Five years of GDPR: data regulation in an ever-changing world

Five years of GDPR: data regulation in an ever-changing world

This year, the General Data Protection Regulation (GDPR) celebrated its fifth birthday. Its introduction back in 2018 caused a huge shift in business practices around data and forced organisations to make data protection a part of their day-to-day. Half a decade later and the challenge continues to evolve. The UK’s British Data Protection Bill – still in its infancy – promises to bring a new set of regulations that businesses will have to navigate. At the same time, new technologies such as generative AI, are presenting an additional complication. With that in mind, seven business leaders share their reflections on the last five years of GDPR, as well as what the future might hold.

The data protection revolution

While GDPR may not be perfect legislation, there is no denying that it has brought about a landmark change in how businesses collect, process and store personal data. Its impact spread beyond the EU, where it was introduced, with almost eight in ten US organisations taking steps to become GDPR compliant.

However, complying with the regulations hasn’t been a simple or easy journey for most businesses. Gary Lynam, Director of Customer Success, EMEA, Protecht, said: “A total of 1,446 fines have been issued since 2018, all varying in amount and addressing different sized companies and violations. Statistically, the violations with the most fines are related to data processing non-compliance and let’s face it, with the likes of TikTok, British Airways and Ticketmaster being among the prominent names to have received fines, GDPR is clearly by no means a simple tick box process.”

In fact, the consequences for non-compliance may even be getting larger. “ICO [Information Commissioner’s Office] fines have risen in frequency and cost over the past five years, brand damage for breaches is now understood and class action-style lawsuits are becoming possible in the UK,” explained Richard Starnes, Cybersecurity Strategy Director, Six Degrees. However, he added a note of caution: “This can have the consequence of causing companies to raise their data protection capabilities, but there is also an incentive to report breaches less frequently or at all. Let us not forget the recent case of the former Chief Security Officer (CSO) of Uber who was convicted of US Federal charges for covering up a data breach involving millions of user records.”

Hubert Da Costa, Chief Revenue Officer, Celerway, believes that ‘the international focus on protecting consumer data has become much sharper over the last five years’. However, he argues that organisations still have further to go: “As we mark the fifth anniversary of the GDPR, companies should take stock and consider much more broadly how their organisation is approaching data security. Take remote and field workers, for example.

“Since remote working has become commonplace, many employees frequently connect to corporate networks and work with sensitive customer data on the go without a practical and secure connectivity method. In addition, workers commonly access corporate resources through unsecured networks (such as public Wi-Fi, home networks or personal device tethering), presenting a significant risk to data security and compliance.

“We have come a long way in both regulating and protecting the use of personal data. However, as working practices evolve, organisations must remember that data protection is not static. And creating a secure connection for remote workers – from those working at home to field engineers – is a vital step many organisations have yet to take.”

A post-brexit future

The UK’s new Data Reform Bill seems likely to bring significant change to the UK’s data regulation standards. Alev Viggio, Director of Compliance, Drata, points out that this may cause an additional compliance headache for businesses. “The UK government’s decision to replace GDPR with its own British Data Protection Bill will lead to a new wave of regulations and policies businesses must adhere to,” she explained. “The challenge here is that many businesses will still have to adhere to EU GDPR and this new system pending their customer base – this can create confusion and complexities in any compliance programme, especially when considering the consequences of fines and violations if they fall out of compliance. Managing this manually facilitates the chances of human error, so adopting a continuous compliance approach via automation can vastly simplify the process for following data protection rules and understanding the overlap between various regulations to avoid redundancies.”

However, others point to the potential benefits of new legislation. “As the government now has the opportunity to tailor legislation that is focused within specific market sectors, potential reforms can help organisations to achieve their goals where GDPR has been too restrictive, preventing growth and prosperity,” explained Vicky Withey, Head of Compliance, Node4.

She added: “The UK government understands the importance of protecting privacy rights to maintain the free flow of personal data across the EU. Still, it will also consider that data protection standards vary globally, and as a result, plans to introduce a Data Protection Reform Bill will be eagerly anticipated by organisations, legal and compliance bodies alike.”

Data protection in the world of AI

Whatever the legislation, it’s clear that a new challenge is dawning in the form of fast evolving technologies such as AI. Existing regulations have already begun to adapt to suit the needs.

Asha Palmer, SVP Compliance Solutions, Skillsoft, points out that in many ways, GDPR has been able to adapt to deal with AI. She noted: “Because of GDPR, regulators have collected more than €80 million in AI-related fines alone. Its strict regulations has many companies now considering best practices for making AI GDPR compliant.”

However, she added: “As generative AI tools such as ChatGPT take the world by storm, organisations need to develop and update governance around its usage in the workplace, considering the security, privacy, confidentiality and ethical implications.

“Creating a holistic generative AI governance structure that is sustainable, trustworthy and transparent will require shared accountability between those developing the tool and those using it. All stakeholders must come together to understand the risks and consider what protocols are, or should be, put in place to ensure GDPR compliance.”

Jakub Lewandowski, Global Data Governance Officer, Commvault, agreed. He said: “With LLMs set to revolutionise the world, we can expect to see additional legislation to regulate its use and ensure data continues to be protected.”

He concluded: “The UK Data Protection and Digital Information Bill (DPDI Bill), that will ultimately replace UK GDPR, is already more extensive in its regulations around automated decision-making, while an AI Act has already been proposed in the EU too. Luckily, the experience that privacy professionals gained through building and implementing GDPR frameworks will be a great starting place when the time comes to undertake a similar process with AI.”

Browse our latest issue

Intelligent CXO

View Magazine Archive