GDPR still a channel pitch three years on

The General Data Protection Regulation (GDPR) is now three years old, and while it might not have the same buzz it did when the rules were first introduced, the regulation can still provide a profitable pitch for the channel.

Over the past three years, a few things have changed that have kept GDPR a focus of attention for data management and protection specialists. First, the threat of fines has started to be translated into reality, and second, the impact of the Covid-19 coronavirus pandemic has accelerated the hybrid working environment, resulting in data being spread more widely.

Rob Elliss, EMEA vice-president for data security at Thales, said changes caused by the coronavirus pandemic had given the channel a fresh angle to talk about GDPR compliance with customers.

“When GDPR was first drafted, the legislation did not necessarily account for the adoption of new technologies and rapid migration to the cloud brought on by the pandemic. In this remote working era, businesses needed to digitally transform almost overnight just to keep the lights on, without necessarily incorporating security into the design of new systems and processes,” he said.

“As we navigate this ‘hybrid era’, with some companies promising a ‘work from anywhere’ mentality, including abroad, organisations must be aware of the compliance implications of any remote working policies they put in place,” Elliss added.

Adam Brady, director of systems engineering at Illumio, said the GDPR, on its third anniversary, was now better understood.

“While initially slow-going in terms of clear impact, understanding around GDPR – its implications, scope and potential fines – are mature enough now that it’s a consideration unlikely to be missed by organisations or the public. One clear area in which GDPR has been successful [is in ensuring there] is at least some understanding by individuals that data about them is valuable and needs to be protected,” he said.

“Three years after GDPR came into effect, it looks like the authorities are beginning to crack down harder on organisations that don’t comply”

“It took some time for real GDPR fines to start being applied at levels that meant something. In 2020, and into this year, [there have been] significant fines in the $20m+ range for breaches and mis-handling of data,” Brady added.

The pressure to look after data has not diminished, however, and GDPR still requires the channel to help customers manage sensitive information. That challenge has become even harder with a disparate environment, as the hybrid working world starts to become established.

“Organisations need to adopt consistent processes for identifying and classifying personal information and recording where it is located throughout the enterprise,” said Lynda Kershaw, marketing manager at Macro 4. “This will involve retrospectively classifying a huge amount of historical information, and that’s an area where many of the businesses we work with are focusing right now.”

Kershaw agreed that, after a slow start, the fines were starting to become a serious consideration for firms, and not paying attention to the demands of GDPR was an increasingly risky strategy.

“Three years after GDPR came into effect, it looks like the authorities are beginning to crack down harder on organisations that don’t comply. Across Europe, the total value of fines for compliance violations stands at €282,423,088, but over 61% of this – by value – is from fines imposed within the last year,” she said.