Today is GDPR day, or rather the 5th anniversary of the EU’s General Data Protection Regulation (GDPR), which is marked on May 25. GDPR has changed how many businesses operate, although the process has not been to the satisfaction of all parties – both companies and individuals. How successful has the regulation been and what are some of the ongoing ramifications?
George Gerchow, IANS Faculty and CSO and SVP of IT at Sumo Logic, tells Digital Journal that GDPR is not a piece of legislation that stands still: “The General Data Protection Regulation (GDPR) is an evolving regulation, and there are several developments expected in the coming years.”
In terms of what could drive the updating of the regulation, Gerchow cites:
In terms of new technological developments, in both the business and consumer sectors, Gerchow says: “As new technologies such as artificial intelligence and the Internet of Things become more prevalent, there will be a need to assess their impact on data protection and privacy. The European Data Protection Board (EDPB) is expected to provide guidance on the application of GDPR to these technologies.”
New forms of communication require new methods to protect data. Here Gerchow finds: “The European Union is also working on a new ePrivacy Regulation, which will complement GDPR by providing specific rules on the use of electronic communications data. The regulation is expected to be finalized and adopted in the near future.”
Noting these two main drivers, Gerchow assesses: “Overall, GDPR is likely to continue to evolve and adapt to new challenges in the coming years, with a focus on protecting individuals’ privacy and personal data in an increasingly data-driven world.”
Looking at the GDPR issues from a different perspective, Larry Whiteside Jr., CISO of RegScale, considers the influence of the regulation upon other privacy measures in other countries, notably the U.S.
Whiteside calls out: “Reflecting on another year of GDPR reminds me that the mere existence of this regulation has been a global game changer. From California Consumer Privacy Act of 2018 (CCPA) to the Personal Information Protection and Electronic Documents Act (PIPEDA), GDPR has been driving the notion of data privacy across the globe. To me, it’s a good example of what potential global policy could look like. Looking back at 2021, though the fines were not the highest we’ve seen, there were still some very hefty fines levied in 2022 with Meta and Clearview being the two organizations hit the hardest.”
As well as geographical reach and business developments, Whiteside sees GDPR as having been sufficiently robust in the face of data breaches: “There are also two additional things being worked in the background to enable GDPR to keep up with the new threats to data privacy and reduce some of the current complexity that exists in its current state.”
Considering the U.K., Whiteside sees the government as appearing to be unsure as to how to handle societal and technological changes and challenges: “There is currently a Data Protection and Digital Information Bill, which had its first reading in May 2022, that seems to be stuck. This new bill seeks to simplify GDPR and make it more agile to adapt to the needs of organizations trying to create data privacy policies and architectures that enable them to meet the specific controls of GDPR.”
Another area that requires addressing is artificial intelligence and the possibilities and dangers that the technology presents. Whiteside says: “Additionally, in an effort to combat the risks being introduced due to the AI phenomenon, there is work that is being looked at to identify the intersection between the Artificial Intelligence Act (AI Act) and GDPR. The outcome could be very interesting in how organizations meet GDPR as it relates to privacy data and artificial intelligence.”