GDPR Turns Four: What Impact Has It Had on Consumer Data & Privacy?

Today marks the fourth anniversary of GDPR. How has it changed the way the world does business? We asked several business leaders for their thoughts on the impact GDPR has made…

The world has changed dramatically since the General Data Protection Regulation (GDPR) first came into force all the way back in 2018. The EU’s regulatory change upended the way many professionals operated, and mere mention of the GDPR can still give marketing and data leaders flashbacks. But as today marks the fourth anniversary of its introduction, it’s a great time to take stock and assess the GDPR’s impact on marketing, data, and the business world in general.

CEO.digital reached out to several thought leaders from across the industry for their views on the impact of GDPR on business. Insights include analysis from Kevin Kelly (VP & GM, Global Compliance Solutions, Skillsoft), Michael Queenan (CEO of Nephos Technologies), Kris Lahiri (CSO of Egnyte), and more. Check out their thoughts below.

Michael Queenan, CEO and Co-Founder at Nephos Technologies

“Our personal data is anything but personal. Currently, the large corporations and government institutions that collect our personal data are responsible for using and selling it. Although GDPR introduced rules on how such organisations should handle and protect this data, it arguably did not go far enough as it does not specify exactly what businesses can and cannot do with their customers’ personal information. For individuals, therefore, there is a huge loss of control over their data.

“Over two years on from Brexit, the [UK] government has announced a new Data Reform Bill to move away from the GDPR regulations we had to comply with under the European Union. Getting more robust data privacy regulations in place will enable the UK to lead the way in this area and flourish in the future. However, my concern is that it looks like we may be going the other way and making the regulations more relaxed. I hope that such legislation protects the consumers – especially the most vulnerable. Whilst I recognise that it is a big ask, forbidding data profiling of under 18s is a crucial aspect of enforcing data privacy.

“A new data privacy strategy could offer huge benefits to businesses as well as individuals. Being a ‘data protector’ is increasingly becoming a badge of honour. We are seeing consumers making deliberate choices about which companies to transact with based on their data privacy and management practices. The increased fines for non-compliance proposed with the new Data Reform Bill will only reinforce this and force all businesses to be responsible with personal data and use it with the individual in mind, rather than for their own gains.”


Jakub Lewandowski, Legal Director and Global Data Governance Officer at Commvault

“Four years on from when the EU’s GDPR came into effect, with the benefit of hindsight, it turns out the long-awaited regulation could have been just in time. Who knew a global pandemic was just around the corner and that we were on the cusp of an explosion in data growth and acceleration of cloud-based business? Essentially, GDPR passed its first big test, as companies found they could agree how to share responsibilities and shift workloads and business processes to the cloud.

“However, for all the good to have come from GDPR, actually, there are still problems that are yet to be solved. Primarily, the simplifying and clarifying of responsibilities around cross border data transfers. Perhaps now the UK Government will try to address this by creating a more favourable environment for companies operating in the data sector to drive competitiveness?

“We are yet to see where the new data reform will lead us. GDPR and UK GDPR respectively introduced a lot of extremely useful concepts and mechanisms, most importantly they helped develop a common language to discuss privacy and data protection issues. As with any legislation with multiple stakeholders involved and affected, certain choices and priorities had to be made. Perhaps now is a good time for the UK to strike a better balance on some of the items. It would not be wise to throw the baby out with the bathwater.”

Kevin Kelly, Vice President & General Manager, Global Compliance Solutions at Skillsoft

“GDPR has prompted significant improvements in the governance, monitoring, awareness, and strategic decision-making regarding the use of consumer data. One of the ideas behind GDPR was to assure consumers that their data will not fall into the wrong hands. For the most part, consumer data and privacy is now considered a top priority by leading companies.

“The checklist below is a good way to ensure that your organisation remains in compliance with applicable GDPR regulations. Ask yourself the following questions as you ensure that the business changes your organisation has made since GDPR was implemented will have a lasting impact:

  1. Have you made it clear that your organisation is taking GDPR seriously? Raising awareness will help you to educate the entire organisation about procedural and operational directives – and ensure that your team has a clear understanding of your expectations regarding compliance.
  2. Have you suspended all non-compliant data collection? At this point, the answer should be a resounding “yes!” But also ensure that your organisation continues to put policies and procedures in place to allow the acquisition of legitimate consent – wherever and whenever data is being collected.
  3. Do you identify and log all current data? Without an understanding of what data you have collected from individuals, you cannot implement data handling and storage procedures that are genuinely effective. Make sure that you continue to perform audits of the data you are collecting for a complete understanding.
  4. Do you continuously review your data practices? Though you may be in compliance with GDPR now, it is imperative that you continue to review your data practices. Ask yourself if your current governance practices are sufficient enough to comply with GDPR. Especially pay close attention to overseas movement of data to ensure storage and processing remains on the right side of the law at all times.
  5. Have you clearly communicated your intentions to your employees and customers? Create/redesign your organisation’s literature to clearly communicate the rights of individuals when it comes to their personal data. Take every opportunity available to you to reiterate your commitment to protecting personal data.
  6. Do you have a data protection officer (DPO)? Who is your DPO? Every organisation should appoint a data protection officer to ensure you are properly applying relevant laws protecting individuals’ personal data.”

Phil Dunlop, VP EMEA at Progress

“As part of heightened cybersecurity measures in the increasingly digital world, GDPR compliance – the effective collection, storage and usage of personal data – is paramount for organisations in all industries. As we enter the fifth year of GDPR regulations, organisations have improved their GDPR literacy, but threats remain in the gaps of understanding around the potential for security breaches.

“To be fully GDPR compliant, an organisation’s file transfer systems, which fall under the definition of processing data, must be secure. By securely tracking all file transfer activities including authentications and modifications, IT and security teams can provide proof of compliance.

“Some best practice GDPR compliance tips include:

  • Ensuring that senders and receivers are authorised, with centralised control and visibility to all file transfer activities involving personal data
  • Centralised, tamper-evident audit logging ensures data can be trusted for accuracy
  • Securing personal data against internal and external threats, loss or damage is also critical; therefore automatic file integrity checking can validate that a file has not been altered
  • Having a robust GDPR-compliant framework in place will extend your cyber security practices, boosting customer trust and loyalty.

“By using customer information effectively, an organisation can make better business decisions and ensure a better return on tech investments.”


Kris Lahiri, Co-Founder and Chief Security Officer at Egnyte

“GDPR has served as a major framework for subsequent privacy regulations, which is why companies that pay close attention to satisfying GDPR requirements are in a good position for other regulations.

“The four-year anniversary of GDPR’s enforcement reminds us of the importance of safeguarding mission-critical content amid rising cyberattacks and the shift in how unstructured data is accessed in today’s remote/hybrid work environment. It’s become increasingly difficult for organizations to not only manage their expanding volume of content but also to effectively secure it. If companies can’t see the full extent of their data, then they can’t properly govern it.

“As data privacy requirements continue to increase across the world, it’s imperative that organizations have total visibility into their regulated and sensitive data. By establishing effective data governance programs that can evolve with rapidly-changing requirements – in addition to ongoing cybersecurity awareness training – businesses can stay on top of regulations, as well as potential threats like ransomware.”

Donnie MacColl, Director of EMEA Technical Services at HelpSystems

“There has been some concern around the impact of the UK’s potential divergence from European data protection standards, and what role the Data Reform Bill (referred to as “the Bill”) will play. That’s understandable given any legal/regulatory changes always have the potential to impact the way organisations can market themselves to people, for example.

“In particular, concerns have been raised that organisations won’t be able to use personal data to optimise the sales process. While this is likely to become more challenging, there is a strong argument to say that, like GDPR, the emphasis must remain on keeping personal data more secure. The Bill seeks to strike a balance between data protection and the ease of doing business and that is to be welcomed.

“As for regulation and enforcement, the Information Commissioner’s Office (ICO) will become more accountable to the government and citizens. But for this to happen, we need to see the ICO modernise to ensure it has the powers and resources to take appropriate “stronger action” against businesses that breach data rules.

“At present, however, the Bill is more of a statement of intent rather than policies that are set in stone. It remains to be seen how the government will move forward as further detail emerges.”