
One year with the GDPR – what has (or hasn’t) changed?

(Image credit: Shutterstock/Wright Studio)

Apart from technology and business goals, peace of mind is a top priority for all IT teams. However, in the lead-up to the rollout of the General Data Protection Regulation (GDPR) just over a year ago, most IT teams had a good deal of sleepless nights. From fears about how the new regulation would impact business processes to the huge fines for non-compliance, IT teams were scrambling to make sure everything was in place.

GDPR forced many organisations to reconsider their data collection processes, data portability and transparency around how data is used. It mandated them to store, maintain and protect data in a way that put customer and end user sensitivities first, with various undertones about potential impact if organisations and cloud service providers did not adjust accordingly.

For data centres and cloud service providers, in particular, there was increased impetus to provide GDPR-compliant services. Many vendors have worked on codes of conduct that will ensure that their services are hosted in European data centres and have appropriate policies governing data protection, privacy and access, as dictated by GDPR.

Data is the lifeblood of any organisation, but with the threat of heavy fines, strict guidelines and compliance regulations, the implementation of GDPR made organisations fear for the worst. No matter how you look at it, GDPR has certainly left its mark on the technology landscape.

It’s now one year since the GDPR came into force, so now is a good time to review how much the regulation has actually impacted the cloud and data centre industry.

The fines haven’t rained down

One of the main talking points of GDPR before its introduction was the heavy fines it would impose on non-compliant organisations, potentially reaching up to €20 million or four per cent of annual global turnover, whichever is higher.

In the first year since the rollout, the fines issued have amounted to a total of €56 million. Most of this landed on Google, which was fined €50 million by the French data regulator CNIL for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation".

The majority of reported cases have been linked to data breaches. Out of the 206,326 cases reported, about 65,000 were initiated on the basis of a data breach report by a data controller and 95,000 were complaints. This can give the misleading impression that as long as cyber security is covered, GDPR is covered. However, a closer look at reported cases shows an increasing number of cases connected to data privacy and other data processes.

It might also seem that the total fines to date are relatively small. But it is worth remembering that most data protection agencies have spent the best part of the last year harmonising their approaches and closing legacy investigations from the pre-GDPR era.

A new approach to customer data protection

From a technology perspective, organisations have become far more diligent when it comes to ensuring they have a clear understanding of how their data is being stored. Technology partners such as data centres and cloud service providers have become subject matter experts that have been able to elevate the conversation around data protection from something the guys in the basement did, to a board-level issue.

The need to manage data in a more efficient way and to put in place processes that comply with the overall GDPR regulation has also resulted in growing adoption of cloud-based solutions. With cloud-based solutions making it easier to transfer the regulatory obligations and risk on to an expert third-party, many organisations are turning to the cloud to mitigate any potential risks. This is likely to drive future growth of the cloud industry.

GDPR as a starting point

One of the most unexpected results of the GDPR has been the opportunity it presented organisations to reassure customers and end users about how their data was being processed. Being able to demonstrate that systems and infrastructure meet the technical and organisational requirements to support GDPR compliance is good business practice, and meaningful to customers.

With customers paying more attention to how data is used, and ready to discontinue relationships if their requirements are not met, organisations cannot afford to take any chances. However, being GDPR-compliant alone will not keep customers on board, especially when you consider that every organisation will be GDPR-compliant as a starting point.

With GDPR-compliance as the standard, it is safe to assume that customer demand for improved data practices will continue to increase.

One year on, what next?

As consumers and end users get used to the new normal created by GDPR, organisations will have to be on their toes to make sure they are constantly delivering against these expectations. The high standards and accountability that customers are now used to mean that organisations must invest in infrastructure that can easily facilitate these demands now and in the future.

Lorenzo Giuntini, Head of Engineering, Aruba S.p.A.