Top challenges firms face with GDPR compliance

It has been four years since the General Data Protection Regulation (GDPR) came into effect and forced organisations to rethink the way they manage personal data.

However, many organisations are still struggling to maintain regulatory compliance, as evidenced by the continuing stream of significant fines being levied, such as British Airways’ recent £20 million fine for a data breach in 2020. Here we explore the three key data privacy challenges firms continue to face four years on.

International transfers

The first of these challenges is the Schrems II judgement, which invalidated the Privacy Shield as a mechanism for transferring personal data from the EU/EEA to the US. We have seen many organisations struggle to interpret the new legal developments due to a lack of clear guidance on what the GDPR requires to guarantee a sufficient level of data protection. This has placed firms at considerable risk of sanctions under the GDPR and, consequently, of disruption to their international operations.

To address this, organisations should ensure they understand all the available transfer mechanisms, adapt their existing data policies, and assess each data transfer on a case-by-case basis to determine whether there is an adequate level of protection. Where necessary, they should implement additional safeguards for the transfer. The six-step roadmap and the essential guarantees for surveillance measures issued by the European Data Protection Board are good starting points here.

Technical challenges

Secondly, the increasing uptake of cloud services has resulted in a significant increase in the volume of personal data being collected and stored. This in turn means that firms have more data to secure and manage. At the same time, the GDPR requires firms to secure customer data, to be able to provide data subjects with access to their data, and to retain data only for as long as truly necessary.

This means that firms need to have a good understanding of all the personal data they hold. However, we often see firms unable to pin down where personal data lives in their cloud environment or how it is processed. This makes it very difficult to fulfil their obligations under the GDPR in respect of data subjects’ rights of access and deletion.

To overcome this, firms should look to specialised technology partners to implement retention effectively, to properly inventory and manage the data in their cloud environment, and to determine the applicable laws based on where that data is located.

Cookies and consent management

Finally, we have seen significant confusion among firms over what constitutes informed and compliant cookie consent. Cookies should be used only for the original purpose users consented to. In addition, the cookie consent request should give a clear and unambiguous explanation of why the website needs to store and use cookies.

A robust cookie compliance programme is therefore needed to avoid potential fines and to avoid compromising user trust. In our experience, such a compliance programme needs to, at a minimum:

  • always request active, informed, and unambiguous consent
  • remove pre-checked boxes set to ‘Consent’ or ‘Accept’ by default
  • remove ‘cookie walls’ that give a straight choice between accepting cookies or not accessing the site
  • ensure that any consent covers data processing for a specific purpose.

We believe this would solve the majority of the issues that firms are currently struggling with.

Conclusion

In conclusion, the challenges that we currently see firms facing with respect to the GDPR can be solved in relatively simple and straightforward ways, as outlined above. However, the fact that these issues still exist highlights that, as a whole, the GDPR is proving a multifaceted and complex challenge for firms, especially those that may not have fully grasped its consequences.

We expect the regulatory focus on these challenges to continue into 2023, notwithstanding the changes that will likely be made by the Data Protection and Digital Information Bill, leaving firms that do not address them in a timely fashion at risk of scrutiny and potential fines.