The 25th May marks four years since the introduction of GDPR – the landmark law which governs the way organisations operating within the EU can use, process and store consumers’ personal data. In this time, hefty GDPR fines have ensured that non-compliance is a costly mistake for both large and small businesses, with high-profile cases against the likes of British Airways, Marriott Hotels and Amazon dominating headlines.
Adding to this, the UK Government recently announced a new Data Reform Bill, which they claim will cut through the red tape surrounding data regulations, giving the UK’s data watchdog powers to take stronger action against firms who breach regulations. With all that in mind, Cyber Protection Magazine spoke to eight business leaders to get their insights on the changes GDPR has brought, as well as their speculations on the changes the new bill might bring.
Landmark legislation or damp squib?
When GDPR was first introduced, it was widely believed that it would change the landscape of data regulation forever. “Back in 2018 GDPR prompted significant discussion and self-reflection among organisations, but it’s fair to say its impact waned as the expected torrent of fines and penalties never really arrived,” argues Andy Swift, Technical Director of Offensive Security at Six Degrees. “Like all data enforcement regulations, resourcing and governance for GDPR have been challenging – which has led to some complacency creeping in.”
However, he adds, “this complacency shouldn’t last; since 2021 there has been a global uptick in penalties issued by data enforcement agencies.”
Others believe that the legislation never went far enough. Michael Queenan, CEO and Co-Founder at Nephos Technologies, points out: “Our personal data is anything but personal. Currently, the large corporations and government institutions that collect our personal data are responsible for using and selling it. Although GDPR introduced rules on how such organisations should handle and protect this data, it arguably did not go far enough as it does not specify exactly what businesses can and cannot do with their customers’ personal information. For individuals, therefore, there is a huge loss of control over their data.”
On the other hand, Kevin Kelly, Vice President & General Manager, Global Compliance Solutions at Skillsoft, believes that “GDPR has prompted significant improvements in the governance, monitoring, awareness, and strategic decision-making regarding the use of consumer data. One of the ideas behind GDPR was to assure consumers that their data will not fall into the wrong hands. For the most part, consumer data and privacy is now considered a top priority by leading companies.”
New legislation on the horizon
In the UK, the announcement of a new Data Reform Bill has made it clear that data regulation is set for another round of changes. “At the moment we are in the very early stages of this process and there is a lot of speculation over what the logistics of the next few months may look like,” states Richard Orange, Vice President EMEA at Exabeam.
“However, we do know that it will be important to be able to regulate data sovereignty from country to country, as this may become a challenge. Regions across the UK will need to find commonality and work cohesively for any reforms to be effective. The most important thing for the UK while moving forward with these reforms is to ensure that the new rules remain relevant, simple and measurable.”
Donnie MacColl, Director of EMEA Technical Services at HelpSystems, notes that: “There has been some concern around the impact of the UK’s potential divergence from European data protection standards, and what role the Data Reform Bill (referred to as ‘the Bill’) will play. That’s understandable given any legal/regulatory changes always have the potential to impact the way organisations can market themselves to people, for example.”
“In particular,” he adds, “concerns have been raised that organisations won’t be able to use personal data to optimise the sales process. While this is likely to become more challenging, there is a strong argument to say that, like GDPR, the emphasis must remain on keeping personal data more secure. The Bill seeks to strike a balance between data protection and the ease of doing business and that is to be welcomed.”
Jakub Lewandowski, Legal Director and Global Data Governance Officer at Commvault, cautions: “We are yet to see where the new data reform will lead us. GDPR and UK GDPR respectively introduced a lot of extremely useful concepts and mechanisms, most importantly they helped develop a common language to discuss privacy and data protection issues. As with any legislation with multiple stakeholders involved and affected, certain choices and priorities had to be made. Perhaps now is a good time for the UK to strike a better balance on some of the items. It would not be wise to throw the baby out with the bathwater.”
Staying compliant in a changing world
With new legislation set to come into force in the UK, and GDPR remaining a key concern for any business that processes the data of EU citizens, it is vital that organisations ensure they remain compliant to avoid costly fines.
“As data privacy requirements continue to increase across the world, it’s imperative that organisations have total visibility into their regulated and sensitive data. By establishing effective data governance programs that can evolve with rapidly-changing requirements – in addition to ongoing cybersecurity awareness training – businesses can stay on top of regulations, as well as potential threats like ransomware,” explains Kris Lahiri, Co-Founder and Chief Security Officer at Egnyte.
Phil Dunlop, VP EMEA at Progress, explains that “some best practice GDPR compliance tips include: Ensuring that senders and receivers are authorised, with centralised control and visibility to all file transfer activities involving personal data. Centralised, tamper-evident audit logging ensures data can be trusted for accuracy. Securing personal data against internal and external threats, loss or damage is also critical, therefore automatic file integrity checking can validate that a file has not been altered. Having a robust GDPR-compliant framework in place will extend your cyber security practices, boosting customer trust and loyalty.”
Finally, Skillsoft’s Kelly provides some key questions for businesses to consider when reviewing their compliance policy:
- “Have you made it clear that your organisation is taking GDPR seriously? Raising awareness will help you to educate the entire organisation about procedural and operational directives – and ensure that your team has a clear understanding of your expectations regarding compliance.
- Have you suspended all non-compliant data collection? At this point, the answer should be a resounding “yes!” But also ensure that your organisation continues to put policies and procedures in place to allow the acquisition of legitimate consent – wherever and whenever data is being collected.
- Do you identify and log all current data? Without an understanding of what data you have collected from individuals, you cannot implement data handling and storage procedures that are genuinely effective. Make sure that you continue to perform audits of the data you are collecting for a complete understanding.
- Do you continuously review your data practices? Though you may be in compliance with GDPR now, it is imperative that you continue to review your data practices. Ask yourself if your current governance practices are sufficient enough to comply with GDPR. Especially pay close attention to overseas movement of data to ensure storage and processing remains on the right side of the law at all times.”
Whatever the future of data regulation looks like, businesses with strong compliance programmes that they review regularly are likely to be well placed.