After five years of data regulation through GDPR, TJ asks industry experts to share their thoughts on its success and look to the future

The world has certainly changed since General Data Protection Regulations (GDPR) came into force five years ago. The EU’s regulatory change developed a common language for businesses to discuss data protection and privacy, prompting significant improvements in governance, awareness and monitoring regarding the use of consumer data. GDPR has also adapted to suit the needs of evolving technologies, persevering through a period of massive innovation.

However, post-Brexit, with the rise of remote workforces and new tools like ChatGPT taking centre stage, does GDPR stand the test of time? Industry experts share their thoughts on the legislation and what the future of GDPR looks like for UK businesses.

Escalation of fines and penalties

In the lead-up to the launch of GDPR, experts warned organisations that stricter regulations and higher noncompliance penalties would be coming. The escalation of fines and penalties under GDPR reached close to $3bn over the last five years.

This can be largely attributed to the tremendous increase in the volume of data organisations have to collect, protect, and process year on year, explains Gary Lynam, Director of ERM Advisory at Protecht.

“The complexity of data processing is a big factor here too. A total of 1,446 fines have been issued since 2018 all varying in amount and addressing different-sized companies and violations. Statistically, the violations with the most fines are related to data processing non-compliance and let’s face it, with the likes of TikTok, British Airways and Ticketmaster being among the prominent names to have received fines, GDPR is clearly by no means a simple tick box process.”

“Creating a holistic generative AI governance structure that is sustainable, trustworthy, and transparent will require shared accountability between those developing the tool and those using it.”

On a positive note, reporting statistics from GDPR’s inception in May 2018 to present day show a general downward trend in incidents being reported to the ICO.

“Does that mean companies are getting better at protecting data and privacy or does it mean they are reporting breaches less frequently?” questions Richard Starnes, Cyber Security Strategy Director at Six Degrees. “ICO fines have risen in frequency and cost over the past five years, brand damage for breaches is now understood, and class action style lawsuits are becoming possible in the UK. This can have the consequence of causing companies to raise their data protection capabilities, but there is also an incentive to report breaches less frequently or at all. Let us not forget the recent case of the former Chief Security Officer (CSO) of Uber who was convicted of US Federal charges for covering up a data breach involving millions of user records.”

Step up or lose your footing

With weighty consequences for non-compliance, companies must take stock and consider much more broadly how their organisation is approaching data security, urges Hubert Da Costa, Chief Revenue Officer at Celerway.

“Take remote and field workers, for example. Since remote working has become commonplace, many employees frequently connect to corporate networks and work with sensitive customer data on the go without a practical and secure connectivity method. In addition, workers commonly access corporate resources through unsecured networks (such as public WiFi, home networks or personal device tethering), presenting a significant risk to data security and compliance.”

He adds, “creating a secure connection for remote workers – from those working at home to field engineers – is a vital step many organisations have yet to take. Five years from GDPR, it’s a long overdue step.”

The UK’s introduction of the Data Protection Reform Bill

Since Brexit, the UK has continued to follow GDPR, however, this is now all up for change. Vicky Withey, Head of Compliance at Node4, illustrates “as the Government now has the opportunity to tailor legislation that is focused within specific market sectors, potential reforms can help organisations to achieve their goals where GDPR has been too restrictive, preventing growth and prosperity.”

In April 2023, the UK Government announced its plans to introduce a Data Protection Reform Bill which is eagerly anticipated by organisations, legal and compliance bodies alike and will lead to a new wave of regulations and policies.

Alev Viggio, Director of Compliance at Drata, points out: “The challenge here is that many businesses will still have to adhere to EU GDPR and this new system pending their customer base – this can create confusion and complexities in any compliance programme, especially when considering the consequences of fines and violations if they fall out of compliance. Managing this manually facilitates the chances of human error, so adopting a continuous compliance approach via automation can vastly simplify the process of following data protection rules and understanding the overlap between various regulations to avoid redundancies.”

The rise in AI and ChatGPT

Not only has the UK government recently started working on the new Data Protection Reform Bill, but the dawn of AI has also led to the creation of the first UK National AI Strategy.

Withey elaborates: “The UK is planning to be the first leading AI superpower, but the risks must be carefully balanced against the right to privacy. With so much personal data being collected, processed, and stored, the potential risk for data breaches is significantly increased. By granting AI access to this data, it also increases the risk of personal data being manipulated to create fake identities for cybercriminals. But, as innovation in new AI and cloud-based technologies continues to grow, the appetite to attract new investors into the UK technology sector has never been so appealing.”

However, Jakub Lewandowski, Global Data Governance Officer at Commvault, adds: “The UK Data Protection and Digital Information Bill (DPDI Bill), which will ultimately replace UK GDPR, is already more extensive in its regulations around automated decision-making, while an AI Act has already been proposed in the EU too. Luckily, the experience that privacy professionals gained through building and implementing GDPR frameworks will be a great starting place when the time comes to undertake a similar process with AI.”

But with generative AI tools such as ChatGPT taking the world by storm, Asha Palmer, SVP Compliance Solutions at Skillsoft, argues it’s imperative that organisations develop and update governance around its usage in the workplace, considering the security, privacy, confidentiality and ethical implications.

“Creating a holistic generative AI governance structure that is sustainable, trustworthy, and transparent will require shared accountability between those developing the tool and those using it. All stakeholders must come together to understand the risks and consider what protocols are, or should be, put in place to ensure GDPR compliance. An effective governance structure must include risk assessment, policies and procedures, and testing and monitoring. Policies should be clear and prescriptive to all employees, supplemented with AI education and training that includes common uses and benefits, potential for bias, and the global AI regulatory landscape. This will support organisational exploration of the fundamental principles of AI governance.”

Five years of GDPR – the good, the bad and the need to evolve

Whilst GDPR has arguably come a long way, accompanied by some time-tested flaws, organisations must also remember that as working practice evolves, organisations’ data protection protocols cannot remain static.

“The best way for organisations to protect their data is ensuring an integrated governance, risk and compliance (GRC) approach,” Lynam concludes. “A centralised and cohesive system that simplifies evolving requirements of GDPR rules and its new UK Data Protection and Digital Information Bill, and effortlessly keeps pace with future regulatory changes and data protection challenges.”