GDPR three years on – what does the future look like?

by | Jun 1, 2021

Ezat Dayeh, Senior Systems Engineering Manager, Western Europe at Cohesity

The rise of data breaches and tightening privacy regulations have exposed vulnerabilities, inadequacies, and gaps within many IT teams and infrastructure. Now, three years after GDPR’s advent, organisations are still struggling to meet the regulation’s requirements.

As we hit Europe’s General Data Protection Regulation anniversary. What’s actually changed and what does the future look like?

Before GDPR came into force in May 2018, there was a fear that it was the end of days for marketing lead sourcing, and if you had a security breach, you were likely to get the book thrown at you, and no firm would escape fines. Estimates for GDPR fines were predicted to be 79 times higher than those issued under the previous data protection regime. Another forecast said banks could be fined €4.7bn (£4.15bn) in the coming years.

For consumers, the right to be forgotten or ‘erased’ was touted and power, it seemed, might return to the people. As May 2018 approached, so came the deluge of emails from sites we’d used once ten years ago to buy a random present for a loved one, asking us to update our preferences, or risk never hearing from them again. It was chaotic as businesses struggled to grasp what they had to do to be compliant. Parallels were drawn recently as CEOs of businesses large and small offered their views and sympathies around CVD-19.

But, it wasn’t just your inbox that fell victim to GDPR before May 2018, a number of smart device companies updated their terms of use, and a mix of smart thermostats, smart doors and other smart appliances stopped being… smart. And, still to this day many US news websites ban access to users from within the EU.

With many multinational technology firms using Ireland as the HQ for its European operations, it falls on the Irish data protection commissioner (DPC), to lead investigations for all of Europe. This is because of a GDPR rule known as the ‘one-stop-shop’ which states companies should face enforcement where they’re headquartered. The snag here being that the Irish DPC office isn’t particularly well-funded and the workload is high.

According to research published by law firm DLA Piper, since GDPR was implemented in May 2018, there have been 160,000 data breaches reported. And the rate of breach notification has increased by over 12 percent in the past twelve months.

Last May the European Data Protection Board reported that nations had examined 206,326 cases under the law. The Irish DPC had investigations open into at least 17 multinational firms at that point.

Regulators have already moved against big tech companies and others who have failed to properly protect consumer data, but the fines haven’t been forthcoming, aside from where local authorities have demanded payments. The answer in our view is increased partnership with member states and better cooperation with, ironically, sharing sensitive data. Germany has a networked set of regional authorities to support data protection, and similarly The ICO in the UK, and CNIL in France are incredibly active and resourceful operations. While we do not believe large bounty fines should be chased without due diligence, if the big cases cannot be investigated and brought to face the consequences, you lose the adherence of smaller companies.

In reality, GDPR wasn’t just about greater protection and rights to individual’s data. It was a wake up call for businesses across the world with European customers to shape up their practices around gathering amounts of information about individuals. It was a call to get your house in order, and be ready for the next stage of digital innovation.

The EU globally has a significant weight and credibility, and the General Data Protection Regulation and the ePrivacy Directive are the closest thing businesses have to a ‘How to’ manual to navigate the current part of the information economy. And, in an age of coronavirus, as governments globally debate how to end the lockdown and stop secondary waves of infection, this belief in the EU is being tested like no other.

As we approach the Regulation’s second birthday, the news is rife with data privacy headlines. Governments are testing and deploying tracing apps to track infection spread and better understand coronavirus.  Any use of data must be proportionate and fall away once the crisis has passed. The question is, what is more important to us? Data privacy or saving lives?

Though Europe’s laws are strict, exemptions for public-health crises are written into EU data protection rules. Any use of data must be proportionate and fall away once the crisis has passed.

It’s not an easy question for governments to get right and is fueling an abundance of debate. Justifiably so.

Data Privacy in 2021 and beyond: A juggling act

GDPR has undoubtedly introduced big changes for some businesses, and incremental changes for others, without being prescriptive on how it should be achieved. It is, without doubt, a step forward on previous data protection principles, but it isn’t the end game. A plaster for a brain aneurysm.

Recent events are highlighting that there will be more trade-offs to come. Just as individuals traded privacy to access a social network for free, individuals will now be keen to trade a lockdown at home for some level of personal privacy, to allow a level of normality to be achieved once more.

The future of GDPR in its current guise hinges on the DPC of Ireland being able to process notifications and build investigations to take firms to task that break compliance of the regulation for commercial gain. It is widely understood that a fine is a more effective deterrent when framed retributively and in the public domain. If this isn’t being done, what is really driving the need to comply?

For good reason, the Regulation avoided technology mandates, and the guidelines should keep this flexibility and open up potential paths to future digital innovation. We believe that greater collective efforts by the technology industry can help minimise data, reduce fragmentation and standardise reporting for businesses, to enable them to not just demonstrate adherence to the Regulation, but complicit respect for personal data privacy.

Get Our Briefing Newsletter

* indicates required