Data Protection Regulation (GDPR), data privacy has become a standard concern of corporate leaders, particularly as they also rank cyber threats among their top risk concerns.

When it took effect in May 2018, the GDPR created a single source of data protection rules applying across Europe for anyone doing business in Europe or processing the data of European citizens. As such, the regulation applies not only to EU-based businesses but also to businesses in the United States and elsewhere that might be operating in the European Union or collecting data from EU citizens.

The regulation was intended to give EU citizens greater control over their data. It creates data breach requirements for businesses and can potentially bring significant financial penalties—as well as reputational issues—for organizations found in noncompliance. The result has been that companies around the world have been forced to take a hard look at their data privacy strategies.

Still, according to participants in a recent webinar titled "GDPR and Corporate Governance: Evaluation after 2 Years' Implementation," while many initially feared the new regulation might hamper business operations or cause financial losses, in fact, it appears to have brought some needed stability to data privacy efforts.

The webinar was sponsored by the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA).

"Two years after this application, it has only benefits for companies in general," said Jerome Avot, group risk officer and data protection officer of global automotive technology supplier Faurecia in France. "In our case, one of the big benefits that we had from this regulation is the fact that we finally did a fully comprehensive inventory of all our data processing."

The company needs to ensure that its data are secure and that the company's data collection activities are in compliance with the GDPR, Mr. Avot said. Now, when Faurecia creates a new product, the company puts a data retention policy in place from the beginning.

In addition, he said, the GDPR's financial penalties and reputational impact provided an incentive to speed data security projects. The regulation also changed the company's mindset on subcontractors, causing it to take much greater care in deciding which partners to do business with and to audit subcontractors on a regular basis.

Like many companies, Faurecia now has a full data breach response policy in place. "Now we also include in all aspects 'privacy by design,'" Mr. Avot said.

Finally, Faurecia has expanded employee training on data protection, contributing to the company's overall cyber security, Mr. Avot said.

Olivier Micol, head of the Data Protection Unit at the European Commission (EC), Directorate-General for Justice, noted that several years ago it could be difficult to get company directors' attention on the issue of data privacy. "Now, it's very rare that in our contact with businesses that the issue is not brought to the higher level," Mr. Micol said. "This is despite the fact that the rules have changed only moderately since '95 when we had the previous directive in place."

He speculated that the financial penalties imposed by the GDPR probably contributed to the "wake-up" of many corporate leaders; though, for many businesses already focused on privacy, GDPR compliance efforts represented a sort of continuity.

Two years into the GDPR, the EC doesn't think it's appropriate to amend it now, though it's heard arguments from both proponents of strengthening regulations and those calling to have them relaxed, Mr. Micol said. "We think that would be premature," he said. "Especially among businesses, what I think is needed is stability of the rules."

Among the key findings of an EC evaluation of the GDPR's first year was that many companies have used it as a way to distinguish themselves from competition in terms of their data protection and innovation, Mr. Micol said.

There's still work to be done in perfecting the application of the GDPR, the EC official said. Key among the remaining tasks is creating more uniformity in implementing and enforcing the regulation across EU member nations, whose data protection authorities, created by the regulation to apply it, operate independently.

The EC also needs greater human and technical resources in order to keep up with rapidly advancing technology, Mr. Micol said. And, the EC is working with countries in other regions of the world to better address issues surrounding international data transfer.

Ralf Herold, senior vice president, corporate audit, at German-based chemical company BASF, noted that there was actually more than one goal of GDPR. Protecting individuals' data is significant, he said, but the regulation's standardization also provides a clear message about the common market, freedom to do business, and flow of information across the common market.

Companies will adhere to laws and regulations, but they must be clear, he said, and companies must trust that the regulatory framework is reliable.

"GDPR is a journey," said Mr. Avot, and a company can't simply say it's achieved compliance and leave it at that. "It's really a spirit," he said. "We are moving in the right direction, and we fully understand the spirit of GDPR."

Companies need to ensure continuous compliance with GDPR, so that both new and existing data processing activities are constantly compliant and that any changes to those activities are compliant as well, Mr. Avot said.

It's also important to spot the weakest link in organizations' data security, including the security of data backups and subcontractors' data protection policies, he said.

Typhaine Beauperin, chief executive officer and secretary general of FERMA, and Pascale Vandenbussche, secretary general of the ECIIA, moderated the webinar.
