• Philip Dutton, Co-Founder at Solidatus


• 18.06.2021 10:00 am
#GDPR

Three years ago, GDPR was born and blasted a wind of unprecedented change upon organisations. It ushered in a new era of enhanced data protections – or that was the intention. By 2022, more than 1 million organisations will have a data protection officer according to Gartner[1], while privacy-driven spending on compliance tooling will climb to over £5 billion in 2022.

But, in many cases, GDPR has been treated largely as a box-ticking exercise, pushing the complex and delicate matter of compliance to be performed with a certain feeling of resignation or obligation. 

The introduction of GDPR also instigated much more than a heightened awareness of data privacy. It began a domino-effect of additional country-specific and international data legislation which, in turn, created a complex legal landscape for multi-national businesses to navigate. 

It now has around 128 siblings all over the world, such as the California Consumer Protection Act (CCPA), the Brazilian General Data Protection Law (LGPD), the Personal Data Protection Act 2012 (PDPA), the New York Privacy Act, the India Data Protection and the Malta Data Protection.  Vietnam expects to implement its new Personal Data Protection Decree shortly, so the spread of privacy legislation is not slowing down any time soon. 

Plus, with the UK’s departure from the EU, GDPR took on a new face with its acclimatisation to a post-Brexit nation.  

GDPR also introduced considerable fines for non-compliance, and with a total of £245.3million levied since it came into force, has demanded vastly more sophisticated data management processes within some of the world’s largest businesses. It is particularly acute for banks – and it seems like this is an issue that they are struggling to handle. 

According to one survey, last year nearly 200 fines were levied against financial institutions in 2020[2] for data privacy and compliance breaches - an increase of 141%. This process clearly demands a much wider-reaching strategy than a simple compliance project. Keeping up with the numerous international developments when it comes to data privacy requires a continual approach if businesses wish to stay on the right side of so many laws. 

As regulations proliferated, the operational burden has driven businesses to find efficiencies within their own structures, through understanding their internal information practices and flows in greater detail. 

Still, monitoring over 1,000 regulatory bodies on an international basis, which between them issued almost 57,000 alerts on regulation in 2019 alone according to a Reuters report, is a mammoth task. 

The amount of data and related regulations flowing through the world's organisations will only increase still further. Developing institutional methods to keep pace with these changes is more than a matter of threats of fines, for the successful business it also leads to operational advantages.

Organisations need to take stock of their data compliance and operations, and work towards a better GDPR posture for the coming three years and beyond, for the good of their customers, reputation, and finances.

With that mind, here’s five things businesses can achieve, if they harness the capabilities of today’s cloud-based data management platforms like ours: 

1. Use obligatory regulatory spend to achieve compliance and a 360° view across your organisation to capture positive returns on initial privacy investments. 

2. Implement a tool to cover all global data protection regulations, in an agile and scalable way, indicating the delta where there are differing regulations for each region/country. Collectively, this reduces the cost of regulatory compliance for multi-jurisdictional organisations.  

3. Significantly reduce compliance costs by taking a proactive approach to all personal data regulations. Organisations can clearly document and audit their data landscape, providing privacy impact assessments instantly. 

4. Mitigate significant reputational risks associated with a data breach and avoid regulatory fines and sanctions by tracking personal data, its use, and how it interacts with your organisation’s systems and processes. 

5. Demonstrate to a regulator how and when Privacy Impact Assessments (PIA) were conducted and prove how information is accessed, collected, stored, used and deleted.