A year into GDPR enforcement, it's important to make note of lessons learned. Perhaps the most important takeaway from the first year of enforcement is that compliance is an ongoing, iterative process that requires regular evaluation. Companies that have escaped scrutiny thus far should continue to evaluate their compliance efforts and update their processes and policies as enforcement actions offer clarity on interpretation of the law. Higher-profile probes will likely provide clarity on what is considered "reasonable" under GDPR, which currently remains a gray area.
"We've seen limited enforcement action and even less regulatory guidance, meaning that companies are still having to try and find their way through compliance without direction." - Miriam Everett, Herbert Smith Freehills LLP
While enforcement actions have been milder than most businesses anticipated thus far, data protection authorities have indicated that the tide is changing and fines are coming. As data protection authorities continue to parse through the 94,000+ complaints and scale up operations, we can expect a greater level of enforcement activity, and potentially "mega-fines" - up to 4% of annual turnover.
Ireland's data protection regulator recently confirmed that it is close to wrapping up high-profile GDPR probes... and plans to start issuing the first fines this summer. - Law360
As anticipated, GDPR sparked a data privacy movement across the globe. New data privacy and cybersecurity regulations are being drafted and passed both domestically and internationally. Companies made significant investments in initial GDPR compliance, but ongoing compliance is essential, not only with GDPR but also with the wave of emerging domestic and international privacy laws. The California Consumer Privacy Act, a landmark privacy law for the US, is set to go into effect in January 2020 and will again change the landscape for companies subject to its requirements.
"Companies need to take what they did in May 2018 and use the one-year anniversary to trigger an update to GDPR 2.0, while also getting ready for the California privacy act and the many other privacy laws developing all around the world." - William Long, Sidley Austin
As the exclusive ACC Alliance Partner for Data Privacy & Cybersecurity Compliance, Jordan Lawrence can help. Schedule a call to learn how we've been helping companies achieve sustainable compliance with data privacy and cybersecurity regulations like GDPR, CCPA, and more.