Five years on: the legacy of GDPR

A smiling woman with long hair and hoop earrings.
Five years on: the legacy of GDPR

Online banking. Netflix. Even car parking. Technology is an all-encompassing, unavoidable part of everyday life. We share our personal data with innumerable organisations on a daily basis. In fact, a 2022 ESG study on the strategic and evolving role of data governance found that on average approximately 35% of an organisation’s total data contains Personally Identifiable Information (PII) or other sensitive data, stored across all areas of an organisation’s IT infrastructure. And with ransomware and data breaches skyrocketing, the need to protect that data, and the necessity for data privacy regulations are clear.

Even so, the introduction of the European Union’s General Data Protection Regulation (GDPR) in 2018, with its strict rules and hefty fines, sent shockwaves through the business world. Five years after it came into force, we talked to a panel of experts about the impact of GDPR, whether it can be considered a success, and what is next in the world of compliance.

The Brussels effect

GDPR has been referred to as a prime example of the Brussels effect, where EU laws influence regulation beyond European borders. Impacting any organisation in any part of the world that deals with European individuals, GDPR transformed the global data privacy landscape, as many of our experts point out. Sergei Serdyuk, VP of product management at backup and ransomware recovery software vendor NAKIVO, highlights that it has “spurred global discussions around data protection and privacy, leading to more robust data protection measures and increasing the focus on transparency and accountability.” David Norfolk, practice leader for development and governance at market research firm Bloor, describes GDPR as a model for other global regulations, saying “EU GDPR has been a strong catalyst for data protection elsewhere in the world.”

Mikkel Oxfeldt, general counsel, attorney-at-law at cloud data protection and management provider Keepit, agrees that GDPR has pushed data privacy conversations to the forefront globally. Five years on, “the European regulation has inspired data protection around the world and many countries have put privacy standards in place. These include countries in South America such as Argentina, Brazil, and Chile, and in Asia, such as Japan and South Korea. In Australia, the Privacy Act has been in place since 1988, but was recently amended to mirror GDPR concepts. GDPR has also had a strong influence in the US where several states introduced data protection legislation, including California with the California Consumer Privacy Act, and Colorado with the Colorado Consumer Protection Act. On a federal level, the draft American Data Privacy and Protection Act is another example of where regulation is heading.”

So what impact has it had on how organisations are run and data is handled? Aditya Fotedar, CIO at Tintri, a provider of auto adaptive, workload intelligent platforms, explains that while GDPR has ushered in significant changes, they are built upon existing regulations: “GDPR was a progression on the existing EU privacy laws, main changes being the sub processor contractual clauses, right to forget, and size of the fines. That being said – we had to review internal procedures and ensure DPAs [Data Processing Agreements] were signed with all our vendors and service providers and ensure compliance. Most of the data centre products deployed already had the capability to handle the pieces required to get compliant. We had to ensure that adequate procedures were in place around these to ensure compliance.”

Baselines to table stakes

When it comes to purchasing and deploying new technology in the data centre, the introduction of GDPR has moved compliance and security up the pecking order. Paul Speciale, CMO at software-defined storage and data management organisation Scality, points out that “GDPR has made some capabilities that were previously considered ‘baselines’ as mandatory ‘table stakes’ now in data storage.” In other words, they are seen as the minimum requirement. In particular, “businesses now more carefully evaluate the following capabilities when making purchase decisions: data encryption, data minimisation, strong access controls, real time monitoring and alerting, and data retention policies. We base this observation on empirical data, since the requirements for these capabilities have become much more prevalent in customer RFPs in the enterprise and in the public sector.” 

Bruce Kornfeld, chief marketing and product officer at edge data company StorMagic agrees: “StorMagic has seen a significant uptick in end user customers choosing to encrypt all data at rest. This brings with it some other complications – like the need to manage all the encryption keys; there’s been growth in enterprise key management software due to this.”

Finally, Oxfeldt suggests that GDPR has influenced the choice of third party providers. Under GDPR, companies are responsible for the data they share with third parties. He explains:“Businesses that collect personal data are liable for privacy violations by third parties and should ensure that the vendors processing that data are GDPR compliant. Therefore, companies may prefer to contract with large technology providers as they are better positioned to fulfil GDPR legal requirements, which could, potentially, give big tech companies an advantage over smaller businesses.”

The cost of compliance

Gartner predicts that, on average, a large organisation’s annual budget for privacy will exceed $2.5 million by 2024. We asked our experts why and how data privacy requirements have impacted IT budgets. Serdyuk explains that the impact depends on the organisation’s level of readiness for compliance, with GDPR creating new IT-related expenses, notably updating the data protection inventory. “On top of that, organisations are required to invest more in data management and protection solutions, privacy technologies, and compliance personnel.”

Tsvetomira Godinova, senior compliance specialist at cyber protection vendor Acronis, points to the demands on internal resources: “Quite often organisations don’t have an internal capacity to align all business processes and should invest in external consultancy. Fast-paced regulatory developments necessitate constant monitoring.”

Kornfeld highlights that GDPR has negatively impacted service providers’ ability to find new customers since many choose not to accept the use of cookies and/or privacy agreements that allow marketing targeting. Serdyuk adds that it “can have undesirable effects on customer experience. One example is the GDPR consent form, which is meant to be advantageous for users but still feels annoying.”

However, the additional cost is balanced by improved security, improved processes, and data quality. Norfolk points out that “GDPR compliance is a cost, but it also encourages people to think about data, which encourages quality – a benefit.” According to Oxfeldt, GDPR is undoubtedly worth the cost: “Aside from a fear of incurring fines, there are other reasons why GDPR compliance is a good investment, including mitigating the impact of data breaches and generating and maintaining customer trust. Saying that, there’s no question that another important motivation to increase IT budgets is the fear that non-compliance with GDPR will lead to hefty fines, loss of customers, loss of revenue or reputational damage.”

The verdict

In 2020, two years after GDPR came into effect, an EU progress report described its implementation as a success. The regulation has been criticised by watchdogs, experts, and activists notably for its ability to tackle major BigTech cases. This year, the European Commission will propose a new law to further specify procedural rules around GDPR enforcement in cross-border cases. Five years and 1,640 fines totalling € 2,781,943,873 later, we asked our experts to cast their votes: in their opinions, was GDPR a success, a failure, or something in between?

Did GDPR meet its established goals? Godinova explains, “The GDPR preamble provides the main purposes for the adoption of the act, and it stresses the right to the protection of personal data as one of the fundamental human rights. Also, the regulation should contribute to the accomplishment of an area of freedom, security, and justice and of an economic union; to economic and social progress; to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.”

“We can say that GDPR did more or less manage to achieve its first goal,” Godinova continues. “The introduction of the regulation led to increased awareness about privacy as a human right. GDPR’s wide territorial applicability, as well as the fierce fines foreseen, toned up the public debate about data protection. The connection between the second main goal and GDPR is less visible. We can’t necessarily say that the regulation had a significant impact on accomplishing an area of freedom, security, and justice and of an economic union.”

Bryan Betts, principal analyst at  Freeform Dynamics, IT research and analysis company expands: “More success than failure but yes, in-between. Success because it’s greatly raised the profile and awareness of data privacy, with few organisations unaware of the issues now. And its general more-success-than-failure status is shown by how many jurisdictions around the world have subsequently adopted similar regulations.”

Serdyuk states: “GDPR has tackled a long-standing problem. For that alone, GDPR can be considered a success. However, when you are a trailblazer, you should expect some stumbling blocks along the way.”

One of these stumbling blocks is complexity. Godinova describes the introduction of GDPR as a “painful process” for both the private and public sectors, explaining that “on the enforcement level, some local supervisory authorities needed time to develop the required expertise. Some are unfortunately still operating with few resources.”

According to ESG, “complexity of regulations to follow” was the second most frequently cited challenge that organisations face when implementing and managing data governance initiatives. Over a third (36%) of respondents cited this as a challenge. “Excessive amount of data to manage, limits data intelligence capabilities” was the most frequently cited challenge (37%). Other significant hurdles included “too many different data governance applications/technologies to manage” (35%), and the “lack of unified data governance solutions” (30%). The “number of regulations to follow” was a challenge for 27% of respondents.

Speciale says “the biggest challenge is in truly understanding the rules about what PII can be retained and what cannot. In our own business we started out being overly conservative by actually purging lots of data about sales prospects that we were not sure were ‘opt in’. Now, as we understand the rules better there is more clarity that we can store PII for prospective customers that are deemed to have a ‘legitimate interest’ in our solutions.”

Betts adds that “there’s quite a lot of misunderstanding and misinterpretation, with organisations using data privacy as their excuse for awkward and non-transparent ‘security’ and consent processes.”

There are bigger challenges however, as Randy Kerns, senior strategist and analyst at IT analyst firm Evaluator Group, points out: “From a regulation standpoint, yes this has forced a change but that turned out to be less impactful than first thought. From an individual standpoint, I don’t think they see much difference. I believe individuals see that their data privacy is a bigger issue with exfiltration in cyber-attacks.”

What is next?

Our experts agree it is inevitable that data privacy regulations will continue to become standardised across the globe. Oxfeldt says: “As the number of privacy regulations will continue to grow across the globe, Gartner has predicted that by the end of 2024 the majority of the world’s population will have its personal data covered by privacy regulations.”

And this growth in regulation will lead to more innovation and creativity. According to Kornfeld, “StorMagic doesn’t see this trend slowing down. The change that we’ll see is that innovation will kick in and there will be more and more marketing companies finding new ways to target users, while still complying with GDPR and other similar data privacy regulations.”

Godinova agrees, saying that end users are expecting “more secure and privacy-friendly processing from the organisations. These elevated expectations are impelling the more mature companies to re-think GDPR and similar data protection obligations. The implementation of the requirements can be seen not just as a compliance burden but as a means for competitive business advantage based on building trust towards one’s customers.”

ESG’s senior analyst Christophe Bertrand points to the opportunities for data management companies: “I expect to see more intelligent data management capabilities across traditional data protection vendors, where they become a key component of the compliance apparatus.”

For Kerns, security must be today’s priority: “GDPR has been dealt with and is not an ongoing concern for IT. Cyber-attacks with protection of data is the more pressing issue.” Speciale agrees “Data security remains the top priority for our customers and on our own product roadmap for the foreseeable future (especially as the ransomware/malware threat persists).” Curtis Anderson, software architect at Panasas, a provider of data solutions for high-performance and AI applications, summarises: “In essence, GDPR sets consequences for bad behaviour by otherwise law-abiding online organisations, while for data theft and espionage we need ways to actually prevent bad behaviour by law-breaking organisations.”

But, whether or not GDPR has been dealt with, it is clear that it has changed the conversation around data privacy and had a far-reaching and long-lasting impact. Let’s leave the final word to Tintri’s Fotedar: “The paradox of privacy continues –  we want to share our data but do not want you to process it.”