GDPR is Three Years Old!

With all that’s changed in the world, the arrival of the third anniversary of the General Data Protection Regulation may seem trivial, even irrelevant. But dismissing it would be a mistake. This is actually an opportune moment to take stock of what effect it’s had on data protection and whether your organization has managed to keep pace with change to ensure it continues to be compliant. That’s especially important in the wake of a year when the way we all worked changed so fundamentally. The mass working-from-home experiment revealed a host of data protection dangers and duties.

GDPR was never a one-time thing

Think back to the run-up to the implementation of GDPR. You were probably bombarded with messages urging you to prepare for the coming of the new Regulation – capital R. This was no unassuming directive; it was an enforceable law which carried heavy fines with it. No doubt you were warned that your organisation could be fined up to 4% of global turnover. You had to be ready to provide information to potentially millions of ordinary people seeking to check your records to ensure that the data you processed, stored, and accessed was accurate.

Most importantly, you had to do the hard yards of understanding all the intricacies of GDPR itself (not surprisingly, it is a complex Regulation). You needed to identify and document all the personal data you held (about customers, employees, suppliers, etc.) and make sure that you knew where all that data was stored (on both legacy and new technology). Then you had to review your data governance, check consent procedures, put in place people (internal or external) to do that work, and then keep ahead of all the new data flowing into (and out of) your business.

There have been attempts to quantify how much it has cost to do all of those things, and the figures vary wildly. What’s clear is that there has been a greater reliance on third parties and data experts, with billions being spent across all sectors in the run-up to, and immediately after, the magic date of 25th May 2018. But it’s important to remember that GDPR is not a one-time thing: it’s for life.

GDPR has set the data protection standard

By all accounts, GDPR has been a success. As The Economist pointed out recently, Europe might not have any tech giants to rival those of the USA and China, but it has cornered the market in data protection regulation. And because Europe as a whole has over 500 million consumers, the likes of Facebook and Google can’t ring-fence their operations to try and do things differently here. That means they’ve adapted their data rules to match GDPR. It has become the de facto global standard. The California Consumer Privacy Act, passed a month after GDPR, for instance, mirrors much of what the EU demands.

Part of the reason it’s worked so well is that there have been high-profile fines which have concentrated corporate minds. The breach of British Airways’ systems not long after the arrival of GDPR grabbed the headlines. Millions of customers were worried that their personal data – as well as credit card numbers – had been stolen. The Marriott Group of hotels suffered a similar breach. Big fines made the headlines worse for both those companies – £183m for the airline, and £100m for the hotelier. Both were subsequently reduced considerably due to the fact that the pandemic ruined their revenue streams.

What became clear, though, was that GDPR is a serious threat. It might still be evolving in terms of enforcing sanctions, but it is now an established benchmark for global data protection law and practice. The point is to ensure that you don’t get caught out because you didn’t keep up.

An anniversary is a good time to reflect

Anniversaries are times for celebration, reflection, and making new resolutions. Perhaps we’re not celebrating GDPR – it’s a reality, we have to deal with it – but we are most definitely reflecting on what to do now and how to move forward with greater resolve.

You invested time, effort, and funds in getting ready for GDPR; now’s the time to ensure that those firm foundations remain strong. It’s important to keep up to date with the way you’re using technologies like cloud, big data, IoT, and mobile computing. How do they impact your collection, processing, storage, and access of personal data? Has anything changed since 2018 – especially during the past 12 months? Did the move to mass working from home open up new vulnerabilities for your business and people? Did you put protections in place to mitigate those risks?

Now that there are signs that we could be getting back to some sort of normality – or at least a new kind of normal – are your procedures, processes, and systems able to flex to cope with what might change? In the UK there’s Brexit to think about too. Although the UK has left the European Union, there was never an intention to roll back from the obligations of GDPR – enacted in the UK as the revised Data Protection Act 2018 – meaning that you still need to assess how you are controlling or processing data. That’s important as you make new alliances, partnerships, or enter into new ventures not just in Europe but anywhere else in the world.

Are you going through a digital / technology transformation which means you do more in the cloud, use software or infrastructure as a service, and deploy more technologies across your supply chains and real estate which weren’t there in 2018? The data processing landscape is always changing, which means that the onus is on you to ensure that whatever you’re doing now complies with GDPR. The Regulation is a principle as well as law. It is not limited to the technology and practices as they were in 2018. It’s an approach which applies to any new technology or function which controls, stores, or processes personal data.

It’s also important to keep track of the people who pass through your organisation. Many data breaches can be linked to employees being careless with access credentials (or in some cases, acting maliciously), or former workers taking laptops, tablets, or mobiles with them (corporate or personal) which have personal data of customers or employees stored on them. You need to be sure that you don’t fall victim to a breach because of poor access controls. Saying you didn’t know they had the data won’t encourage a national regulator to judge you any less harshly.