GDPR one year later: Has it resulted in change?
It’s hard to believe that it is now over a year since the General Data Privacy Act (GDPR) came into force. Many may wonder what the fuss was all about, but for most of us involved in the day-to-day business of privacy and its practical implications for our businesses, I think we can say that the GDPR has brought change in how we do business. A year on, it is a time of reflection, to assess how well we have done, what we still need to do, and for Privacy Officers, to review and update policies, procedures, and documentation whilst also continuing the process of improvement. This is certainly the process we have been going through at FinancialForce.
The pace of change following the introduction of the GDPR varies for all businesses, but at FinancialForce I can say that things are done differently today than they were just over 12 months ago. Perhaps the biggest and most welcome change, from my perspective as Privacy Officer at FinancialForce, is that today—different from one year ago and a world away from just three years ago—my peers and colleagues are as involved in the business of privacy. It’s become a day-to-day part of running a business for everyone, not just the Privacy Officers or legal teams. I am proud to say that at FinancialForce we even have an active and engaged Privacy Council, with representatives from all departments, from R&D to HR and Marketing. I think we would all agree that the job is still ongoing, but the progress in just over a year is a sea change in itself.
On a reflective note, perhaps the more interesting aspect for many of us is how the GDPR has influenced and perhaps even inspired wider change in our attitudes and expectations of privacy and protection of our data. We see this not only in Europe but also in countries like India and Brazil, where laws have changed to strengthen privacy protections.
And where one leads, others tend to follow. The California Consumer Privacy Act (CCPA), due to take effect at the beginning of 2020, is strikingly similar to the GDPR in certain areas. But importantly, it is different from the GDPR—sisters rather than twins. For example, it focuses almost solely on the protection of an individual’s rights (‘data subject’ rights under the GDPR) which is arguably a good place to start. At FinancialForce, like many organizations, we have started to prepare for the introduction of the CCPA using a lot of our GDPR work to help us, e.g. our data mapping efforts, which I wrote about last year when GDPR first launched. And whilst the CCPA is certainly not perfect and needs clarification and refinement, it is an important shift, especially given its location in California, the world’s fifth largest economy and home of Silicon Valley.
There have been many critics of the GDPR, and it certainly has its flaws. But in this digital age, there is a lot to celebrate, not least the protection of our rights to choose and control how information about us is used. The debate about a US federal law is accelerating, many countries are introducing new privacy laws, and more change is coming. Undoubtedly, the GDPR has had a profound impact, which will continue to unfold for years to come.