It's hard to believe it's already Data Privacy Day 2019. At this point last year, the data privacy world was in an all-consuming scramble to prepare for the GDPR. In some ways, we've come a long way since then - the GDPR is here, many companies have adjusted, and new laws and trends are beginning to edge into the spotlight.
But in other ways, much is still the same - organizations are still redesigning key privacy processes (thanks to the CCPA), we're still waiting on federal legislation in the U.S., and breaches and fines are still piling up.
A lot happened in 2018, and we could spend days reflecting on all the changes we saw. But on Data Privacy Day 2019, we'd like to take a few minutes to look ahead at what 2019 has in store for the world of data privacy.
2018 was the year of GDPR implementation and operationalization, and 2019 will be the year of GDPR enforcement. The European Union's (EU) groundbreaking General Data Protection Regulation transformed data privacy programs around the globe, including for companies in the U.S., and set a global standard for data protection (see Brazil and Japan's big changes). Compliance with the GDPR was no easy feat, requiring companies to roll out significant changes to how they collect, process, store, and share personal data. Just a few months after the GDPR's implementation deadline (May 2018), enforcement began.
In July, Germany's Data Protection Authorities (DPAs) began conducting audits to evaluate organizations' compliance with the GDPR's requirements. As DPA audits continued, organizations around the world held their breath, waiting for the first big penalty to drop. Last week, it did. France's CNIL issued a fine of 50 million euros to Google for "lack of transparency, inadequate information, and lack of valid consent regarding ads personalization." Notably, this was not the result of a data breach, but of a lack of alignment with the GDPR's core principles.
More enforcement actions are expected to arrive in rapid succession. But GDPR compliance isn't getting any simpler. In March, Brexit will happen, complicating data protection for those who chose the UK's ICO as their DPA. In addition, the EU-U.S. Privacy Shield, the framework for personal data transfer between U.S. organizations and the EU, is expected to undergo significant changes. The GDPR also allows EU Member States to take derogations from its requirements, and since the GDPR took effect in May, many states have chosen to take some exceptions to the law, making compliance even more complex.
While many organizations have cleared the first big hurdle of GDPR compliance - implementation - many more remain ahead, and the DPAs will be watching each of them closely. Preparing for 2019, the year of enforcement, requires an unfaltering focus on the changes, updates, and new requirements surrounding this important legislation.
Not long after the GDPR went into effect, California legislators issued the California Consumer Privacy Act of 2018 (CCPA), which closely mirrored many of the requirements found in the GDPR. The CCPA is the toughest privacy law ever issued in the U.S., and it is expected to impact more than 500,000 organizations across the country. Following its release, many other states issued updates to their security and privacy laws, leading many organizations to call for a single federal privacy law.
The CCPA will go into effect in January of 2020, leaving companies with less than a year to prepare. While some amendments and changes are expected to be issued over the next few months, now is the time to begin preparing for compliance. The good news is there are ways to streamline the changes you must make and, if your company has already aligned with the GDPR, ways to build on top of your existing program. We look at the biggest requirements of the CCPA, how to prepare, and how to budget for compliance in our free guide.
In 2019, most organizations rely heavily on third parties (and fourth and fifth parties) to do business, a trend that has been on the rise for many years. But with increased data protection legislation, major technology changes, and more complex cyber threats, how organizations handle third-party risk has evolved and will continue to change in 2019.
First, third-party risk assessments will grow in scope, encompassing requirements for third parties from regulations like, you guessed it, the CCPA and the GDPR. In addition, more companies will expect to actually reap ROI from their third-party risk management (TPRM) programs. They'll reduce risk across the organization, but also identify opportunities to streamline processes and save money. Companies will also leverage more technology to allow them to continuously monitor vendors and gain more visibility into changes that may impact a vendor's risk profile.
With regulations like the GDPR and other global laws placing more responsibility on third parties and requiring that they comply as well, TPRM has become an even more integral piece of many organizations' data privacy programs.
2019 will continue many of the trends we saw in 2018 and introduce many new challenges, regulations, and changes. The key to it all is staying current with these changes and building an agile privacy program that can adapt to them. Data Privacy Day is always a great opportunity to educate yourself, your team, and your organization on data privacy trends, challenges, and best practices. But if 2018 taught us anything, it's that data privacy is ever-changing and requires a constant focus to stay current and maintain compliance.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.