The Long View: GDPR One Year Later

By James Canham-Ash

A lot has happened in the last 12 months. An international trade war between the U.S. and China kicked off; the United Kingdom (surprisingly) didn’t leave the European Union; 5G networks went “live” in a number of countries across the globe; David Attenborough made his big-screen debut on Netflix; a new leader took over the helm at Commvault; and the General Data Protection Regulation (GDPR) finally came into being – to name just a few high points.

In many circles, the countdown to GDPR’s implementation on May 25, 2018 took on apocalyptic rhetoric similar to that which accompanied the hype around the “Y2K” Millennium bug in 1999, with companies, employees, members of the press and third-party consultancies all attempting to answer the million-dollar question: what exactly would GDPR mean from both a theoretical and a practical operational perspective?

Thankfully, one year after its implementation, the bruising barrage of fines and the millions of anticipated “Right to be Forgotten” requests have not materialised just yet.

To mark the one-year anniversary of this ground-breaking regulatory development, I sat down with Commvault’s Global Data Governance Officer, Jo Blazey, to get her perspective on the last 12 months; where we (the broader industry) are, in terms of GDPR compliance; and what still needs to be done.

Question: Jo, has GDPR actually worked?

Answer: For me, it’s a work in progress. So far it has certainly had an impact in terms of raising people’s awareness that their personal data is being used, but their understanding of how it’s being used is probably still low. This is because, despite the transparency requirements of GDPR, explanations of how personal data is being used can be complex and lengthy, and in the digital world people want a fast user experience. This can result in people rushing to “consent” without fully appreciating the risk from sharing their information.

Q. What was the most significant moment for GDPR over the last 12 months?

A. In my opinion it would have to be May 26 – “G-Day” plus one. What the day following the implementation did was to actually bring the reality home to businesses that GDPR was more than just a date in the diary and that compliance efforts would need to continue as part of business-as-usual practices.

I know you said “the most significant,” but I’m going to cheat and also say following May 26, the action by CNIL (the French regulator) against real-time ad bidding and its fine of €50m for Google’s contravention of the regulation was an equally significant moment, too – not only because it showed the regulator was prepared to flex its muscles, but also because it highlighted both the importance of the transparency requirement and the potential challenges of explaining personal data use in a way that can be easily accessed and understood by end users.

Q. What are the most common GDPR challenges you are still hearing about today?

A. Moving on from having a “GDPR Project” fueled by board focus, budget and a “hard” deadline into a sustainable data protection program that is empowered both to continue efforts and to tackle additional processing operations that weren’t reached by May 25 last year.

Q. What words of wisdom would you give to organisations about GDPR today?

A. Don’t be fooled by organisations claiming to be the “silver bullet” for GDPR compliance. The fact of the matter remains that there is no one-size-fits-all solution that you can plug in and simply press “go” to solve all the regulatory requirements associated with GDPR.

As we take stock and review the present state of the regulatory landscape, the key takeaway for us all should be this: despite the fact that we have arrived safely at the first anniversary without a GDPR apocalypse, it remains important that organisations continue to pay attention to how GDPR (as well as other global data protection laws) evolves; reflect on how far they have come in their own compliance efforts over the last 12 months; and seriously consider what needs to be tackled in the course of the next 12 months.