“How can we address GDPR fatigue two years down the line?” asks Colin Truran, principal technology strategist at Quest
GDPR was introduced to drive a stronger culture of data protection and it came at a transformative time. Many organisations were facing the intersection of on-premises and cloud storage, while also trying to balance data protection with the need to innovate. Already consumed with infrastructure modernisation and cloud security, organisations added GDPR readiness to their seemingly endless list of strategic business initiatives. However, two years down the line, just how successful has GDPR been and how seriously did businesses take the regulation?
Prior to GDPR, we saw many organisations hoarding as much data as possible, in the hope it would enable the sales team and drive business decisions. As the digital world continued to evolve, organisations were gaining unparalleled insights into the way we live and work. With more and more highly sensitive data at risk, GDPR was designed not only to make organisations more accountable, but to force business leaders to rethink their data strategies and create a more transparent and open approach.
GDPR in its early days
To some extent any information or policy which aims to enhance data protection is a good thing. Even if organisations don’t react immediately, they are aware that steps will need to be taken and GDPR has certainly brought data protection to the forefront of the business agenda. However, while there was at first a rush to comply, it seems that organisations are getting GDPR fatigue.
In its early days, there was an onslaught of communication from businesses across all sectors, as they rushed to update every customer in their database. Many of us will remember the tidal wave of privacy policy update emails which hit our inboxes. We also saw the ICO announce its intention to levy heavy penalties on the Marriott hotel chain and British Airways. There was also an uptick in fines issued under the previous data protection regime for offences committed before GDPR came into force, as the ICO looked to show it would enforce the rules.
How GDPR has evolved and the role of the ICO
However, we are now starting to see repeat offenders, reports that the ICO is struggling to meet demand and a possible relaxation of the rules due to the current COVID-19 pandemic. All of this has started to call into question how successful GDPR has been and how it will take shape in the future. We knew GDPR would open up a can of worms from the outset, but organisations still have a responsibility to meet this regulation.
So far, GDPR has played a key role in forcing organisations to recognise data protection, but it’s important to remember that this is a baseline and not the end goal. Organisations need to find new ways to re-engage with the GDPR framework. It shouldn’t just be seen as a burden; it presents a real opportunity for organisations to stand out against their competitors and build genuine trust with their customers and users. GDPR hasn’t just changed the way businesses recognise and value data; it is also causing more customers to think about how and where their information is stored. Businesses should also consider reviewing and adapting their GDPR framework so that it remains relevant to what is happening in their business environment.
Two years down the line, we should also think about the role of the ICO and whether it wishes to be seen as an authority which only levies fines, or whether there is an opportunity to work in partnership with organisations, helping businesses to learn from their mistakes. We are slowly starting to see this happen, and recent decisions such as the ability to postpone fines during COVID-19 show the ICO’s continued efforts to be seen as a force for assistance, as opposed to just enforcement. However, this is a line which we need to tread carefully. While it would be great to work in partnership with the ICO, we need to be careful not to relax the rules on data protection, otherwise we are in danger of making rash decisions whose ramifications could be felt for years to come.
Above all else, GDPR is about making sure that every organisation has data privacy high up its action list and is not just assuming that if it keeps its head down, it will go unnoticed. We need a balanced approach, as any organisation, large or small, tech company or charity, has the potential to hold and subsequently lose personal information. While fines can be levied, changing the mindset of the way organisations run their day-to-day business is no mean feat. GDPR is an ongoing process, and it is likely the regulation will continue to evolve. To be successful, however, there needs to be an element of partnership, backed by tough penalties for those that fail to comply.
Personally, I would love to see organisations striving to take data protection to the next level. Businesses need to be more transparent with the personal data they are gathering and how this will be used.