Put into effect in May 2018, the General Data Protection Regulation (GDPR) shook businesses globally — and the European Union specifically — as organizations scrambled to adequately meet the compliance deadline. Two years later, GDPR has had a ripple effect as global companies with European subsidiaries have been forced to comply or face fines.
As we look to the future of GDPR, it’s clear that the regulation has had a lasting impact on businesses and the pursuit of data protection. However, the new rule wasn’t as successfully implemented as many had hoped.
GDPR’s original intention
GDPR was designed primarily to offer consumers greater personal data protection and privacy. Its secondary goal was to streamline regulations for international businesses by implementing unified protection beginning in Europe. GDPR was set to further position the EU as a worldwide technology leader and carve a path for stringent corporate tax policies. However, GDPR’s implementation was clunky, and businesses lacked adequate information about how the change could impact customers.
Strict regulations were established to secure citizens’ personally identifiable information by regulating data transfer outside of Europe. People became empowered to control their digital “paper trails” by requesting a copy of their data being stored by businesses and in some cases requiring businesses to delete it.
The hefty fines for non-compliance posed a nuisance for large organizations and a potential threat to smaller companies. They also spurred massive hiring waves as businesses everywhere opened new headcount for compliance managers who could oversee GDPR and ensure customer data was being managed appropriately to avoid fines.
What GDPR didn’t do
The law was instituted with a clear intention to implement stronger policies for better data protection for individuals. One main element the GDPR launch lacked was a communications team that could effectively support both businesses and consumers through this significant shift in the way companies were tracking and storing personal information.
GDPR fell short in two other areas that had been predicted: it failed to significantly stimulate the European economy, and it did not instill improved trust among end users that their data was safer or more private. Companies began to scramble to figure out how to handle the regulation and to verify that data was being handled in accordance with the new law, and that it could be retrieved if a customer requested a copy, or deleted if a customer requested that.
While a privacy clause was added, there was no simple way to track that businesses were actually making changes to give people control of their data. And on the customer side, a new annoyance appeared in the form of an additional “click through” requirement, but the customer had no way of knowing if this step was useful for privacy, or what was actually behind the “accept cookies” form that popped up virtually every time a browser was launched.
GDPR impact: Three ways the world has changed
Any major new regulation creates new challenges. There are three important ways that the global business landscape has changed since GDPR was implemented in 2018.
Data privacy and protection are now more important than ever across businesses, not only in Europe but throughout the world. Data protection has many layers, but one of the core technologies needed to support it is encryption, which has experienced a spike in demand due to GDPR and the recent CCPA in the United States. In fact, in a recent study by the Ponemon Institute, 48% of respondents in FY19 said their organizations have an overall encryption plan that is applied consistently across the entire enterprise, as compared to below 30% just 10 years earlier.
Detailed, increased visibility into where and when breaches are occurring is now common. It was reported that European authorities received nearly 65,000 data breach notifications and more than 200,000 complaints about organizations’ data protection practices in GDPR’s first year. Organizations everywhere are adding security measures as an IT requirement to avoid the public spectacle and potential PR nightmare associated with customer data breaches.
With the encryption adoption spike due to increased regulation and heightened concerns about data breaches, encryption key management has emerged as a crucial element in the data protection process. Every application around the world that uses encryption also requires a key manager to govern who should have access to data and the policies around that data, so that access is available only to those who are responsible for managing the data. Enterprise key management systems are becoming critical to effectively centralize the creation and management of all the keys, ensure that data remains protected from outside threats, and ensure that the company meets GDPR compliance.
The future of GDPR
While GDPR will certainly evolve over time as organizations continue to work through its kinks, several trends are now here due to the introduction of the law. Companies will continue to monitor strictly to ensure compliance is being met and to avoid hefty fines. However, fines will continue to be issued despite these efforts, as companies navigate through any changes to GDPR.
Organizations will look for ways to affordably secure personally identifiable information by implementing encryption with key management systems (KMS) across the organization, from the edge, to the datacenter and into the cloud. Finally, organizations will establish better policies that communicate to citizens how the organization’s processes give them control of their data, including where exactly data is being stored, and guidance on how they can influence managing, protecting and retrieving it.