One year with GDPR: Greater data hygiene and security, higher bureaucracy, and more uncertainty
In GDPR’s first year in practice, the regulation has introduced greater data hygiene into enterprises. Organisations have been forced to take a more proactive approach to protecting and managing the data of European citizens, and individuals have benefited as a result of these efforts. To guarantee data privacy, organisations must have insight into the various data pools, often kept in different departments within an organisation, and they must determine whether permission to use personally identifiable information (PII) has been obtained. Only on a unified data basis—a data dictionary or data repository—are IT departments able to check whether the permission to use the data has been obtained.
The two-year lead time to interpret GDPR requirements within companies was, in many cases, not long enough. After all, GDPR represented significant changes to regulations that had been in place for 20 years—regulations that were never designed for today’s digital age. In addition, organisations had to overcome a lack of expertise, leaving many facing a last-minute frenzy of activity to come into compliance.
In many cases, companies overreacted and deleted entire data pools that did not meet the requirement of double opt-in consent, often due to a lack of understanding of how to treat the data pools correctly. This uncertainty led to huge waves of last-minute consent-collection initiatives to gain contacts’ permissions. However, in the majority of cases, these initiatives did not have the desired effect, and databases were consequently reduced considerably. Companies wound up spending much of the first year under GDPR heightening security and data privacy standards, as well as overcoming the effects of reduced databases.
Furthermore, companies had to put technology in place to help them control and protect digital assets. They also had to reconcile the disjointed conversations between departments to produce the shared insight necessary to update an organisation’s security posture. These basic discussions were essential to modernise the infrastructure and meet the state-of-the-art security requirements.
Processes should now be in place to not only guarantee data protection but also to manage data more effectively, as companies have gained a better understanding of where to store PII and who has access to this data. Documentation on the IT infrastructure and the measures taken to remain compliant should also be in place by now. Campaigns to brief staff on the requirements of the regulation led to a better understanding of these measures and protection goals, so that staff are now able to run data collection efforts on the basis of privacy by design—a key element of GDPR. All these measures are essential for compliance with the reporting requirements in the case of data loss and, at the same time, they help companies increase their data hygiene.
However, while GDPR has introduced greater data protection, it has also increased bureaucracy. A host of templates and forms have emerged to keep track of implemented processes and help organisations demonstrate compliance. Templates used to prove compliance across the whole supply chain of data management and processing led to countless interactions and paperwork between all involved parties. So far, there is no standardisation in place to simplify these processes with unified templates, which means uncertainty is here to stay. Certification under Article 42 of GDPR, still pending, will introduce a voluntary process to assist in demonstrating compliance—so the work is not yet done.
Uncertainty regarding whether organisations are compliant or not—despite these efforts—will remain as GDPR in its infancy leaves room for interpretation. The first fines imposed by CNIL in France and the ICO in the UK against such giants as Google and Facebook demonstrate that data privacy is now being taken seriously, especially if companies fail to comply with the transparency rules. This is a clear statement of intent from some of the monitoring organisations. However, comprehensive and standardised review processes are not yet in place around the world.
In the end, the individual user is definitely the winner. Individual rights have been strengthened and users and consumers profit from more transparency. Enterprises have gained more insight into their processes and data pools and have brought structures into their data collection and management habits. However, they still struggle with uncertainty due to the huge pile of newly implemented requirements.
Learn how Zscaler can support your GDPR compliance efforts.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rainer Rehm is the Zscaler Data Privacy Officer, EMEA