GDPR: 5 years, 5 lessons learned*
On May 25, 2018, the General Data Protection Regulation (GDPR) entered into force, marking a significant milestone in how organizations and individuals active or resident in the European Union handle information management and data privacy in professional, commercial, financial, cultural or social activities, whether collective or public in nature. Five years after its implementation, this is the perfect time to reflect on the lessons learned on this journey toward compliance.
1. Awareness is the first step
Organizations have been striving to ensure that everyone understands the importance of protecting information and data privacy. From top management to team coordinators and beyond, it is essential that this knowledge reaches everyone so that efforts are aligned and cut across the whole organization, whether in obtaining consent, collecting and processing data from data subjects, maintaining records and access rights, reporting incidents, or following other good security practices.
2. Good information management is an asset
GDPR has accelerated the importance and urgency of proper information management within organizations around the world. Fortune Business Insights findings point to this market growing from $3.01 billion to $12.91 billion in the period 2022-2029 alone. For organizations, this investment will serve to correctly identify and classify the data that is collected and processed, understand its purpose, and ensure that it is stored securely. This requires the implementation of efficient document management systems that allow for proper control of data throughout the entire lifecycle.
3. Compliance and transparency should be embedded in business processes
When developing new products or services, it is important to treat data privacy as a key requirement. This includes conducting Data Protection Impact Assessments and, increasingly, turning to compliance-as-a-service (CaaS) offerings to meet regulatory obligations and promote a proactive approach to risk management. In this regard, it is worth remembering that companies that do not take personal data protection seriously face serious penalties and reputational damage – in Portugal alone, fines for violating the GDPR have already reached €500 million since 2018, the International Data Corporation (IDC) recently revealed. And because no one is above the law, international giants such as Meta, Amazon or Google have also been fined millions for non-compliance related to transparency, data sharing and obtaining consent.
4. Confidentiality and security are priorities
Companies have understood the need to implement appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data (be it employee records, customer files, or supplier lists, among others). To this end, the adoption of security controls such as encryption, two-factor authentication, and protection against unauthorized access has been fundamental. These are all measures necessary to achieve legitimate objectives while remaining in regulatory compliance.
5. Risk management and quality need continuous monitoring
Organizations are focusing on preventing, identifying, assessing, and mitigating data protection risks. This requires implementing robust policies and procedures, training employees continuously, creating new roles (Data Protection Officer, Chief Information Security Officer, Privacy Officer, Data Compliance Manager, etc.), and conducting internal audits to ensure the desired standards are maintained. It is also notable that G2000 companies are increasingly opting for continuous risk assessments instead of traditional annual security audits.
As we celebrate these five years of GDPR implementation, we see the consolidation of the supervisory framework for data protection, as well as the more active and consistent role of the Portuguese data protection authority (CNPD) itself. We also see the growing challenges (and benefits) brought by emerging technologies, such as Generative AI, in the field of information management. As a trained archivist and today responsible for a department dedicated to the development of information management systems and business processes, I know that it is possible to strengthen the protection of personal data and simplify compliance with the GDPR through software and technology.
This technology allows organizations to organize their business processes in an integrated way, knowing that their data and information are in compliance with the required privacy and security standards – and also benefiting from automation of repetitive tasks, automatic generation of reports, improvement of data quality or predictive analysis for strategic decision making in areas such as ESG (environmental, social and corporate governance performance).
The GDPR is the line that separates the before and after of information management focused on people’s rights versus management focused only on business priorities. Organizations that have not yet taken the necessary leap into this transformation put at stake their very survival, as well as their relevance, their digital maturity, the trust they establish with citizens and consumers, and the free (but secure) flow of information and opinion without which it is impossible to exist and thrive in today’s digitally interconnected world.
*This article was originally published on Observador.