Keeping a team aligned isn’t easy. Not every meeting can possibly include every single team member, and updating a multitude of Notion pages with all the details regarding every discussion is an entire project in itself. The data that informs decisions is shared to separate groups of people, many of which don’t necessarily work closely together.
While there may still be the occasional team that handles everything themselves, most software products are made up of a variety of services from different vendors. From data storage to customer management, third party data processors are a nearly unavoidable part of any organization.
The GDPR recently marked its three-year anniversary, but one aspect of compliance for many companies is much older. Standard contractual clauses (SCCs), the mechanisms that most international organizations used to legally transfer data between the European Economic Area (EEA) and third party countries—like the US—are over a decade old. For organizations moving data in and out of the EEA, the last few years have been complicated.
When it comes to GDPR compliance, contracts are some of the most powerful tools you have to show to regulators. They allow you to receive legal guarantees from your service providers and third parties that protect you from liability in the event of a breach in compliance. You aren’t off the hook for everything, but at the very least you won’t be liable for negligence.
When Apple released their privacy nutrition labels, it was seen as a key turning point in platform-level privacy. Even so, while Apple holds control of mobile device profits and industry mind share, they do not account for the majority of mobile devices globally—especially in developing countries. The iPhone is expensive, and therefor any of its privacy protections become a benefit only to those that can afford their devices.
The Irish High Court, Ireland's data privacy watchdog, has won a legal fight over Facebook's data flows between the EU and the US. When the EU-US Privacy Shield was ruled insufficient in protecting the privacy of EU data subjects last year, many companies were left in an uncomfortable state of limbo waiting. Any organization moving data about EU residents from the EU to the US has been in the dark on whether they were still in compliance.
This year has already seen over 100 GDPR non-compliance decisions. Mostly limited to regional companies, but a few have made larger news. The latest company poised to be fined is Disqus. Disqus is a commenting platform that companies can embed in their sites or applications to allow visitors to leave comments on individual articles or pages. Norway's data protection authority has notified Disqus that they intend to issue a non-compliance fine of NOK 250,000,000 (about EUR 2,500,000).
Data breaches are big news. They come with a major hit to the trust customers have with a business, and even parts of the world that don't have data privacy laws will often have some form of data breach law. It might be surprising though, for those focused on GDPR, that data breaches don't account for the greatest number, and greatest monetary value, of GDPR fines.
Data privacy regulation has made great steps toward protecting the privacy of people using web products, but it has come with user experience friction. Consent and disclosure banners are a solution for compliance, but they are not elegant. Browser makers, the W3C, and a group of participating organizations are working to fix that. The first step is a proposal called Global Privacy Control (GPC).
