4th GDPR anniversary: Expert opinions on its impact, four years on

May 25th marks the fourth anniversary of the implementation of the General Data Protection Regulation (GDPR). To commemorate the occasion, we spoke to a range of experts about GDPR’s impact on businesses.

Andy Teichholz, Global Industry Strategist, Compliance & Legal, OpenText:

“As we mark the fourth anniversary of the GDPR, organisations are facing a more knowledgeable, confident, and powerful world community demanding greater transparency in terms of how their personal data is used and expecting organisations to be held accountable for their behaviour. Last year, not only did we see a significant increase in the number of GDPR fines, but we witnessed the biggest one to date with many of these fines focused on punishing organisations that seem to present ambiguity or lack transparency in processing and communicating decisions with their customers.

Reputational management – maintaining a happy customer base – is driving boardroom discussions and forcing organisations to identify a new data privacy strategy beyond regulatory compliance risks. Consumers demand integrity and truthfulness regarding how personal data is processed and used. Customers demand control and are not reticent to exercise their rights to delete or request copies of any personal data that has been processed.

For many organisations, fulfilling such requests is incredibly time consuming, is often still a manual process and – as many organisations have internal silos – even locating all available data is an undertaking. With a focus on brand reputation and retaining customer loyalty, organisations are looking to innovation and automation to manage these challenges and as a source of competitive advantage. Gaining trust is so dependent on delivering a consistently great customer experience that effective communication of personal data policies, practices, and any breaches as well as a streamlined Subject Rights Requests (SRR) management process must be top of mind. Organisations that foster an integrated, data-centric approach to privacy management – leveraging data discovery and classification tools, risk mapping and data management platforms with strong retention capabilities – will be in the best position to execute on these priorities. This will earn individual trust and retain the right of custodianship of customers’ personal data as well as differentiate themselves in the marketplace.”

Michelle Correia, General Counsel, GWI:

“The GDPR set a precedent for data privacy, and now, four years on, we’re seeing brands step up their privacy policies and consumers increasingly taking note of their privacy controls. Whether they’re aware of it or not, everyone is now a data expert – from reviewing cookie pop-ups or signing up to a mailing list, we’re all growing to be more conscious of how companies are using this data.

The impact of this on brands is huge and shouldn’t be underestimated. Our research shows people are still reluctant to trust brands with their personal data, and so marketers need to demonstrate that their brand’s data is clean and compliant with data protection regulations. Transparency is key – more than half of the UK are looking for a clear understanding of how their data will be used – if brands are to earn their trust.”

Gee Rittenhouse, CEO, Skyhigh Security:

“Four years ago, a milestone was achieved with the introduction of the General Data Protection Regulation (GDPR). This was a major step forward for both privacy as well as data security. With today’s anniversary, it is a good opportunity to remind ourselves of the importance of data protection and the processes we can take to be one step ahead.

The law states that businesses must handle data securely by implementing “appropriate technical and organisational measures”. One way organisations can comply with this regulation, is by ensuring the implementation of multi-factor authentication. Simply having a username and password is no longer enough; we need to move beyond this to adopt a more secure approach to user verification.

Once a user has verified themself, they must only have the minimum level of access necessary for their day-to-day business. This is the foundation for a Zero Trust framework. Organisations should adopt this framework across their entire enterprise. However, we can do better. Most Zero Trust frameworks focus on data access but an organisation would do well to extend this beyond access to data usage.

By putting these security measures in place, organisations are not only complying with GDPR but are using techniques that are well suited for today’s hybrid workforce where users want access to data from anywhere, on any device, and on any platform.”

Camilla Winlo, Head of Data Privacy, Gemserv:

“As the GDPR turns four, it’s interesting to reflect on how well the regulation has kept pace with emerging technologies like AI. AI has the potential to transform the way we live and work, but organisations are still grappling with how to put it into practice. Lack of understanding around the implementation of AI is discouraging some organisations from developing potentially beneficial solutions, while others set their development back by failing to fully consider data protection requirements early enough.

One of the biggest challenges organisations face is collecting informed consent, and it can also be difficult to fully understand the risks associated with a processing activity and the ways individuals will react to AI-driven outcomes. When data protection rules are difficult to apply in practice, organisations can fall into the trap of believing that avoiding them is a pragmatic approach. However, this is a lot riskier than it may first appear.

The ICO, for example, has just announced a fine of over £7.5m against Clearview AI, a company that makes AI facial recognition software. That fine was levied following a joint operation with the Australian regulator and the ICO is also liaising with EU regulators. Clearview AI no longer operates in the UK and is likely to suffer other commercial consequences as the regulatory action and surrounding publicity continues. These impacts would not have happened if it had followed a proper data protection by design and default approach from the start.”

Peter Reeve, VP Northern EMEA, Confluent:

“Over the last few years, GDPR compliance has become imperative to all businesses. However, questions arise around what the future looks like, particularly as the government announced the Data Reform Bill, which is set to reform the UK’s data protection regime.

With data becoming increasingly more important and widely used, businesses must comply with regulations that protect customers’ data. Simultaneously they must ensure that users are informed and consciously consent to the processing of their personal data and that the information they have on the use of this data is completely up to date.

As more and more businesses become fully digital, companies seek to gain their hyper-vigilant customers’ trust, while keeping up with technological and regulatory updates, building a solid team and consistently communicating about their data hygiene practices to keep earning their trust.

Trust is the most important currency, and getting data sovereignty laws right is the first step for businesses that want to mix or contextualise different data types to level up their business. Ultimately, nailing these elements down will help businesses acquire the clean data required to unlock new revenue streams.”

James Walker, CEO, Rightly:

“GDPR is often cited as the strongest and most comprehensive data protection law in the world and in history, yet four years on there are still massive question marks over how successful it has been. We’re still seeing businesses exploiting loopholes in GDPR, and when companies are found to be in breach of these laws, the industry regulator – the ICO – has been largely toothless in taking any action.

It simply does not do enough to protect the public from scammers or online harm, and its flaws continue to expose consumers to bad actors. The public’s lack of understanding of GDPR is also problematic – our research found that just 39% of consumers actually understand the term, meaning they likely have no idea how their data is used once it leaves their hands. In fact, data privacy as a whole is something that still perplexes the majority of consumers, with 54% feeling confused about the subject and do not understand what GDPR does for them. There remains a huge amount of education to be done.

The upcoming Data Reform Bill recently announced in the Queen’s Speech will be an important step in the right direction in ending the murky practices of data brokers. Such brokers style themselves as “marketing service providers”, but they ultimately profit from illegally selling people’s private and deeply personal information, making further legislation essential. The bill needs to outline how it will crack down on such illegal practices and how it will hold companies accountable for data misuse, so consumers can have confidence in the legislation and laws that are there to protect them. If not, the public will continue to be exposed to inexcusable financial risk.”