FTI Consulting director Nina Bryant talks to The Lawyer about the evolving global regulatory developments in privacy, increased data subject access request (DSAR) activity and the potential implications of the newly proposed ePrivacy Regulation for organisations, reflecting back on her discussion this morning at The Lawyer’s Managing Risk and Litigation conference.
Privacy seems to be at the heart of global regulatory development (eg privacy regulation in Singapore, Hong Kong, China, India, California etc). From your observations so far, how are organisations dealing with increased DSAR activity and how can they streamline their DSAR response process?
As technology becomes increasingly complex and interconnected, so consumers are getting savvier about the value of their data and the impact on them as an individual if their data is misused. Across global privacy legislation, we are increasingly seeing organisations tasked to operate within tighter ethical boundaries regarding their use and protection of personal data, combined with giving individuals stronger rights to access and control how their data is used or shared.
GDPR was probably one of the highest-profile changes in legislation in recent times. With headline news stories from global data breaches to the right to be forgotten, few EU citizens can be unaware of their new rights. Most organisations we work with are therefore seeing an increase in DSR activity and are tackling this in different ways. However, many organisations are still struggling to meet these rights given complex legacy IT infrastructures, limited IT resources, large volumes of dark data and ineffective retention policies. Supporting organisations to better understand and remediate their data is, therefore, key to enabling the full range of data subjects’ rights to be met and to streamline processes.
We are also seeing an increasing number of organisations with high volumes of complex requests looking to outsource their DSR services, reducing the overall cost and risk through centralised, high-quality evaluation and completion of the request and streamlined communications with the data subject.
What are the potential implications for organisations of the newly proposed ePrivacy Regulation and what are the most significant changes it brings forward?
The proposed ePrivacy Regulations focus on electronic communications rather than specifically on personal data, but aim to complement GDPR and may have significant implications for some organisations, depending particularly on their current approaches to direct marketing and cookie management. The draft regulation brings into scope a range of additional electronic communications, including machine-to-machine communications (eg IoT devices) and over-the-top communications (eg Skype and WhatsApp).
It’s unclear whether several direct marketing exemptions from the previous directive will remain, meaning the higher levels of consent in GDPR may apply to a wider range of previous customers and b2b contacts. For many organisations, the proposed changes to cookie consent will probably have the biggest impact, meaning the current cookie banner approach will likely not be compliant and wider cookie preference management will be required.
From what you’ve observed, are organisations already updating their compliance planning to include these proposed updates/changes?
Many organisations are taking the approach that more transparent communication with customers about the use of their personal data, and in particular how third-party cookies are used, is not only more ethical, but actually a strong marketing strategy which will deliver better customer service and strong brand identity. We’re working with a number of organisations to support their digital strategy and enable strong cookie and preference management ahead of legislation coming into force. It’s evident that organisations that have implemented a strong GDPR compliance programme are in a better position to adapt to the global legislative changes on privacy, for example meeting CCPA requirements, and are proactively looking at how to implement similar programmes for data which may fall into the scope of new global privacy laws.
Tell us 2 truths and one lie (in any order) about yourself
- I have attended Glastonbury music festival more than 10 times
- I have published a children’s book under a pseudonym
- I was filmed in some background shots for the new Spiderman movie