It’s now over four and half years since GDPR came into effect. Compliance has passed into the vernacular, the culture, and the day-to-day practices of organizations. The problem with this is that, for some organizations, it has also merged into the background.

Does everybody observe GDPR or are some confident that, having ticked all the right boxes on its introduction, their governance framework will cover them? GDPR is not a responsibility that can be laid to rest just because you put in place policies and procedures. It’s like that nagging sign you often see in service station forecourts: ‘Have you checked your oil?’ How often do many of us realize, when we see the sign, that we haven’t; not for a while? How many organizations, for example, have a confident view of what’s going on deep down in their unstructured data?

Perhaps it’s time for a 10,000-mile service. There’s a reason for that ‘R’ in the GDPR acronym; it’s something you have to do. It’s regulated, and that means it’s subject to a spot-check and, as Microsoft might be among the first to tell you, such checks are not just cosmetic, they go deep: ““Microsoft 365 faces darkening GDPR compliance clouds after German report”.

The Fundamental Principles of GDPR

By way of a reminder, the officially-listed seven principles of GDPR, applicable globally, are:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

To be considered robust, any organization’s data governance framework is, or should be, based on these principles. This is not just about Best Practice, it’s also about common sense and, to be honest, corporate integrity or Governance, Risk, and Compliance (GRC). The European Data Protection Board (EDPB) assessed WhatsApp, owned by Meta Platforms, as having been in breach of the GDPR Transparency obligation, leading to the issue of a €225 million fine by the European Union’s General and, in terms of ‘going deep’, the court is now looking closely at Instagram and Facebook.

As much as the focus of such enforcement is on protecting the rights of the individual, your customers, or other third parties, it is a surefire way of protecting the organization. The downside of non-adherence to these principles is hardly worth dwelling on. 

Check your GDPR stance

Back with the ‘oil-checking’ analogy, if you leave your car to its own devices for long enough, your engine will seize up. You’ll curse yourself for not having taken the basic precautions to avoid looking irresponsible. You’ll find yourself involved in huge expenses that could quite easily have been avoided. 

From an organization’s perspective, failure to keep your GDPR compliance topped up equates to dropping your guard on one or more of the seven core GDPR principles. ‘Looking irresponsible’  can be more weightily referred to as reputational damage. For an example of  ‘avoidable expenses’, look to Amazon, reportedly having been hit with the largest GDPR fine to date, at $780.9 million (€746 million).

There’s no harm whatsoever in lifting the bonnet, or popping the hood, to make sure you’re running a well-oiled GDPR strategy. There could be plenty of harm if you don’t.

The UK Data Reform Bill, updating the GDPR framework, is on its way. It will more than likely necessitate organizations needing to reassess, and possibly even re-align, the policies and procedures they have currently in place to ensure GDPR compliance. It’s critical to note that US organizations are not immune to GDPR, as the examples of Microsoft and Meta Platform clearly illustrate. 

If a US website receives visitors from the EU, those visitors browse and click and interact within the full protection of GDPR. How their personal data is processed can fall under GDPR scrutiny, as can the use of cookies. 

Handled sensitively within the organization, however, the evolution of GDPR can present opportunities within the digital world. It’s easy to interpret the whole legal force field that surrounds it as being restrictive but, managed correctly, it can be potentially commercially liberating. 

Full clarity on proposals under consideration include (but are not limited to):

• AI Coming of Age: “…reforms to create more certainty for organizations about when and how they can responsibly use personal data with the development of cutting-edge data-driven technologies.”
• Making it Easier to Serve Customers Better: “…reducing disproportionate burdens on businesses and delivering better outcomes for people in relation to the processing of personal data.”
• Boosting Trade and Reducing Barriers to Data Flows: “… reforms to create an autonomous UK international transfers regime, which supports international trade and eliminates unnecessary obstacles to cross-border personal data flows.”

Design for the Future

In many ways, the initial introduction of GDPR was designed to prevent Big Data from getting out of control; to avoid the ‘Big Brother is Watching You’ syndrome. We’ve come a long way since 1984. We’ve also come a long way since 2018. Now we’re set to adopt a mature approach to data protection that acknowledges that organizations misuse data on occasions largely by accident rather than design. All the organization has to do is eliminate any tendency towards being accident-prone.