The General Data Protection Regulation (GDPR) turns five on May 25th, so we took the opportunity to ask a range of experts for their perspectives on how the regulation has changed businesses and what developments we can expect in the future.
Ben Kartzman, COO at Mediaocean:
“GDPR regulation has long been criticised for being weak and lacking in enforcement. But with new bills passing through parliament and movements towards tightening regulation, companies will have stricter standards and guidelines to adhere to. We’re on the cusp of a new era of technology, and businesses and regulators have the difficult task of striking the right balance between privacy and innovation, working towards a middle ground that allows both to exist in harmony.
‘Digital transformation’ has been the buzzword of the decade, but it’s played out, long out of touch with business needs and – crucially – inevitable market changes. With new technologies such as ChatGPT emerging and presenting fresh privacy challenges, this will only intensify further. Instead of undertaking a business overhaul, organisations should take a more iterative approach: ‘digital acceleration’. Digital acceleration allows for more agile delivery that doesn’t undermine longer-term strategic thinking or changes to regulatory frameworks, like what we’re seeing now. Applied to GDPR, digital acceleration allows leaders to safeguard their organisations while allowing them to innovate with more flexibility – a key challenge when looking at mitigating risk and ensuring compliance. As people become more aware of their data than ever, businesses have a responsibility to their customers, employees and other stakeholders to make decisions with privacy front of mind. Failure to prioritise is not only a compliance and financial risk, but a significant reputational one, too.
While there are some natural privacy concerns around advancements in technology such as AI, we’re actually seeing these innovations being used as part of the solution. AI is increasingly becoming a crucial pillar of many organisations’ data strategies due to its ability to manage and protect data with accuracy whilst reducing human error.”
Andy Teichholz, Global Strategist, Compliance & Legal at OpenText:
After half a decade of GDPR, businesses are facing a different world when it comes to managing personal data. One of the biggest topics in many industries right now is the growing demand for transparency and accountability from a more knowledgeable consumer base.
While fines can be staggering (we are approaching a little more than 1,600 individual fines totaling almost three billion euros for GDPR violations), reputational management and competitive differentiation are still driving boardroom conversations and informing the investments they make in terms of data management technology.
Technology is advancing and there are powerful options to improve data compliance and transparency. Tools like AI and machine learning can help companies assess, categorize, manage and protect all data appropriately throughout its lifecycle. Also, while subject rights requests, especially Data Subject Access Requests (DSARs), are becoming more commonplace, many organizational fulfillment activities today still rely on manual processes that overwhelm their already constrained resources. To meet mandated deadlines, teams are leveraging information retrieval technologies including eDiscovery tools (with their advanced analytics, review, redaction, and production capabilities) to automate and accelerate the fulfillment process – especially for high effort requests.
With technology innovation, a much stronger data privacy strategy can help operationalize key privacy processes, guard against GDPR breach and build more trusting customer relationships. At a time when customer trust in businesses is fragile, we should use the anniversary of GDPR to reflect on how we can build better, more integrated data management strategies for the next half decade and beyond.
Helena Nimmo, CIO at Endava:
“GDPR regulation has long been criticised for being weak and lacking in enforcement. But with new bills passing through parliament and movements towards tightening regulation, companies will have stricter standards and guidelines to adhere to. We’re on the cusp of a new era of technology, and businesses and regulators have the difficult task of striking the right balance between privacy and innovation, working towards a middle ground that allows both to exist in harmony.
‘Digital transformation’ has been the buzzword of the decade, but it’s played out, long out of touch with business needs and – crucially – inevitable market changes. With new technologies such as ChatGPT emerging and presenting fresh privacy challenges, this will only intensify further. Instead of undertaking a business overhaul, organisations should take a more iterative approach: ‘digital acceleration’. Digital acceleration allows for more agile delivery that doesn’t undermine longer-term strategic thinking or changes to regulatory frameworks, like what we’re seeing now. Applied to GDPR, digital acceleration allows leaders to safeguard their organisations while allowing them to innovate with more flexibility – a key challenge when looking at mitigating risk and ensuring compliance. As people become more aware of their data than ever, businesses have a responsibility to their customers, employees and other stakeholders to make decisions with privacy front of mind. Failure to prioritise is not only a compliance and financial risk, but a significant reputational one, too.
While there are some natural privacy concerns around advancements in technology such as AI, we’re actually seeing these innovations being used as part of the solution. AI is increasingly becoming a crucial pillar of many organisations’ data strategies due to its ability to manage and protect data with accuracy whilst reducing human error.”
Damien Brophy, Senior Vice President EMEA at ThoughtSpot:
Since coming into force five years ago, the GDPR framework has sought to give people and businesses security and protection. The reality has been a state of flux with little enforcement of the regulation, the long-standing business challenge of how to effectively tap into the power of data whilst remaining compliant, and global friction with data laws and standards so different across the world.
Businesses now have the added layer of complexity with The Data Protection and Digital Information Bill currently passing through parliament, which is an update to UK GDPR. While sentiment around the new bill is mixed, business leaders need to see this impending change as a positive move in allowing the UK to become a true playground for innovation. This is due to the changes in the barriers to entry for data use and data manipulation lowering, giving businesses the opportunity to engage with their data more freely and use it to inform growth.
What is crucial now is that businesses start considering the challenges this will bring in terms of driving innovation, lowering the barriers to data entry but still protecting people’s data. There will be a balance required in governance and agility. And leaders also need to push the UK Government to pass this new bill through parliament quicker, as to date progress has been slow and this will soon start impacting the true business innovation that can be taking place in the country.
Charles Southwood, Regional VP and GM – Northern Europe and Africa at Denodo:
‘The fifth anniversary of GDPR provides us with an opportunity to reflect on how far we’ve come when it comes to protecting personal data. However, the reality is that, in many cases, there is still much to be done.
‘Despite the stringent data policies, strict record keeping and time limits on how long data can be stored that GDPR brought into force, we continue to see many organisations struggle to ensure the simple and transparent management of personal data. One of the main hurdles they face is that data is usually distributed in different and separated repositories throughout an organisation; different locations, different formats & protocols and different permissions.
‘With The Data Protection and Digital Information Bill – an update to the UK GDPR – currently passing through parliament, many organisations will seek out modern technologies to get a handle on data privacy. One such technology is data virtualization. In the context of GDPR, a key feature of data virtualization is that no data is moved and copied. This avoids multiple copies being created, where security can be an issue and where the original context and permissions of the data capture can be lost. Likewise, by providing easy and complete access to all repositories, through a single information layer, data virtualisation ensures that data can be traced and audited in real-time, no matter where it is stored, and without the need for duplication. It facilitates compliance with current legislation whilst enabling organisations to protect their data.’