Two years on: Has GDPR been taken seriously enough by companies?

Despite limitations to its enforcement, businesses should not look to dodge GDPR regulation, but embrace it

Over the last two years, you have undoubtedly been bombarded with notifications and pop-ups regarding your personal data every time you click on a website, and since the introduction of the General Data Protection Regulation (GDPR) in Europe, we’ve spent a lot more time thinking about who we grant access to our data, and whether it’s used responsibly, aligned to our consent. These pop-ups are often irritating when scrolling through the Internet and shopping, something that has no doubt been exacerbated under lockdown conditions for all of us.

In the current pandemic, the conversation around privacy has heightened. Not only has Brave issued a complaint highlighting that not enough fines have been handed out to companies failing to comply with the regulation, but, amidst calls for a relaxation of existing rules to enable companies to use our data to fight the pandemic, some say GDPR has never been more relevant than it is today, with more remote workers on private networks and increased data risk exposure to the workflow. Privacy regulators across the continent have been working around the clock to issue guidance on the legal limits of the technology, aimed at tracking the spread of the COVID-19 pandemic. But, should the rules around GDPR be relaxed right now, and what exactly have we achieved in the past two years?

GDPR under crisis conditions

Consumers globally have been more willing to share their personal data with organisations and governments in the face of the pandemic, in an effort to ‘do their bit’ to help track the spread of the virus. When given a choice between privacy and health, most will choose health, and if given a good purpose for giving away personal data, consumers will tend to do so. This is often referred to as the ‘data-value exchange’. This can be seen in countries, including Israel, South Korea, Singapore and Taiwan, that have been quickly implementing technology using data from smartphones for the likes of contact tracing and quarantine control. However, without a regulation similar to GDPR in these countries, concerns have been raised that some of the data collected is so detailed that individual people can be identified from it and privacy abuses will follow.

Unfortunately, this choice between privacy and health is a false one, as we all can and should enjoy both privacy and health without negatively affecting efforts to tackle the pandemic. The tools, technology and processes that have been put in place to deliver GDPR compliance as a defensive programme can be leveraged by businesses as a competitive offence for faster innovation and better business analytics, to help mitigate the effects of the pandemic. The companies that have already invested in a data governance and privacy strategy in compliance with GDPR are positioned to share their anonymised data insights and collaborate with others on critical projects. 

Undermining the problem

Currently, not all organisations have a robust data governance, data privacy or data management strategy in place. Many see implementing extra technology as a cost, but the technology deployed for GDPR compliance can help to implement a robust data management strategy as well as achieve compliance. Thinking about these technologies as a balancing act between increased risk and cost on one side and greater exposure to new business opportunities on the other has led many to differentiate and innovate at a slower pace, taking more time than they need to undergo digital transformation and implement a robust data strategy that accelerates value creation.

It has never been easier to utilise technology to support organisations in automating a good data management strategy. Five years ago, if you wanted to carry out a data audit of your sensitive information, it was often a manual, laborious and time-consuming process. But today, with AI and metadata-driven discovery tools available that can catalogue this data quickly and automatically, the process is much quicker, despite working with larger, globally dispersed, and more fragmented data sets. With AI-based discovery tools deployed, businesses can help ensure they always have access to the most up-to-date, relevant information to support high quality decisions to drive revenue generation with lower risk of abuse.

At a time when businesses have access to more data about their customers than ever before, an important element of being an ethical, trustworthy organisation is how carefully and responsibly it manages that data exposure, in line with privacy policies. Smart business leaders know that they don’t own the customer data they collect – they are responsible stewards of it! By keeping it safe and only using it for permitted purposes that align to customer instructions, organisations can win customer trust, preserve loyalty and, in turn, create better customer experiences and business outcomes, all from actively complying with the GDPR.

Despite limitations to its enforcement, businesses should not look to dodge GDPR regulation, but embrace it and the benefits that it can bring through improved data governance best practices. Its potential has been recognised across the world and is manifested in new laws, from the Lei Geral de Proteção de Dados (LGPD) in Brazil to the California Consumer Privacy Act (CCPA). Perhaps most importantly, the GDPR doesn’t just enable innovation, but at a time when the world is becoming increasingly turbulent, it reminds us and grounds us in the knowledge that we have rights over our own privacy, and on a much deeper level than consenting to yet another cookie policy.

Greg Hanson is vice-president, EMEA and LATAM, at Informatica. His work currently includes master data management, cloud integration, data security, data as a service and data governance. His opinion piece was originally published at Information Age to mark the second anniversary of the GDPR.
