The landmark data privacy regulation, the GDPR, was introduced five years ago. It revolutionised the regulation of data privacy by providing a common standard of data protection law across Member States. Since its inception, it has driven significant global improvements: it has not only pushed conversations about data privacy to the forefront of big organisations, but has also ensured that citizens are more aware of their rights. Notably, the GDPR has created an adequate framework to penalise those who fail to follow data privacy requirements. Even with these ramifications, five years on, organisations fail to understand the fundamental principles of compliance, and so it can be questioned how effectively the GDPR has been applied in practice.
Despite the GDPR being heralded as landmark, organisations continue to struggle with compliance. Thus, although the regulation was useful in providing this delineation of restrictions, without compliance from companies, its effectiveness can be seen as scant.
Lex Dinamica’s 2021 Benchmark Report offers unique insights into various organisations’ data governance capabilities. Importantly, we have assessed the ways in which organisations have managed to adapt to the GDPR and the specific areas in which organisations have the most difficulty. Across our assessment, we found that 78% of organisations still find it difficult to comply with the GDPR.
Our benchmark identified two main reasons for this. Firstly, organisations find the GDPR to be ambiguous. Secondly, and related to the issue of ambiguity, organisations find it challenging to meet the GDPR’s requirements because they do not know exactly what those requirements comprise. Both reasons have led to a disparity between the compliance organisations perceive themselves to have achieved and the compliance delineated and specified by the GDPR, which has huge ramifications for data privacy.
How Ambiguous are the GDPR Provisions?
Our results found that 64% of the organisations surveyed considered the GDPR to be ambiguous in theory. This means that, upon reading the text of the GDPR, organisations did not find the provisions clear enough prior to actual implementation. Furthermore, a hefty 92% of organisations found the GDPR to be ambiguous in practice. This means that defining the practical scope of the provisions for the organisation’s particular structure and business was vague.
Compliance with the GDPR is an important aim, as the unregulated collection of personal data from consumers puts an individual’s privacy rights and freedoms at risk. However, the ambiguous nature of the GDPR risks overshadowing its significant and benign aim, because organisations will end up not complying with provisions whose demands they feel they do not understand. Ambiguity across the text creates unclear expectations of how the theory should be put into practice. Importantly, for organisations, this means that they either assume they have met the bare minimum standard or conclude that dealing with the data protection authority would be the easier option. Whilst the data protection office may apply penalties to ensure compliance, a better system would promote compliance with the GDPR at the outset through a clear delineation of its provisions, so as to avoid resorting to punitive measures. This would further facilitate a more dynamic and open relationship between organisations and the data protection office.
How Easy is it to Meet the GDPR Provisions?
A second reason the GDPR does not enjoy full compliance by all organisations five years on is that organisations find it challenging to meet the requirements of its provisions. Across our Benchmark, we assessed how easy or difficult organisations found it to comply with specific provisions of the GDPR. For instance, a mere 14% of the organisations we surveyed said they found it easy to ensure that consent is explicit, informed, and auditable. With respect to understanding when a data breach is occurring and how to tackle it, a hefty 70% of organisations stated they found this difficult. More generally, 75% of organisations said it was difficult to record privacy and data governance decisions.
Importantly, across this study it was clear that organisations failed to understand that the drafters of the GDPR did not envision leaving them without adequate support in addressing its provisions. Under Article 37, the appointment of a data protection officer is mandated for all companies that collect or process EU citizens’ personal data. Through this role, data protection officers can lessen the disparity between perceived and actual compliance, because they educate the company and its employees about compliance. However, as much as the GDPR addresses this issue, if organisations do not take the primary step of trying to understand the provisions outlined, then they are unlikely to be cognisant of the measures available to help companies become compliant.
Perceived Compliance v Actual Compliance
Both the ambiguity in the GDPR provisions as well as the challenges organisations face in implementing its provisions have led to a disparity in how organisations perceive their own compliance versus the standard of actual compliance outlined. Many organisations perceive themselves as being up to the bare minimum standard of GDPR compliance already.
Our benchmark report evidences this further by assessing how many organisations are in fact compliant with the GDPR. It found that only 10% of the organisations surveyed who perceived themselves as 75-100% compliant with the GDPR were in fact compliant. The misconception stems from the fact that organisations have not sought to interpret the provisions of the GDPR to ensure they are practically meeting its requirements.
This issue highlights an even bigger problem where the disparity between an organisation’s perceived and actual compliance creates a huge risk for the system the GDPR stands for and upholds. The GDPR introduced a comprehensive data privacy regulation including a multitude of articles as well as recitals to provide a more contextual basis and understanding of why such provisions must be implemented. It is therefore worrying that five years on in the implementation of the GDPR, organisations are failing to interpret or read the provisions in depth.
Five years on, it would have been expected that at least the majority of organisations would by now comply with the GDPR; however, it is clear from our study and others that organisations are still struggling to comply with its provisions. Data privacy merits serious discussion within organisations that choose to process personal and perhaps sensitive data, as it places the fundamental rights of individuals at odds with the organisational interests served by this sort of data processing. The focus of the GDPR is on data privacy rights; however, the fact that organisations seem to be deterred only by the threat of fines or sanctions from investigatory officers shows that acknowledgment of the fundamental importance of data privacy has yet to fully come to fruition. This is an issue to which close attention will need to be paid in the future.