GDPR 4th anniversary: the data protection lessons learned

On the 4th anniversary of the EU General Data Protection Regulation (GDPR) becoming applicable for businesses, we explore the lessons that tech leaders have learned since

The GDPR law came into effect for organisations across the EU, replacing the Data Protection Directive 95/46/EC, on the 25th May 2018. Ever since, largest of corporations have been caught out, leading to millions being dealt in fines at a time. The largest to date include the $847 million enforced on Amazon in the summer of 2021; WhatsApp‘s $255 million fine in Ireland in September 2021; and the $56.6 million imposed by French regulators on Google in January 2019. Indeed, regulators have looked to crack down on opaque data practices in big tech.

But as we observe the 4th anniversary of GDPR, what have tech leaders of organisations learned from the last four years when it comes to keeping data properly protected?

A guide to IT governance, risk and compliance — Information Age presents your complete business guide to IT governance, risk and compliance.

Going the extra mile

Placing privacy and security at the front of mind, will be a key differentiator for businesses operating in a competitive market. With this in mind, threats inside and outside of the organisation need to be taken into consideration.

“As we mark the 4th anniversary of GDPR, it’s clear that many organisations are still doing the bare minimum when it comes to achieving compliance – and exposing themselves and their customers to threats both internally and externally,” said Rob Otto, EMEA field CTO at Ping Identity.

“Going the extra mile and implementing further protection for individuals – such as holistic customer identity and access management (CIAM). When it comes to businesses implementing GDPR effectively, a CIAM setup is vital to meet the requirements for both employees and customers. This is because CIAM solutions offer key capabilities including data consolidation, consent capture and management, data access governance and end-to-end security – consolidating all the key components need to meet the regulation, along with streamlining them effectively – making it cost-effective too.

Otto went on to state the importance of security solutions being considered as part of the overall customer experience – not least because a data breach will result in a loss of customer loyalty.

“Ensuring that security solutions are seamless, invisible and human-centric will be the next evolution of meeting GDPR compliance,” he added.

Digital identities

The buzz around new online and virtual infrastructures such as the metaverse has demonstrated that digital identities will continue to evolve over the coming years, becoming increasingly prominent in the business world. This will call for a rethink of identity management approaches to ensure that data stays protected, and fraud mitigated.

According to Radiant Logic CISO, Chad McDonald, “Due to the rise in digital transformation efforts, we are seeing an explosion in the number of digital identities that each business stores. As a result, controlling and managing identity data has become that little bit harder. Unfortunately, when organisations struggle to manage their identity data, they could potentially break GDPR rules.

“Organisations have been scattering their identity data across multiple sources which all use different protocols or are stored in cloud repositories which cannot connect to legacy technology. This identity sprawl results in overlapping, conflicting, or inaccessible sources of data. Identity data which is poorly managed makes it virtually impossible for IT teams to build accurate and complete user profiles. It can also result in siloed systems which increases the likelihood of a failure in identity management and expands the attack surface of an organisation.”

Accurate user profiles are important in helping security teams and systems understand what users should be accessing in order to fulfil their job. To address this need, McDonald recommends implementing an identity data fabric, that can unify identity data using various formats and protocols — regardless of whether assets are on-premise or in the cloud.

He continued: “With accurate identity data, security teams have complete control over who has access to what, and they can feel more confident that they’re meeting all the GDPR regulations.”

Advertising pitfalls

Although big tech corporations have been fined millions for GDPR breaches, Ryan McDermott, director of strategic alliances at HubSpot, believes that the regulation is “no longer fit for purpose” when it comes to advertising and online marketing. A major factor in this, according to McDermott, is the innovation of data capture outpacing regulation.

“As GDPR races to retrofit new legislative ‘add ons’ that most technology companies will have evolved well beyond by the time they’re implemented, GDPR is barely an afterthought for marketing professionals who are readying themselves for a much more seismic change this year: the crumbling of third-party cookies,” he explained.

“Because of that, advertisers will require new, privacy-respecting, non-tracking-based approaches to reach their target audiences. Now, then, is the time for businesses to establish what a value exchange between users and an ad-funded, free internet actually looks like – but that goes far beyond the remit of GDPR.

To increase focus on privacy in commercial settings, McDermott believes that major stakeholders such as Google need to “lead the charge” and collaborate when it comes to establishing a best practice on data capture.

“For the smaller businesses,” he added, “it’ll be about forming an allegiance with bigger technology companies who have the resources to navigate these changes so they can chart a course together.”

The Brexit dividend

“The recent proposed reforms to the UK’s data protection legislation in the Queen’s speech represent a desire to break away from some of the more rigid obligations of the EU’s GDPR. But businesses need to ensure they maintain the means to comply with international laws, while benefiting from the ‘Brexit dividend’ the new UK reforms promise,” said Mark Keddie, global director of privacy at Veritas Technologies, looking from a UK perspective.

To achieve this, Keddie says that airtight data segmentation policies need to be in place to enable compliant management of data from divergent markets differently. This entails being able to quickly identify where each customer is based, and implementing the relevant data controls in accordance with their local data protection laws.

Alternatively, Keddie recommends that businesses “decline international customers access to their products and services, which would likely have a significant impact on their bottom line or continue to follow the GDPR rules to the letter for all customers and potentially lose out on the Brexit dividend altogether.

“If the government does power ahead to relax UK data protection regulations, then without the right assurance in place, UK businesses may face an uphill struggle to manage international customer expectations, particularly when such customers are increasingly wary of the consequences of non-compliance in terms of legal, financial, and reputational damage.”


IT risk management best practices for organisations — Identifying the IT risk management best practices that CTOs must implement to keep the organisation properly protected.

Why large companies fall foul of rising data privacy legislation — Ekaterina Khrustaleva, chief operating officer of ImmuniWeb, explores the rise in data privacy legislation and why large companies are still falling foul of those laws.

Avatar photo

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.