GDPR Celebrates Second Birthday

Looking back over the last several years, the privacy world has certainly changed. As some of you know, the GDPR celebrated its second birthday on May 25th, and privacy ideas and awareness have changed.

Let’s first look back to privacy pre-GDPR--back to 2014, when the Pew Research Center did a study to discover if respondents knew what a privacy policy really was. The results were interesting: 52% believed that a company posting a privacy policy actually ensured the company kept the data it collected completely confidential, when in reality a privacy policy is just a legal statement regarding what data is collected, why it’s collected, how that data is disclosed, including to third parties, etc.

That study was conducted six years ago now, but privacy awareness and data protection have certainly intensified since the GDPR became effective in 2018, with countries all over the world following the example of the new, higher standard. For example, Barbados passed their first data protection act also in 2018, and Uganda passed their Data Protection and Privacy Act in 2019—legislation that operationalizes Article 27 of the Constitution of the Republic of Uganda, 1995 and also marked Uganda as the first East African country to recognize privacy of personal data. Not to be outdone, the U.S. now has in place the most comprehensive privacy law that the country has seen to date with the CCPA. Moreover, as of today, eighteen individual states have followed suit with their own proposed data protection laws, including Nevada with the introduction of SB 220 into law in 2019.

"The GDPR has provided a blueprint that the rest of the world is adapting to their culture through regulation"

Given the timing, it’s plausible to wonder if this increase in awareness of privacy and data protection has been the result of the GDPR. We asked Michael Muha, the Chief Information Security and Privacy Officer for Workforce Software, LLC, and he says, “the GDPR has forced us to increase the maturity and accountability of many processes such as third-party risk management, product management, and simple visibility into the data assets we have.  The GDPR has provided a blueprint that the rest of the world is adapting to their culture through regulation.”

Regarding a shift in the focus on privacy, such a sentiment proves true across the industry as well--PwC did a recent survey on data privacy in 2020, and the results found that 44% of CEOs rank their data privacy policies as one of the top three most impactful to their business. In their own study that included 2800 professionals in 13 countries earlier this year, Cisco found that, in fact, individuals view a company’s handling of personal information as part of their brand, demonstrating that consumers are asking more questions about how their data is handled, who else has access to their data, and how they can opt out. Cisco also found that 82% of organizations believe that privacy certifications such as ISO 27001/27701 and APEC Privacy have become a significant buying factor when considering different compliance vendors.

At Workforce Software, Michael Muha agrees that GDPR compliance keeps customers happy.  He says that, “interestingly, our GDPR compliance activities have given us a head start in complying with newer regulations such as the California Consumer Privacy Act or Mexico’s Federal Law for the Protection of Personal Information in Possession of Individuals. As a Data Processor for our customers, we support them in their compliance activities to ease their concerns.  The audits can validate how we are doing, as well as force us to keep more detailed records of our privacy activities.  We now have privacy metrics, particularly around things we do to keep customers happy, including tracking whenever a prospect asks privacy-related questions.”

The shift in privacy has greater business benefits as well. Mr. Muha says that “privacy provides two opportunities for us. First, it’s smoothing out the sales process. We can provide assurance to our customers around our privacy practices, and privacy is not a barrier to the sales process. Second, we can monetize privacy by building advanced features in our products that either help customers comply or allow them to be more efficient in how they comply.”

"privacy expectations will continue to increase"

And while GDPR may have kicked off this new focus on privacy, what does the future hold? Current events have raised their own unique questions, as protection of privacy during this pandemic is and will remain a big challenge, but even after society returns to relative normalcy, some questions will persist. Michael Muha says, “privacy expectations will continue to increase! Data subjects will exercise their rights more, business will need to respond faster, and supervisory authorities will demand better evidence of compliance.” On that point, there are two main challenges concerning the GDPR and compliance according to Michael: “Every year, you must up your game around demonstrating that processing is performed in accordance with the regulation. This means shoring up weaknesses in your privacy program and finding innovative ways to show compliance while remaining cost effective.”

The key in dealing with those challenges around increasing privacy concerns starts with the establishment of a thorough program with qualified and educated professionals. Mr. Muha expresses that “if the privacy program rests on a single person, and that person leaves, the program can fail.  Proper documentation of processing and procedures and cross-training of staff becomes critical.  With limited resources, you must prioritize what’s important.” Most companies appear to feel the same, as the increase in awareness of personal data has also provided a boost to the privacy job market.  Even in the wake of so many job losses as a result of the current pandemic, 72% of privacy departments are not seeing any layoffs and 81% don’t expect much of a change in their privacy spending.

But whether or not the GDPR is responsible for this kickstart to both regulation and employability, the increase in privacy awareness looks to only persist.  With so much movement over the last several years, the world of privacy should continue to evolve and gather steam, making it an interesting possible avenue for anyone starting their career or someone looking for a change.

About the Authors

Debbie is Principal and co-owner at Schellman & Company.  She began her career in 2000 while working at Arthur Andersen in their Technology Risk Assurance practice.  Debbie now leads the Midwest Region along with the Privacy, SOC 2 and SOC 3 service lines and is also on the AICPA’s SOC Specialist Task Force. She is responsible for internal training, methodology creation, and quality reporting. Debbie was a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee.  She also served on the AICPA’s Advanced SOC for Service Organizations Certificate Task Force.

Mike Muha (Ph.D., CISSP, CISM, CRISC, CIPP/E, CIPM, Certified GDPR Practitioner) is Chief Information Security and Privacy Officer for WorkForce Software, a SaaS provider of workforce management software. He’s responsible for WorkForce’s global security and privacy programs plus IT audit and compliance.

About the Author

Schellman Compliance

Schellman is a leading global provider of attestation, compliance, and certification services. Operating as an alternative practice structure as Schellman & Company, LLC, a top 100 CPA firm, and Schellman Compliance, LLC, a globally accredited compliance assessment firm, we are able to offer clients services as a CPA firm, an ISO Certification Body, a PCI Qualified Security Assessor Company, a HITRUST assessor, a FedRAMP 3PAO, and as one of the first CMMC Authorized C3PAOs. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Schellman's approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives using a single third-party assessor. For more information, please visit
