GDPR five years on: successes, shortcomings and the road ahead

At a special webcast to reflect on the impact of GDPR since its implementation, PwC’s Cybersecurity and Data Privacy Partner, Pat Moran, was joined by a panel of experts to consider GDPR’s successes, shortcomings and what can be expected in the years ahead.

GDPR’s early days

When MB Donnelly, Deputy Commissioner at the DPC, casts her mind back to 2018, her overwhelming memory is of radio advertisements which suggested that the DPC was “coming for companies” from 25 May – the implementation date. “To borrow a quote, it was as though the lie got halfway around the world before the truth put its shoes on,” she said. “There was a culture of monetised fear… because there was such anticipation and anxiety about what GDPR would mean for organisations.”

In Donnelly’s view, this anxiety has lessened. “People working in this space are moving out of that state of fear, which is something we never wanted and never advocated,” she added. “Greater attention needs to be paid to the corrective measures that are applied as part of the DPC’s decisions because that’s where change is made that impacts an individual’s experience.”

GDPR ultimately set a high international benchmark for data protection and privacy and while advisors generally got the main issues for businesses right at the outset, Arthur Cox’s Colin Rooney believes that the risk-based approach to data privacy was underestimated at the time. “That has been crucial in terms of the advice we would give, and the advice clients would expect to receive, as they grapple on a day-to-day basis with GDPR compliance,” he said.

GDPR: part of a complex puzzle

The issue of data privacy has become increasingly pressing in recent years, with headlines across the world highlighting the financial penalties that await those who get it wrong. And while there are prominent areas of focus, such as marketing and HR, PwC’s Stephen O’Keeffe has seen GDPR impact on some less intuitive areas like procurement.

“GDPR was the spark that kicked off a lot of due diligence and third-party risk management we’ve helped our clients with recently,” he said. “Originally, it was a case of getting data processing agreements in place. But then, we started to kick organisations’ tyres to ensure they had the right technical and organisational measures in place. And more importantly, that they maintain them and are periodically checking in with their supply chain to ensure that they are managing data on their behalf correctly.”

GDPR has significantly impacted how companies operate and manage their data. But it is just one part of a more complex puzzle with NIS 2 and DORA, for example, being adopted. So, how can multiple regulations align to avoid duplication of effort?

The DPC is very alive to this issue, according to Donnelly. “The DPC is one of the founding members of the Irish Digital Regulators Group along with several other regulators to promote that cross-regulatory conversation and ensure greater coherence and adaptability,” she said. “We are also part of a wider conversation with digital regulators who operate outside the EEA because data does not stop at borders.”

From an operational perspective, O’Keeffe recommends that businesses adopt a holistic framework. However, he also believes that regulations will never integrate so perfectly that conflicts won’t arise. “At some point, there will be two pieces of legislation that conflict and businesses need to go into such scenarios with their eyes wide open,” he said. “You will need to make a decision, record it, and be transparent about it. If you do that with the best interest of the data subjects genuinely in mind, you will probably get to the right place and make a defensible decision.”

A holistic view of compliance

Although GDPR has bedded down in many ways, it continues to generate a high volume of activity for the regulator, for companies and for individuals. In 2022 alone, the DPC fielded over 30,000 contacts from individuals — this is entirely separate from the organisational activity the office deals with on a day-to-day basis. There were also 5,828 breach notifications, 61% of which arose from misdirected communications.

While organisations have worked hard to move away from paper-based compliance in recent years, data clearly continues to pose a challenge — particularly for mature organisations, according to O’Keeffe. “Unless you have the luxury of being a reasonably recent start-up that was cloud-native, most large organisations have challenges with legacy data,” he said. “The organisations willing to tackle this head-on do so within a holistic framework. At PwC, we refer to ours as the Data Trust Framework, which combines multiple disciplines.

“You’re not looking at this with a data protection or privacy lens; you’re looking to tie in data governance along with effective tools for data discovery so you map out and understand where your data is. And from there, you move from planning the right types of controls to securing the data, having a good grasp on where you’re sharing that data, and ultimately deleting the data once it has served its purpose and you no longer require it.”

GDPR, data privacy and artificial intelligence

Beyond the legal frameworks, businesses recognise the need for ethical and responsible data practices, reflecting a collective realisation that data protection is no longer a matter of compliance but one of competitive advantage. And as the complexities of the digital age evolve, not least with the arrival of artificial intelligence and natural language processing, GDPR will continue to play a vital role in safeguarding information and ensuring that consumers’ privacy rights are upheld.

“The first thing to say is that the AI Act is pending,” said Donnelly. “It is currently under examination by the EDPB (European Data Protection Board)... we are alive to the fact that it bears greater scrutiny and that scrutiny is underway.”

While the world is on the cusp of significant change, Rooney maintains that it is only beginning to “dip its toe” into the broad range of legal issues generated by AI. “Privacy is important, but it may not even be the most important issue concerning AI,” he said. “We do have the Italian Data Protection Authority (Garante) engagement, which some will say is not perfect. But at least we can say, ‘This is how one regulator saw this particular issue, and this is how the company responded’. One example doesn’t create a precedent for everyone to follow, but at least we have something.”

So in the absence of legislation, how can companies prepare for the AI era from a data privacy perspective? According to O’Keeffe, policies and procedures for issues like data ethics and the acceptable use of AI is the starting point. “In the absence of concrete guidance, the risk-based approach is the best place to begin as organisations think about making investments in these areas and ultimately make better use of the technology,” he said.

And at an individual level, Donnelly believes that there will be greater responsibility on individual workers in terms of how they process personal data as data privacy evolves into the future. That, she maintains, will require a new organisational mindset. “The only way [GDPR] will effectively bed in is when we approach this from a cultural basis,” she said. “That is the direction of travel, but we have a way to go.”

To view the GDPR webcast, click here