5 Years of GDPR | A Conversation with FCG’s Head of Privacy
In light of the upcoming five-year anniversary of GDPR, we sat down with Pia Rosengren, Managing Director and Head of Privacy, to deep dive into the privacy regulation. With more than 20 years of experience in data privacy and the financial industry in an ever-changing landscape, Pia shares her reflections on the evolution, experience and future of GDPR.
How has the work with Data Privacy evolved since its introduction in 2018?
My experience is that Data Privacy issues are becoming a more prioritised area in most organisations and that the agenda matures as we go. The discussion in the industry relates to far more complex issues compared to five years ago, but this is a natural progress once new regulations have been introduced. We can see a similar evolution e.g. in the Risk Management and Financial Crime Prevention field as well.
A definite development since the introduction of GDPR is the increasing number of EDPB Guidelines, administrative fines, and court decisions, as well as an increasing focus on global privacy legislation. All this requires more coordination, expert skills, competencies, and resources within the area of Data Privacy.
It is common that the operational aspect of new regulation lags the pure compliance/tick-the-box aspects. Is the financial services sector catching up in that respect?
Yes, it is absolutely a challenge for the financial services sector to ensure that a new regulation is part of the daily business. Going back to 2017-2018, GDPR was introduced in parallel to several other initiatives such as MiFID II, IDD, AML 4, etc., and for most companies it was, and still is, a matter of how you ensure compliance while not overshooting in your ambition and embedding cost components that should not be there. For GDPR specifically, firms may have underestimated the governance and infrastructure that is necessary to ensure compliance, that is, they have underinvested in embedding privacy aspects in the operations. This has been noticed by regulators and the public, and the second, or maybe third, wave of implementation projects we observe relates to these legacies.
What is the most critical aspect of data privacy today?
According to the Swedish Authority for Privacy Protection's (IMY) report Digital Integrity 2022, knowledge of your rights as a data subject according to the GDPR is as low as it was in 2019.
We need to ensure that the solutions to the legal requirements of data privacy are sustainable, both financially and socially, and that we place the data subjects' interest first. You can compare this with customer protection where we talk about investments. The individual may not have enough knowledge or awareness to protect their data, so the controllers and processors of personal data need to set up their business with personal data protection as a top priority.
A sustainable approach to data privacy is essential in order to ensure financially efficient management of data privacy whilst protecting personal data and nurturing a sustainable social environment.
After five years of experience with GDPR, how do you recommend organisations embed the regulation efficiently?
From ongoing dialogues with DPOs, we have learnt that less than half of the companies feel that the organisation works continuously and systematically with Data Privacy. In my opinion, to come to terms with this gap, you need to start with agreeing on roles and responsibilities within the organisation, just as with any other regulatory compliance effort. It will not be supportive for your firm to have a DPO that knows exactly what they are doing if your customer service does not consider privacy matters correctly. The next step is to establish an efficient and customised framework including policies, guidelines and templates which should be of support throughout the organisation. Finally, targeted training of employees is imperative as it enables an understanding of their responsibilities internally as well as in relation to the end-customers and keeps the attention on the individual.
What is the future relationship between privacy and technology?
It can be assumed that there will be an increase in requests concerning data subject rights, complaints concerning integrity issues, etc. from the public going forward. Sort of a backlog if you will, that can put an administrative burden on the organisation. We can also see that there are several upcoming regulatory initiatives aimed at ensuring that firms are keeping up with technological advancements. Fortunately, technological advancements also work in favour of our clients as they, correctly used, lessen the administrative burden and support the basic GDPR principle of accountability. Five years into the regulation we see some smart and user-friendly systems that help companies with the challenges of being GDPR compliant in a sustainable way. I am confident we will see more of these in the near future.
Another area concerning the relationship between privacy and technology is the development of tech solutions using open banking and artificial intelligence to collect information on individuals, prior to different engagements. This area involves many issues concerning integrity, and sustainable management is truly imperative going forward. This is a topic I am sure we will return to repeatedly over the next few years.
How will data privacy continue to evolve in the next five years?
Data Privacy is an area that will continue to grow and become more important to us all. New customer demands and behaviours will require prudence and adaptability in all firms. As a consequence, in order to work sustainably, organisations need to be one step ahead, prioritising protection of the individual's personal data and truly living up to the principle of accountability. Regardless of what type of action, we need to remember the reason the work is done to begin with – keeping personal data protected and creating sustainable privacy going forward.
5 Years of GDPR
May 25th, 2023, marks the five-year anniversary of the enforcement of GDPR. This spring we reflect on and review the first comprehensive privacy regulation in a series of publications and events. Stay tuned for insights and perspectives on expectations vs. realities of a sustainable privacy arena, the legal ecosystem of GDPR, the future role of tech and much more.