GDPR one year on -- what have we learned and what happens next?
This weekend marks exactly a year since the introduction of the EU's GDPR legislation shook up the world of data protection and sent businesses around the world into a flurry of compliance activity.
So, what has the industry learned over the past year and what are the ongoing challenges we can expect to see? We've gathered the views of some industry experts.
It's clear that the introduction of GDPR has led to greater awareness when it comes to protecting personal information. Dr Gero Decker, CEO and co-founder of business transformation specialists Signavio, says, "A year on, businesses now understand what is expected of them; however, the main challenge is the ongoing compliance. Companies are not taking a sustainable approach to GDPR. Each and every employee throughout the business must adopt a rigorous mentality to protocol adherence, taking personal responsibility and collaborating intuitively to keep data up to date. It is vital to remember that those on the ground will determine a company's successful compliance."
This view is echoed by Rob Perry, data expert and VP of product marketing at information and systems management company ASG. "When GDPR went into effect in 2018, the IT community knew the impact would be massive, but over the past year, every industry has been brought into the loop, forced to understand what 'data privacy' actually means. The last twelve months highlighted to consumers the failures and roadblocks companies face when implementing a data protection strategy. For example, the regulation failed to consider how to handle privacy debt, which refers to the mass of personal data that companies had collected before GDPR, which now looms as a liability. Regulators charged minimal fines for tech giants -- like Google and Facebook -- that faced massive data breaches."
One of the notable features of the last year has been that the expected large fines for non-compliance have largely failed to materialize. "Despite the seeming lack of huge penalties, as data protection authorities pick up pace, truly monstrous GDPR fines are likely to soon follow. It is therefore critical that businesses continue the momentum, and recognise that the legislation is only ramping up," says Ilkka Turunen, global director of solutions architecture at DevOps automation company Sonatype. "That's not to say that GDPR hasn't been influential. It has fuelled a new culture of talking about breaches and how to fix them rather than sweeping them under the rug, which is undoubtedly a good thing."
Raj Rajamani, VP of Products at storage specialist Cohesity, also thinks we'll see less leniency in future: "One year later, the leniency period for compliance is over for GDPR, and organizations must ensure that they continually evaluate their current readiness by knowing where all of their data resides, processing it in compliance with regulations and laws, controlling access to it and making sure it's protected against both internal and external threats. Regulation is not a matter of picking and choosing, and organizations must comply with each and every rule in order to build consumer confidence and trust in their brand."
Interestingly, a survey unveiled this week by TrustArc reveals that 36 percent of adults aged 16–75 trust companies and organisations with their personal data more since GDPR came into effect. "The research tells a tale of two reactions regarding the impact of the GDPR on consumer privacy attitudes. On a positive note, more than one third of the respondents we questioned trust companies and organisations with their personal data more since GDPR came into effect one year ago, and there is also favorable feedback on enforcement efforts," says Chris Babel, CEO of TrustArc. "But companies should not interpret this to mean that their work is complete. Providing more transparent ways to demonstrate GDPR compliance and ensuring they respond to privacy rights requests in a timely manner will go a long way toward further improving consumer trust and increasing website use and online purchasing."
So, where do we go from here? "Organisations need a 360-degree view of their data and must implement governance strategies to maximise the reach of their data assets whilst staying compliant," says Myke Lyons, CISO at data intelligence specialist Collibra. "Herein lies the need for a fused macro and micro mindset -- business leaders must gain maximum visibility into how data is being used at every level within their organisations, whilst also understanding that updating metadata in real time can improve its reliability and trustworthiness. In order to build a long-term, GDPR-compliant data strategy, businesses need to think big picture and not get tangled in the weeds of procedure."
Joseph Carson, chief security scientist and advisory CISO at privileged access management company Thycotic, believes that legislators can't afford to stand still either: "The GDPR is only the first step in helping regain control of personal information and the EU needs to continue improving. GDPR has been the founding regulation that other governments around the world are using as the standard for their own versions. For example, the California Data Privacy Protection Act, while not as strict, is setting the new direction for protecting personal information and many others are following."
Overall, then, it seems clear that GDPR has been successful in raising awareness of privacy issues. But it's also clear that, as other regions bring in similar rules, this is merely the beginning of a new privacy-focused era.