GDPR – Four years on
Nephos Technologies
A Data Services Integrator that helps organisations identify, govern and drive the highest value from their data
Leaders reflect on the success of GDPR and the future of data protection in the UK.
The 25th of May marked the fourth anniversary of the enforcement deadline for full GDPR compliance. Since its introduction, we have seen organisations of all sizes take data protection more seriously in order to remain compliant. As Kris Lahiri, Co-Founder and Chief Security Officer at Egnyte, reflects, ‘The four-year anniversary of GDPR’s enforcement reminds us of the importance of safeguarding mission-critical content amid rising cyberattacks and the shift in how unstructured data is accessed in today’s remote, hybrid work environment. It’s become increasingly difficult for organisations not only to manage their expanding volume of content but also to secure it effectively. If companies can’t see the full extent of their data, then they can’t properly govern it.’
With ongoing changes to the working environment, it is important that organisations continue to reflect on their data protection practices and educate themselves and their employees on how to stay compliant. Recent Skillsoft data show that businesses invested in GDPR compliance training between 2020 and 2021, with a 30% increase in learning hours as workers were forced to access and handle data remotely during the lockdown.
A data protector or a sleeping guard?
Throughout the four years since its implementation, there has been ongoing debate about the success of GDPR. On one hand, some praise the legislation for introducing a widespread requirement for corporations to be responsible with the customer data they hold. As Jakub Lewandowski, Legal Director and Global Data Governance Officer at Commvault, explains: ‘Four years on from when the EU’s data privacy and protection regulation came into effect, with the benefit of hindsight, it turns out the long-awaited regulation could have been just in time. Who knew a global pandemic was around the corner and that we were on the cusp of an explosion in data growth and acceleration of cloud-based business? Essentially, GDPR passed its first big test, as companies found they could agree on how to share responsibilities and shift workloads and business processes to the cloud.’
However, others are more critical of the regulation. Michael Queenan, CEO and Co-Founder at Nephos Technologies, argues that despite the enforcement of GDPR, ‘our personal data is anything but personal. Currently, the large corporations and government institutions that collect our personal data are responsible for using and selling it. Although GDPR introduced rules on how such organisations should handle and protect this data, it arguably did not go far enough as it does not specify exactly what businesses can and cannot do with their customers’ personal information. For individuals, therefore, there is a huge loss of control over their data.’
Andy Swift, Technical Director of Offensive Security at Six Degrees, agrees that, although the initial implementation prompted much-needed ‘discussion and self-reflection among organisations, it’s fair to say its impact waned as the expected torrent of fines and penalties never really arrived. Like all data enforcement regulations, resourcing and governance for GDPR have been challenging – which has led to some complacency creeping in. However, this complacency shouldn’t last; since 2021 there has been a global uptick in penalties issued by data enforcement agencies.’
Change on the horizon
The UK government is set to introduce the Data Reform Bill, announced as part of the Queen’s Speech at the State Opening of Parliament at the beginning of May, to reform the existing UK data protection regime, which is based on GDPR.
‘There has been some concern around the impact of the UK’s potential divergence from European data protection standards, and what role the Data Reform Bill will play,’ explains Donnie MacColl, Director of EMEA Technical Services at HelpSystems. ‘That’s understandable given any legal or regulatory changes always have the potential to impact the way organisations can market themselves to people, for example.
‘In particular, concerns have been raised that organisations won’t be able to use personal data to optimise the sales process. While this is likely to become more challenging, there is a strong argument to say that, like GDPR, the emphasis must remain on keeping personal data more secure. The bill seeks to strike a balance between data protection and the ease of doing business and that is to be welcomed.’
Commvault’s Jakub Lewandowski adds: ‘We are yet to see where the new data reform will lead us. GDPR and UK GDPR respectively introduced a lot of extremely useful concepts and mechanisms, most importantly they helped develop a common language to discuss privacy and data protection issues. As with any legislation with multiple stakeholders involved and affected, certain choices and priorities had to be made. Perhaps now is a good time for the UK to strike a better balance on some of the items.’
However, others remain less optimistic about what the change could mean. Nephos Technologies’ Michael Queenan anticipates that ‘getting more robust data privacy regulations in place will enable the UK to lead the way in this area and flourish in the future. However, my concern is that it looks like we may be going the other way and making the regulations more relaxed. I hope that such legislation protects the consumers – especially the most vulnerable. Whilst I recognise that it is a big ask, forbidding data profiling of under 18s is a crucial aspect of enforcing data privacy.’
Staying compliant as rules change
With the potential for the Data Reform Bill to transform how organisations handle and transfer data, it is important that business leaders are prepared for changing processes. In 2018, ‘any company with a single European customer had to overhaul their data protection policies’, explains Jennifer Ortiz, Executive Vice President of Corporate Marketing at Progress.
The Data Reform Bill could lead to a similar requirement, only with added complications for those businesses operating in both the UK and the EU. Jennifer Ortiz continues: ‘Staying compliant with GDPR is an ongoing process, and organisations must continue to ensure that the privacy of their customers’ data is a top priority. It’s vital that businesses continuously assess their GDPR programmes and commit to continuous improvement.’
‘Though you may be in compliance with GDPR now, it is imperative that you continue to review your data practices,’ agrees Kevin Kelly, Vice President and General Manager, Global Compliance Solutions at Skillsoft. ‘Ask yourself if your current governance practices are sufficient to comply with GDPR. Especially, pay close attention to overseas movement of data to ensure storage and processing remains on the right side of the law at all times.’
He provides additional advice to ‘create or redesign your organisation’s literature to clearly communicate the rights of individuals when it comes to their personal data. Take every opportunity available to you to reiterate your commitment to protecting personal data,’ as well as recommending that ‘every organisation should appoint a data protection officer to ensure you are properly applying relevant laws protecting individuals’ personal data.’
While the Data Reform Bill promises that changes will be made, ultimately, no one can predict where the UK will stand in the next year with its data protection legislation. While we await more information, organisations should regularly monitor for updates to avoid being left behind or caught unaware by any changes. This will ensure that everyone is well prepared to adapt their strategies and be compliant with the new legislation, whenever that may become necessary.
Holly Benson is editor of Governance and Compliance.