GDPR recently turned four years old, so we took this opportunity to raise a glass to our favourite data protection law with an insightful webinar looking at its past, present, and future. We had a spirited talk on the many successes, shortcomings, and prospects for GDPR as it moves out of toddlerhood.
A special thanks to our panellists, Pantelis Angelides, Head of Cybersecurity & Operational Resilience Advisory for Complyport, and Nadine Ghosn Eid, Director of Compliance & Regulatory Affairs at areeba and Founder of BeyondComply, for sharing their knowledge with our community.
If you missed the webinar, the event’s full transcript is now available to members, so feel free to check it out below or join our growing GRC community.
For now, here are some of the event’s main highlights!
What have been some of the major wins for GDPR during the last four years?
Pantelis Angelides: “In retrospect, seeing how GDPR evolved these four years, we have seen that it promoted a sense of accountability for data processed by companies. I worked with many companies in the past and I noticed that they had this sense of ownership of people’s data. Since 2018, this shifted and, of course, they felt more accountable about the people, their employees, or customers’ personal data. This increased obviously the sensitivity of organizations and individuals around personal data.”
“We have seen a lot of things in social media and people arguing about their personal data and human rights because before 2018 and GDPR nobody cared about these two particular rights—privacy and data protection under the EU Charter of Human Rights. So we have seen a lot of pressure on promoting these human rights, it helped to force organizations to make security upgrades and this is very important because we have seen that, since 2016, cybersecurity has become a hot topic. It was not mandatory in the past, it was only picked up by large banks and financial institutions, and cybersecurity and information security was not so hard as it is today.”
“So GDPR, I think, boosted a lot these security upgrades and a lot of other regulations. Many other regulations that followed GDPR, especially in the financial sector, followed the exact model of GDPR, talking about risk-based approach, mentioning security, referring to guidelines about operational resilience, etc. So we have seen a trend that all new regulations are following the model of GDPR, so it made a lot of good. And I think in the near future we expect to see more things from GDPR as it evolves.”
Have there been any notorious shortcomings to what GDPR set out to do and if so what do you think needs to be done to rectify these mistakes?
Nadine Ghosn Eid: “Every legislation or every law has some loopholes. I would not call them shortcomings but rather disadvantages or challenges. When it comes to GDPR, there is somehow overregulation. One of the big downsides of GDPR compliance is the cost to achieve it. Several companies have adopted extensive and costly adjustments to their operations in order to meet the GDPR’s requirements on documentation and procedures. And in order to become compliant, it is not enough for companies to update their internal policies. They must also appoint a Data Protection Officer and ensure that all their products take a privacy-first approach in their design. This, in itself, means additional cybersecurity features that need to be included in software architecture, and hence more work for developers. Also, the complexity of the regulation requires companies to hire expensive lawyers especially to avoid the huge penalties resulting from breaches.
What needs to be done to improve the regulation? I believe that data protection authorities can create a level of guidance that takes into account all the challenges faced in GDPR compliance. They can create dialogue and exchanges of experience with all concerned stakeholders. In addition, the guidance should contain more specific advice in the form of examples, checklists, and templates.”
How has GDPR been adopted by countries outside of the European Union? Are there any success stories?
Nadine Ghosn Eid: “Since its entry into force in May 2018, the GDPR has had a significant impact on data protection policy and enforcement beyond the EU, and it extended many of its data privacy protection to users’ data globally. GDPR has had various effects in different countries. There are certain cases of GDPR enforcement outside the EU. Some countries have incorporated GDPR provisions into their national legislation. Some have attempted to regulate data processing rules based on international treaties, while others took no steps in legislating rules on data privacy. More than one hundred countries have adopted data privacy laws after GDPR. In the Middle East, countries like UAE, Bahrain, KSA, Qatar, Egypt, Iraq, and Lebanon have all adopted data privacy rules.”
What do you expect for GDPR during the upcoming 5-10 years?
Pantelis Angelides: “I am very optimistic. To set the scene, we have seen GDPR come a long way since its implementation and, to the credit of the organizations that comply with GDPR, they came a long way as well. I know that they struggle on security, data transfers, and new technologies. We have seen a lot of speculation on what new technologies will bring in the privacy sector, like blockchain, for example, like artificial intelligence about profiling. With a little data, they can profile individuals very easily. So all these are the challenges and I am sure that we expect GDPR to maybe cover this as well in the future.”
“What we expect, not in the long term but in the short-to-medium term, is the certification under articles 42 and 43. As we all know, it is expected that there will be certifications, so we need some common criteria for organizations to put their frameworks under audit and they will get some kind of certificates. That would be the next thing. We expect that there will be some more solid mechanisms, as Nadine mentioned earlier, which need to be approved, what is okay to do and what is not okay to do.”
“Complexity with new technology will continue and this, I believe, will create more requirements to amend the regulation at some point because, at the moment, we have very few articles that touch on new and innovative technologies. And I believe the challenge will continue on the Big Four technology giants and others to limit their choices, because at the moment they do a lot of processing without people knowing. The EU, as they mentioned in their strategy, because every two years they renew their strategy, they want to bring GDPR to the rest of the world, so they want to go global and I believe the effort that third countries are doing at the moment, it will be a joint effort, so there is a more calibrated data protection framework as we go into the future.”