Industry experts comment on GDPR five years on

It has been five years since the General Data Protection Regulation (GDPR) came into force as the EU’s legal framework governing how organisations collect, process and secure personal data. Industry experts have their say on how it has affected the industry so far and how things will take shape moving forward.

Damien Brophy, Senior Vice President EMEA at ThoughtSpot:

“Since coming into force five years ago, the GDPR framework has sought to give people and businesses security and protection. The reality has been a state of flux, with little enforcement of the regulation and the long-standing business challenge of how to effectively tap into the power of data whilst remaining compliant with data laws and standards that differ so widely across the world.

“Businesses now have the added layer of complexity of the Data Protection and Digital Information Bill currently passing through Parliament, which is an update to the UK GDPR. While sentiment around the new bill is mixed, business leaders need to see this impending change as a positive move in allowing the UK to become a true playground for innovation. This is because the bill lowers the barriers to entry for data use and data manipulation, giving businesses the opportunity to engage with their data more freely and use it to inform growth.

“What is crucial now is that businesses start considering the challenges this will bring in terms of driving innovation, lowering the barriers to data entry while still protecting people’s data. There will be a balance required between governance and agility. Leaders also need to push the UK Government to pass this new bill through Parliament more quickly because, to date, progress has been slow and this will soon start to affect the true business innovation that could be taking place in the country.”

George Gerchow, IANS Faculty and CSO and SVP of IT at Sumo Logic:

“The General Data Protection Regulation (GDPR) is an evolving regulation and there are several developments expected in the coming years.

“Emerging Technologies – As new technologies such as Artificial Intelligence and the Internet of Things become more prevalent, there will be a need to assess their impact on data protection and privacy. The European Data Protection Board (EDPB) is expected to provide guidance on the application of GDPR to these technologies.

“ePrivacy Regulation – The European Union is also working on a new ePrivacy Regulation, which will complement GDPR by providing specific rules on the use of electronic communications data. The regulation is expected to be finalised and adopted in the near future.

“Overall, GDPR is likely to continue to evolve and adapt to new challenges in the coming years, with a focus on protecting individuals’ privacy and personal data in an increasingly data-driven world.”

Larry Whiteside Jr., CISO of RegScale: 

“Reflecting on another year of GDPR reminds me that the mere existence of this regulation has been a global game-changer. From the California Consumer Privacy Act of 2018 (CCPA) to the Personal Information Protection and Electronic Documents Act (PIPEDA), GDPR has been driving the notion of data privacy across the globe. To me, it’s a good example of what potential global policy could look like. Looking back at 2021, though the fines were not the highest we’ve seen, there were still some very hefty fines levied in 2022, with Meta and Clearview being the two organisations hit the hardest.

“There are also two additional things being worked on in the background to enable GDPR to keep up with the new threats to data privacy and to reduce some of the complexity that exists in its current state.

“There is currently a Data Protection and Digital Information Bill, which had its first reading in May 2022, that seems to be stuck. This new bill seeks to simplify GDPR and make it more agile to adapt to the needs of organisations trying to create data privacy policies and architectures that enable them to meet the specific controls of GDPR.

“Additionally, in an effort to combat the risks being introduced due to the AI phenomenon, there is work that is being looked at to identify the intersection between the Artificial Intelligence Act (AI Act) and GDPR. The outcome could be very interesting in how organisations meet GDPR as it relates to privacy data and Artificial Intelligence.

“As we look forward, we should pay close attention to the EU-US Data Privacy Framework and the impact it will have on transmitting data into and out of the EU. This will make transferring data between countries a lot easier and potentially clearer as it relates to GDPR and the related controls.”

Paul Trulove, CEO of SecureAuth: 

“Consumer privacy has been a huge concern since the dawn of the Internet. Aside from the obvious security concerns, people started to realise that their personal information was a commodity that was being monetised and exploited by large corporations (sometimes of dubious integrity). GDPR was the first truly wide-reaching attempt to codify and enforce consumers’ (and employees’) rights to privacy.

“When it launched, most companies were scratching their heads about how to comply – or even if they needed to comply. GDPR was seen as a significant barrier to doing business in the European Union, the UK and other geographies that had adopted GDPR-style legislation.

“However, over the last few years, GDPR has become a standard and has changed the way companies talk about privacy, impacting everything from policy and legal considerations to product design to operational processes. Thanks to GDPR, consumer and employee privacy protections have been normalised throughout the global corporate world.

“Two-Factor Authentication is not required but preferred for accessing systems that process personal data, per the guideline issued by ENISA — the European Union Agency for Network and Information Security — which advises member states and private sector organisations in implementing EU legislation. However, given the current state of Multi-Factor Authentication, which can be easily breached, we highly recommend that organisations leapfrog and move towards tighter authentication with invisible MFA and eliminate passwords.”

Alastair Parr, SVP of Global Products & Delivery, Prevalent Inc.:

“As it celebrates its fifth year driving positive change, GDPR continues to impact the practice of third-party management with its treatment of privacy as a core requirement. To this end, privacy teams are operating in lockstep with procurement and information security teams, ensuring that GDPR obligations are specified and tracked throughout the third-party life cycle. Accordingly, we expect businesses to become better at tracking non-conformities within their extended enterprises.

“We also see that organisations are beginning to treat data privacy obligations as a global expectation, not just a requirement of their EU operations. For example, CCPA, the DPA 2018 and PIPEDA all bear a strong similarity to GDPR, reinforcing the perception that it set the precedent for what good data protection practice looks like for consumers and businesses alike.”

Intelligent CISO