Five years have passed since the advent of GDPR regulations. EU regulators have been picking up on violations and issuing billions of euros in penalties for non-compliance and data breaches ever since, but society has changed, technology has developed, and new challenges have emerged within that time.
On its five-year anniversary, business leaders are looking back on how GDPR has impacted the world and the challenges that leaders face today.
Penalties and non-compliance
Data authorities have been hot on the tails of corporations for non-compliance and data breaches over the years, issuing massive fines and strict guidelines. With the ever-growing volume of sensitive data, Gary Lynam, Director of Customer Success, EMEA at Protecht, believes consequences inevitably increase too: “The escalation of fines and penalties issued under the General Data Protection Regulation (GDPR) over 5 years reaching close to $3bn can largely be attributed to the tremendous increase in the volume of data organisations have to collect, protect, and process year on year. However, the complexity of data processing is a big factor here too.
“A total of 1,446 fines have been issued since 2018, all varying in amount and addressing different sized companies and violations. Statistically, the violations with the most fines are related to data processing non-compliance and, let’s face it, with the likes of TikTok, British Airways and Ticketmaster being among the prominent names to have received fines, GDPR is clearly by no means a simple tick box process.”
Celerway’s Chief Revenue Officer, Hubert Da Costa, adds, “The CMS.Law GDPR Enforcement Tracker indicates that the number of fines and penalties issued under the General Data Protection Regulation (GDPR) has increased since its inception five years ago. During this time, the volume and complexity of data organisations collect, process and store has continued upward.
“Companies should take stock and consider much more broadly how their organisation is approaching data security. Take remote and field workers, for example. Since remote working has become commonplace, many employees frequently connect to corporate networks and work with sensitive customer data on the go without a practical and secure connectivity method. In addition, workers commonly access corporate resources through unsecured networks (such as public WiFi, home networks or personal device tethering), presenting a significant risk to data security and compliance.”
Larry Whiteside Jr., CISO of RegScale, views the GDPR as a game changer, pointing to similar regulations being put into effect, from the California Consumer Privacy Act of 2018 (CCPA) to the Personal Information Protection and Electronic Documents Act (PIPEDA). And that’s not the end of the story: “There is currently a Data Protection and Digital Information Bill, which had its first reading in May 2022, that seems to be stuck. This new bill seeks to simplify GDPR and make it more agile to adapt to the needs of organizations trying to create data privacy policies and architectures that enable them to meet the specific controls of GDPR.
“As we look forward, we should pay close attention to the EU-US Data Privacy Framework and the impact it will have on transmitting data into and out of the EU. This will make transferring data between countries a lot easier and potentially more clear as it relates to GDPR and the related controls.”
With the emergence of artificial intelligence, Whiteside also notes that GDPR has new challenges to face in order to remain strong and reliable. “Additionally, in an effort to combat the risks being introduced due to the AI phenomenon, there is work that is being looked at to identify the intersection between the Artificial Intelligence Act (AI Act) and GDPR. The outcome could be very interesting in how organizations meet GDPR as it relates to privacy data and artificial intelligence.”
GDPR and AI
Vicky Withey, Head of Compliance at Node4, sees the risks that AI poses to data protection. “With so much personal data being collected, processed, and stored, the potential risk for data breaches is significantly increased. By granting AI access to this data, it also increases the risk of personal data being manipulated to create fake identities for cybercriminals. To balance out any risk, new data protection legislation reform must take place to ensure the security of personal data.”
Commvault’s Global Data Governance Officer, Jakub Lewandowski, believes GDPR has endured time and remains relevant. “Despite all the technological developments within the last five years – facial recognition, virtual reality, and AI, to name just a few – GDPR has stood the test of time. Yet, in the present day, the sudden rise of Generative AI and Large Language Models (LLMs), like ChatGPT, has led to renewed conversations about data privacy.
“But rest assured that, as a framework of data protection impact assessments that considers the rights of individuals, GDPR’s mechanisms can also be applied to the use of LLMs, at least for the time being.”
George Gerchow, IANS Faculty and CSO and SVP of IT at Sumo Logic, considers the GDPR a moving target in light of new technologies: “As new technologies such as artificial intelligence and the Internet of Things become more prevalent, there will be a need to assess their impact on data protection and privacy. The European Data Protection Board (EDPB) is expected to provide guidance on the application of GDPR to these technologies. The European Union is also working on a new ePrivacy Regulation, which will complement GDPR by providing specific rules on the use of electronic communications data. The regulation is expected to be finalized and adopted in the near future.
“Overall, GDPR is likely to continue to evolve and adapt to new challenges in the coming years, with a focus on protecting individuals’ privacy and personal data in an increasingly data-driven world.”
UK government playing catch-up
It is important that regulations acknowledge changes in technology and ensure that businesses can comply with data protection rules, especially in jurisdictions where the EU GDPR itself does not apply directly, such as the UK.
“The UK government’s decision to replace GDPR with its own British Data Protection Bill will lead to a new wave of regulations and policies businesses must adhere to”, explains Drata’s Director of Compliance, Alev Viggio.
“The challenge here is that many businesses will still have to adhere to EU GDPR and this new system depending on their customer base – this can create confusion and complexities in any compliance programme, especially when considering the consequences of fines and violations if they fall out of compliance.”
Node4’s Vicky Withey sees the benefits of a more tailored approach to GDPR and the opportunities available to a post-Brexit United Kingdom. “Since Brexit, the UK continues to follow GDPR; however, this is all up for change. As the Government now has the opportunity to tailor legislation that is focused within specific market sectors, potential reforms can help organisations to achieve their goals where GDPR has been too restrictive, preventing growth and prosperity.
“The UK must ensure that any changes in legislation are approved by the EU to meet ‘adequacy’ requirements, whilst the safe transfer of data between countries will help with technology advancement and medical research. Still, it will also consider that data protection standards vary globally, and as a result, plans to introduce a Data Protection Reform Bill will be eagerly anticipated by organisations, legal and compliance bodies alike.”
Driving positive change
In Commvault’s Jakub Lewandowski’s words, “Whilst only five years old, GDPR is already the grandad of data regulation in the modern age: established and dependable, although not yet outdated.”
Reflecting on the past 5 years of GDPR, Paul Trulove, CEO of SecureAuth, sees the GDPR as a huge step forward for dealing with personal data: “Consumer privacy has been a huge concern since the dawn of the internet. Aside from the obvious security concerns, people started to realize that their personal information was a commodity that was being monetized and exploited by large corporations (sometimes of dubious integrity). GDPR was the first truly wide-reaching attempt to codify and enforce consumers’ (and employees’) rights to privacy.
“When it launched, most companies were scratching their heads about how to comply – or even if they needed to comply. GDPR was seen as a significant barrier to doing business in the European Union, the United Kingdom, and other geographies that had adopted GDPR-style legislation. However, over the last few years, GDPR has become a standard – and has changed the way companies talk about privacy. Thanks to GDPR, consumer and employee privacy protections have been normalized throughout the global corporate world.”
Alastair Parr, SVP of Global Products & Delivery, Prevalent Inc., agrees: “As it celebrates its fifth year driving positive change, GDPR continues its treatment of privacy as a core requirement. We see that organizations are beginning to see data privacy obligations as a global expectation, not just a requirement of their EU operations. For example, CCPA, the DPA 2018, and PIPEDA all bear a strong similarity to GDPR, reinforcing the perception that it set the precedent for what good data protection practice looks like for consumers and businesses alike.”
While times have changed since GDPR was introduced 5 years ago, the framework has been beneficial and remains a strong asset in the fight against data breaches, though, 5 years on, further developments are inevitable.