On 25th May 2018, the EU implemented the General Data Protection Regulation (GDPR); Robin Campbell-Burt discusses what’s changed 5 years later
On 25th May 2018, the EU implemented the General Data Protection Regulation – shortened to GDPR – which ultimately changed the way we deal with data.
The European data protection law gives individuals more control over their personal information and requires any company collecting the personal data of EU citizens to reframe how it thinks about data privacy. Ultimately, it forced organisations to make “privacy by design” paramount.
Failure to comply with the law can lead to severe consequences. GDPR gave the EU power to levy harsh fines against businesses that violate its privacy and security standards, with penalties reaching into the tens of millions of Euros.
Some of the largest companies in the world, including Apple, Amazon, British Airways, Google and Meta, have incurred significant penalties for failing to meet GDPR standards.
The influence of General Data Protection Regulation
The influence of GDPR has been so far-reaching that countries including Japan, Brazil and South Korea have all introduced their own data privacy laws modelled on GDPR. In 2018, California adopted the California Consumer Privacy Act (CCPA), which has many similarities with the GDPR.
“The European Commission is criticised for many things, but GDPR is the one thing where it can hold its head up high and say, ‘we’ve led the world in this’,” said Paul Brucciani, Cyber Security Advisor at WithSecure.
“As regulatory milestones go, it’s the equivalent of climbing Everest. And it seems to be working as other jurisdictions are following suit.”
Michael Covington, VP of Strategy at Jamf, also agrees on the impact and importance of GDPR.
“The EU’s GDPR has had a tremendous impact on how organisations around the globe handle personal user data since the regulation went into effect five years ago,” said Covington.
“The threat of substantial fines — including the almost €3 billion that have been levied since the regulation went into effect — has forced companies to take privacy and security more seriously. And the impact is not just contained within Europe; GDPR has inspired over 100 other regional privacy standards, including those in many of the individual US states.”
The fifth anniversary of GDPR is a perfect time to reflect
Now that we have arrived at the fifth anniversary of GDPR, it is a perfect time to reflect on what can be improved. Businesses and the cybersecurity industry shouldn’t just be asking themselves how they comply with GDPR but how they go above and beyond to ensure that data is secure and protected.
For some organisations, GDPR is treated a bit like sitting an exam. Instead of maintaining compliance and improving overall cyber resilience throughout the year, businesses scramble to achieve compliance just in time for quarterly or annual audits.
Sylvain Cortes, VP of Strategy at Hackuity, believes that organisations cannot continue this mad cycle of “exam cramming”.
Sylvain Cortes urges companies to test systems for compliance specifications
He urges companies to take the opportunity to test their systems against compliance specifications, such as those in GDPR Article 32, in order to improve their overall cyber resilience.
“Compliance is essential, but we urge organisations to take the opportunity to think beyond baseline requirements to develop a culture of continuous cyber improvement,” said Cortes.
“It’s important to remember that achieving compliance shouldn’t be treated like ‘exam-cramming’ with last-ditch efforts to achieve annual or quarterly audits.”
Cortes also said that GDPR was not a one-off compliance tick box in 2018, and nor is it today: “The goal is to achieve more than the minimum requirements and move away from the tick-box mindset. GDPR compliance is necessary, but it is far from sufficient for modern organisations.”
AI is the biggest challenge facing the EU from a regulatory standpoint
Even though organisations still face many of the same challenges when it comes to GDPR compliance, new challenges have emerged as well. In 2018, when GDPR was introduced, terms such as generative AI, ChatGPT and biometrics were not even on people’s minds; five years later, they are at the forefront of every conversation about technology and IT.
As organisations introduce these new technologies to the workplace, the importance of GDPR compliance does not waver. Brucciani believes the rise of AI is one of the biggest challenges facing the EU from a regulatory standpoint.
“Internet fragmentation, driven by the quest for digital power, is creating regulatory complexity, and the EU has an important role in leading the world through this,” said Brucciani.
“For example, AI is the next big field that will need regulating, and the EU has again made a head start on this with its proposed AI Act, a legal framework that is intended to be innovation-friendly, future-proof and resilient to disruption.”
Why standards in regulations are so important for trust in General Data Protection Regulation
Eduardo Azanza, CEO at Veridas, also argues that trust in new technology, such as biometrics, is built by ensuring that standards in regulations are met.
“With the rise of biometrics and AI, the focus on data protection and privacy has never been more important,” said Azanza. “Questions should be asked of biometric companies to ensure they are following GDPR laws and are transparent in how data is stored and accessed.
“Trust in biometric solutions must be based on transparency and compliance with legal, technical, and ethical standards. Only by doing this can we successfully transition to a world of biometrics that protects our fundamental right to data privacy.”
Ultimately, five years on from GDPR, many organisations still face plenty of challenges when it comes to compliance. However, regulations, such as GDPR, are essential. Organisations should not look to just comply with them but go above and beyond them.
When we see the rise of the likes of ChatGPT, our first question is always, ‘Is our data safe?’ Let’s not forget that GDPR is just as important now, if not more so, than it was five years ago when the EU implemented this revolutionary law.
This piece was written and provided by Robin Campbell-Burt, CEO of Code Red.