Today we celebrate 5 years of GDPR enforcement, the “birthday” of our revolutionary European legal data protection framework. Each year, I look forward to this anniversary and take time to reflect on the past, present, and future of data protection.
While criticizing enforcement of the GDPR seems to be in vogue as of late, I remain confident in the potential of European data protection law to protect the fundamental rights and freedoms of individuals. Importantly, my confidence and glass-half-full perspective are rooted in data and in my research activities. For this reason, I’ll start with some numbers.
Since 2018, I have carefully monitored GDPR enforcement. ICTLC, my firm, maintains an extensive case law database which as of today contains over 1,800 enforcement actions, a number which I have seen steadily grow year after year. My regular analysis of data on enforcement actions shows (according to my last calculation) a significant concentration of fines related to transparency (16% of sanctions), data security (14% of sanctions), and data subject rights (8% of sanctions).
While GDPR compliance maturity levels are starting to significantly improve, new (and very big) challenges for organizations are on the horizon, if not at the doorstep. As of late, there is an almost mind-blowing proliferation of actual, forthcoming, and proposed data-related legislation (e.g., Data Governance Act, Digital Services Act, Digital Markets Act, Data Act, ePrivacy Regulation, NIS2, Cybersecurity Act, DORA, Cyber Resilience Act, etc.). Like the GDPR, this legislation has the noble aim of safeguarding the fundamental rights and freedoms of individuals. I question, however, how organizations will tackle compliance with these new and forthcoming rules. The GDPR has been criticized by privacy activists for a lack of enforcement, and companies have long lamented alleged compliance burdens. With regard to new legislation, I anticipate real challenges for genuine implementation and the potential for box-ticking approaches to reign.
How can we avoid such a scenario? Genuine compliance with both the GDPR and new and forthcoming data-related rules – which, as mentioned, also include cybersecurity instruments – requires top management buy-in. But how can we convince the top management of multinationals (or SMEs, for that matter) that compliance with data rules is necessary, good, and even “sexy”? This is where my research comes in. More and more, I am convinced that privacy and cybersecurity should be situated within the field of ESG/CSR and sustainability, an area which is becoming increasingly attractive for organizations.
By framing privacy and cybersecurity in terms of sustainability, both organizations and individuals will benefit. I have subscribed to this idea for quite some time, and it was for this very reason that I developed the Maastricht University Data Protection as a Corporate Social Responsibility Framework. More recently, the relevance of, and need for, framing data protection within the area of ESG/CSR was confirmed for the first time by representatives of the Italian, French, and Kenyan Data Protection Authorities at the Privacy Symposium in Venice, Italy. This is a clear demonstration that we need to re-think our approach to compliance and look towards the potential of sustainability.
According to PwC, privacy and cybersecurity already play an important role in ESG ratings. At the same time, however, few organizations align their privacy and cybersecurity compliance with their ESG investments, despite the potentially important role of the former. This needs to change.
Now is the time for us to work with corporate leaders to ensure that privacy and cybersecurity play a key role in ESG programs, which are already attractive to large organizations. Adopting this approach will lead to better compliance and to investments in sustainable, secure, and lawful data processing; and that effectively means better protection for data subjects, consumers, and citizens in a more respectful and sustainable data-driven society and economy.