The GDPR 5 Years On: Where Are Organisations Still Going Wrong?

Today marks five years since the GDPR came into effect on the 25th of May 2018. Looking back at this landmark piece of legislation, it's easy to see how it has driven a number of large-scale improvements in the ways organisations gather and process data.

In many respects, the GDPR has increased awareness of data privacy for both organisations and the general public. Before the legislation came into force, data privacy was far down on the corporate agenda and most people weren’t aware of their rights as a data subject.

Today, it’s a completely different story. On its own website, the GDPR is described as “the toughest privacy and security law in the world”. Whether or not this is true in practice, it has resulted in organisations paying far more attention to their data processing activities and in a broader awareness of data privacy amongst the general public. On a wider scale, the GDPR has also encouraged other countries to review or update their data privacy laws. For example, Brazil, China and several U.S. states, including California, have amended their respective data privacy legislation to align with the standards set out by the GDPR.

However, while approaches to complying with GDPR have matured significantly over the years, there is still significant scope for improvement. In fact, just this week, Meta received the largest GDPR fine to date (€1.2bn) as a result of their EU-US data transfers. Cases such as this highlight that enforcement of the GDPR not only has financial consequences but leads to reputational damage as well. While organisations are far more familiar with the risks than they were five years ago, they can’t afford to become complacent.

To reflect on the impact of the GDPR five years on, and uncover where organisations are still going wrong, we’ve spoken to a number of data privacy experts from across Bridewell to hear their thoughts.

Focusing on People, Process and Technology

Chris Linnell, Principal Data Privacy Consultant

We are increasingly seeing organisations shift their focus from people and process – which are now largely well established after five years – to technology as they seek means to establish a more efficient and effective approach, particularly through use of automation. To meet this demand, the Bridewell team have had to ensure we stay ahead of the curve, training our consultants so they are not only pragmatic and adaptable data protection practitioners but also experts in implementing technology solutions such as OneTrust and Microsoft Information Protection.

Data Privacy Keeps Organisations on Their Toes

Scott Nicholson, Co-CEO

The initial introduction of GDPR drove large-scale improvements within many organisations, but whilst some organisations were able to apply the law effectively and turn it into a business enabler, other organisations either took unnecessary measures, reducing their competitive advantage, or did the bare minimum. We often get introduced to clients that have had external support which has involved ticking a few compliance boxes, often offering dangerous or incorrect advice and adding little value to the client. Brexit and the legal landscape are keeping many organisations on their toes, and equally many organisations are still struggling to operationally embed and measure the value of data privacy operations. Our Data Privacy Maturity Framework (DPMF) has helped to address some of these challenges, but equally that requires strategic buy-in and expertise that enables the business to win in their markets, whilst placing the respect and protection of personal data as a priority.

Entering a New Chapter of GDPR

Emma Leith, Director of Consulting

Thinking back 5 years, when GDPR came into force it was a landmark regulation for Europe, sending ripple effects globally. The significant scale of potential fines for data breaches was unprecedented, which succeeded in propelling data privacy and security into the boardrooms of many industries. It also heralded a new era of organisations putting the customer first and in control of the protection of their own data.

Five years on, we still take pride in helping our clients to realise the value and competitive advantage of visibly protecting their customers’ data. Partnering with many of our clients from the beginning of GDPR, we get the sense that we are entering a new chapter in its history, where new technologies such as artificial intelligence combined with increased enforcement are encouraging organisations to continually evolve, rethink and mature their data protection measures, working with us every step of the way to once again turn the law into a business enabler.

Imbalanced Approaches to GDPR

Callan Turner, Data Privacy Consultant

I often see organisations with an imbalanced approach to what is and isn’t important from a GDPR compliance perspective. One of the contributing factors to this imbalance is the quality of the training and awareness campaign, the effectiveness of which is reliant on the level of data privacy expertise within the organisation. Creating training programmes tailored to each specific business area will increase an organisation’s overall understanding of GDPR principles and their effective implementation.

Maintaining GDPR Compliance

Aimee Bush, Senior Lead Data Privacy Consultant

One of the biggest challenges that I still see organisations struggling with is maintaining their Privacy Programmes. The GDPR brought in a large number of new requirements, including Records of Processing Activities, Data Protection Impact Assessments and Legitimate Interests Assessments, to name a few. None of these activities are one-and-done. Organisations need experienced resource and continuous training and awareness campaigns to maintain the changes embedded as part of the GDPR Implementation Programmes.

Looking for support in assessing your compliance against the GDPR? Bridewell’s GDPR Gap Assessment provides data privacy experts to review your current data privacy programme, address areas of non-compliance and align with best practice.