
Compliance and the importance of GDPR five years on

With the fifth anniversary of the GDPR being introduced, it is important for businesses to examine why it is necessary and how they can best prepare for the next evolution of GDPR-style regulations.

Why GDPR is necessary for consumers and businesses 

The value of data has grown immeasurably for businesses in the last five years, let alone the last decade, catalysed by the pandemic and extraordinary technological advancements. This has meant that consumers are also more aware of the value their data holds to businesses, plus the rights they have to privacy.  

“There is so much noise around GDPR now that it is not unusual to hear of data breaches from big, known brands,” said J Cromack, chief growth officer, Edit, and DataIQ privacy and trust champion 2020. “This can be catastrophic for the business, not only because the fine could be significant, but they will suffer reputational damage to their brand too.” 

Cromack continued, “I have always said that you should never sell GDPR compliance services based on risk and fear, it needs to be based on doing the right thing by the consumer. It is the right thing because, unfortunately, there are bad actors out there who want to get hold of your data and – because we now live in a digital world – it is much easier for these people to effectively create a digital twin in order to ‘become’ you.” 

Just this week, Meta was fined €1.2 billion after breaching GDPR in a high-profile case. This is the largest fine ever handed out for GDPR breaches, the previous record being held by Amazon which was fined €746m in 2021. 

GDPR compliance brings benefits 

As is frequently discussed by DataIQ members, compliance needs to be one of the cornerstones of a data-driven business. The way in which compliance is ensured has to be integral to the overall architecture and culture of a business aiming for data-led development.

“It is absolutely essential that people do not just treat GDPR, or any form of data protection or information security management, as a compliance tick box initiative,” said Cromack. “It is vital that it is woven into the DNA of a business and that the individuals who are part of that process absolutely get it, because the weakest point in any compliance process is actually the human!” 

Compliance with GDPR also requires businesses to examine themselves and assess what their ultimate goals are. This is important for achieving company-wide objectives, but also for positioning themselves in a seat of trust with their target audiences.

“Just because the regulation says you can do something, it does not mean you should,” said Cromack. “You must think about the type of organisation you are or that you want to be. What is your culture? What is your approach? How do you want to run your compliance processes? Are you truly ethical in your approach? If you go beyond the regulation to do what is right ethically for the consumer you are going to meet any requirements globally around data protection laws. I have always felt that being transparent builds trust with the customer, it shows them that you have the right controls in place to honour what you say you are going to do – or not do – with their data. As consumers start to value their data more and more, trustworthy businesses are the ones who will succeed.” 

This raises the question: what can businesses do to remain compliant and vigilant with GDPR? Firstly, businesses need to stop and assess why they are seeking compliance.

“If your answer is that you just want to avoid getting a fine, then you have probably got bigger problems in your business,” said Cromack. “These laws are there to protect consumers – your customers. As an organisation, you should want to protect your customers; it is good for business.” 

Cromack continued, “You need to put strategy, brand and ethics before data. Without a strategy, you do not know what direction you are taking. It is so easy to get caught up in the ever-expanding ways we can collect data and, often, short-term metrics that have little impact in isolation can become the focus. You need a roadmap that holds the reason for your actions. That way you know what you are trying to achieve, and staying compliant and vigilant to GDPR becomes a baked-in aspect of your strategy.” 

Where is GDPR heading? 

The DPDI will be the latest evolution of the GDPR, but the story will not stop there. Following the excitement and trepidation surrounding accessible AI software such as ChatGPT, new regulations and guidance will follow once a consensus has been reached.

“Data regulations will have to put more emphasis on the ethical boundaries of what they can and cannot do with people’s data,” said Cromack. “I think that ethics will become a bigger part of it – have you followed an ethical framework around how you process people’s data? How are you using AI? We are also seeing a more digitally immersive world with things like the Metaverse. Perhaps that specifically might not take off, but I believe there’s going to be a world where games and experiences will be had on increasingly smart headsets, and those headsets can collect a lot of data – biometric data – on people; how your eyes are reacting, sweat, heart rate, the whole lot.” 

This means businesses need to double down on their transparency, openness and compliance to instil a sense of trust with their customers. Furthermore, the likelihood that regulations will maintain pace with the development of technologies is minimal, meaning that organisations need to emphasise their above-and-beyond attitude to data ethics and compliance preparedness.  

“I think we will also see the UK adopting a slightly more pragmatic approach to data regulations because of ‘privacy gone mad’ situations where people think they need a consent for every single cookie dropped onto your laptop or device,” said Cromack. “Often those cookies are purely there to improve the experience for the consumer, they are not there to suck data back to someone who is going to use your data badly. 

“But of course, there are cases where it absolutely needs to be monitored: If I go into a heart charity website, I do not want a third-party cookie tracking me looking at heart disease content, because that is special category data that could inform an organisation about my health. That information could have an impact on me – especially when it comes to insurance, for instance. This type of data collection absolutely needs explicit consent; people need to know that by going on a website, their data is going to be shared with X, Y and Z organisation. On the other hand, if you are going on a website and it is using your data to provide tailored messages and products to make your experience more enjoyable, why would you want to consent to that cookie? That should just be a legitimate interest, which is what the new regulation is pushing for.” 

Ultimately, the importance of developing trust with customers goes hand in hand with data ethics and compliance; you cannot have one without the other. Businesses need to invest time, energy and thought into their ethical approaches to data and then translate that story to customers, highlighting the benefits and security being provided. Customers are not going to become less aware of the value of their data; quite the opposite, meaning businesses need to adapt and embrace this newfound attitude.
