Experts discuss the changes seen since GDPR’s implementation four years ago


In 2016, the EU adopted the General Data Protection Regulation (GDPR) – a law introduced to ensure data privacy and protection. Member States were given two years, until May 2018, to make it fully implementable in their countries. Four years on, organisations are introducing solutions to better manage GDPR requirements and ensure they handle data correctly.

Cyara, provider of the award-winning Automated Customer Experience (CX) Assurance Platform, has announced the launch of a free GDPR compliance testing service for organisations’ chatbots in both English and German. The compliance checker, provided through Botium and informed by GDPR experts, helps organisations understand whether a bot can deal with customer enquiries in a way that satisfies GDPR requirements, reducing the risk of non-compliance and providing enhanced assurance to customers around data governance.

“As chatbots collect information in an informal way, this data isn’t necessarily treated in the same way as more formal datasets,” said Christoph Börner, Senior Director, Digital, at Cyara. “Our free GDPR compliance checker will enable us to understand how a bot treats a user’s data – allowing us to suggest ways to fix GDPR violations – providing additional reassurance to customers and helping free organisations from unnecessary risk.”

Cyara’s GDPR compliance test includes a broad range of questions that a customer may ask about the use of their data to understand whether the bot deals with these enquiries in a compliant way. The test also audits the processes behind the bot – such as where data is stored and who can access it – in order to ensure that these, too, are in line with GDPR regulations.

If any areas of non-compliance are detected, the checker automatically provides an actionable list of steps for organisations to take to bring the bot into compliance. By easing the process around best-practice data governance, Cyara’s approach reduces the risk of fines associated with non-compliance and allows bots to quickly and accurately assist organisations’ customers who want to know how their data is being stored.

We speak to four experts about GDPR and what changes they have seen from its implementation…

Danny Sandwell, Quest’s Data Strategist

When we look at the big picture, GDPR really has become a vital component of global privacy law. It set the standards for others to follow and it brought data privacy and data management into focus for everyone from citizens to enterprises and government institutions. Over the last four years, we shouldn’t underestimate the impact GDPR has had on highlighting the reasons that companies should take data-related issues more seriously and not put them on the backburner or leave them as an after-thought on their journey to being their ‘best-self’.

However, as data protection regulations expand from simply a ‘citizens-rights’ focus, many global organisations now find themselves struggling to manage the convergence of multiple data regulations across different regions and domains. This continues to impede progress on another key goal for their data, leveraging it to optimise growth and improvement. A key element of the latter is expanding the ‘democratisation’ of data and enabling greater self-service for the business in the strategic use of their data. 

The convergence of GDPR and the need for a smarter, more data-driven enterprise has expanded the roles and responsibilities that are impacted by data regulations and created a new requirement for your regulatory response. Compliance has moved from the GRC team in the back room and their IT enablers to any and all data users of all stripes across the enterprise. This has resulted in organisations looking at data regulations more holistically and managing sensitive data in an environment where they can understand the unique requirements, impacts and manage any conflicts that may arise from the different viewpoints and drivers of said regulations. Part of this is increasing the literacy of data users around their responsibilities and providing wider visibility into impacted data. The other part is infusing the same visibility and literacy into the data and IT professional, building new data pipelines and applications so that they are compliant on day one and don’t risk costly missteps and expensive re-work. GDPR has forced organisations to put sensitive data governance and regulatory compliance at the front and centre of their Digital Transformation efforts. 

What’s also changed in four years is that there is a much greater focus on the physical geographical location of data. Thankfully, cloud providers are no longer spinning their heads around in response to many organisations’ specific regional hosting needs. With the various compliance, auditing and breach notification requirements under GDPR better understood, the major cloud providers are equipped to help organisations navigate and advise along the way.

This holistic approach to GDPR compliance will drive further innovation. In continuing efforts to mitigate risk, organisations will demand ‘out of the box’ compliance in the data and services they procure in order to relieve the burden. It will start as a competitive advantage for the innovators on the supply side and then commoditise into the cost of doing business.

Andy Teichholz, Global Industry Strategist, Compliance & Legal, OpenText

As we mark the fourth anniversary of GDPR, organisations are facing a more knowledgeable, confident and powerful world community demanding greater transparency in terms of how their personal data is used and expecting organisations to be held accountable for their behaviour. Last year, not only did we see a significant increase in the number of GDPR fines, but we witnessed the biggest one to date with many of these fines focused on punishing organisations that seem to present ambiguity or lack transparency in processing and communicating decisions with their customers. 

Reputational management – maintaining a happy customer base – is driving boardroom discussions and forcing organisations to identify a new data privacy strategy beyond regulatory compliance risks. Consumers demand integrity and truthfulness regarding how personal data is processed and used. Customers demand control and are not reticent to exercise their rights to delete or request copies of any personal data that has been processed. 

For many organisations, fulfilling such requests is incredibly time-consuming, is often still a manual process and – as many organisations have internal silos – even locating all available data is an undertaking. With a focus on brand reputation and retaining customer loyalty, organisations are looking to innovation and automation to manage these challenges and as a source of competitive advantage. Gaining trust is so dependent on delivering a consistently great customer experience that effective communication of personal data policies, practices and any breaches as well as a streamlined Subject Rights Requests (SRR) management process must be top of mind. Organisations that foster an integrated, data-centric approach to privacy management – leveraging data discovery and classification tools, risk mapping and data management platforms with strong retention capabilities – will be in the best position to execute on these priorities. This will earn individual trust and retain the right of custodianship of customers’ personal data as well as differentiate themselves in the marketplace.

Ricardo Ferreira, EMEA Field CISO at Fortinet

After four years of GDPR implementation, the journey has been bumpy but positive. Launched in 2018, GDPR aims to harmonise how member states deal with data protection, helping citizens understand how their data is being used, and giving them rights over their data.

First, we saw the introduction of specific privacy roles such as the DPO (Data Protection Officer) to ensure the organisation complies with the laws regarding individuals’ personal data. This was the starting point for making organisations aware of the importance of securing personal data. The fact that organisations now have a privacy-by-design mindset, ensuring data is encrypted and PII data is classified and correctly handled, is something that, before the GDPR, was seen as an extra cost.

Secondly, we saw a massive adoption of data lineage solutions, enabling auditing, accountability and allowing organisations to better understand the flow of data through a system. As we increasingly become a data-driven society and organisations consume huge amounts of data, it is imperative to understand how that data was generated, how it was processed and how it is used. As a result, data lineage solutions have grown tremendously over the past four years.

The purpose of GDPR was to provide transparency and compliance, but also sanctions. The fines under the GDPR over the last four years have been huge, especially last year, reaching millions of dollars and targeting some key technology players. The sanctions also served to signal the scope of the GDPR, as there were criticisms of slow investigations, confusing processes and unclear responsible authorities in member states.

One thing is certain: GDPR inspired many regulations around the world based on its model, and the EU will certainly benefit from its experience in its new laws on data, AI and digital services. As for GDPR, although it is slowly maturing, its success will be weighted on how it relates to other countries’ requirements and becomes part of a harmonised privacy regulation across the globe. It is also important to make sure there is an appropriate framework for international data transfer so as not to harm the EU, due to restrictive measures from GDPR interpretation, especially as data-reliant industries represent almost half of the European economy and the trend is for data-reliant industries to grow.

While there was a learning curve behind GDPR, we can now appreciate the positive and impactful aspects that it brought us.

Nick Vigier, CISO, Talend

GDPR came on the scene with the same fanfare and confusion as the Y2K bug in 1999. Organisations scrambled to understand the legislation, anticipated the punitive actions that could be taken against them and hired privacy teams to manage privacy risk. As with any highly anticipated or feared product, it seems to have followed a technology ‘hype cycle’ of sorts; some elements have faded into the background while the principles of it have remained front and centre and have been the basis for local copycats around the world. All the while, organisations have struggled to stay on top of their obligations to GDPR and other privacy regulations while also being faced with Big Data complexities laden with Personally Identifiable Information.

GDPR introduced the notion that a person’s PII, or any data that can be used to individually identify a person, is considered protected information. It also brought with it a right to be forgotten/deleted from those data stores. Other countries and regions have then modelled their policies after GDPR with their own special twists, like California’s CCPA. This has left organisations playing a game of privacy whack-a-mole in an attempt to manage their own legal risk as well as deliver the desired privacy to their users.

GDPR and derivative policies have then gone through a hype cycle of announcement, pre-enforcement, activation, surge in enforcement, followed by a long tail of compliance. CCPA was another great example, where lawyers were collecting the names of California residents whom they could use to file class action lawsuits when the law went into effect. We also saw several GDPR enforcement actions brought against high-profile organisations in an attempt to drum up the value GDPR was bringing.

While the regulations did introduce more intentionality and conversation around privacy, as well as privacy-related certifications like ISO 27701, they also led to consumer confusion. Consumers in a rush to protect themselves filed requests to know what data an entity had on them and then demanded deletion. These deletion requests often brought with them an undesirable termination of the user’s service, since the information was needed to provide the service. This confusion, along with the load on organisations, has led to a significant amount of churn in the industry to maintain compliance.

As a CISO, GDPR has brought the issue of privacy to the front of the conversation, whether dealing with log collection for security monitoring or product development. The language has become commonplace in the C-suite in a way that did not exist before, nor carried the gravitas it deserved. I hope that the next four years show a harmonisation amongst the policies around the world to introduce a global language for privacy and to set expectations uniformly, to deliver value to customers and consistency to the policies and products being developed by organisations.

Dave Horton, VP of Solutions Engineering, Odaseva

There’s been a lot of turbulence with data privacy obligations in the past four years. Post-Brexit, there was much debate about whether the UK would have the equivalent status it had, when part of the EU, with regards to GDPR. For a period, the terms of deal/no deal Brexit meant that there was a risk of the UK being digitally isolated from Europe. Currently, the UK has Adequacy status until June 2025 and the EU Commission will need to decide whether to extend this a further four years. 

In the mix of all of this, we also see invalidation issues with the EU/US Privacy Shield, which regulates how EU data crosses borders to the US. 

Everything is in flux. It’s a further complication that each US state is bringing in its own data privacy laws, with California leading the way. For many organisations the goal would be to have a US Federal Law, instead of managing 50 different laws. That would make it easier for companies to respect consumer rights. 

Pre-GDPR, data hygiene practices were often very poor. For example, some large organisations had never deleted any data from CRM or other systems. Then GDPR came along and Article 5 regulates that you keep data ‘no longer than is necessary’. 

‘Is this data still necessary?’ – that’s quite an ambiguous question to answer. Today, companies are a lot more careful about the purpose for which they store data. Building customer trust is a differentiator. Four years ago, the motivation for companies to improve their data hygiene practices was mainly to avoid the risk of enforcement action from regulators. However, now that privacy is better understood by individuals, having high standards is not through fear of regulatory fines, but to avoid any negative impact on their brand’s reputation.

Whether your company is in the UK and/or EU, being compliant with UK GDPR or EU GDPR is important – because fundamentally, the two are very similar. Mapping out the data processes and understanding what data they store on their consumers and data subjects are key. Many companies need to review existing contracts, in particular ones that pre-date GDPR and Brexit, and ensure they include clauses for data privacy complaints, for example. 

Companies need to use technology solutions to consider their data life cycle; there needs to be a plan around how data enters and leaves the company. In the context of technology solutions, having an easy-to-manage process while still maintaining consumer rights is key. Having a scalable process for storing CRM data – ensuring the right to be forgotten and the right of access – is critical.

Intelligent CIO Europe