Ongoing Evolution of the GDPR - Impact on Business Part 1

It’s been effective for just over five years, and there is no doubt that the General Data Protection Regulation (GDPR), set by the European Union and seen as the benchmark for data privacy, has been challenging, and even costly, for businesses in many ways.  In this article, we look at the developments in GDPR since its implementation, the benefits of compliance and challenges faced by businesses. In Part 2, we look at landmark cases where significant fines were imposed for non-compliance and planned amendments to the Regulation which you should be aware of. 

Covered in this Article

The Purpose of the GDPR 
Benefits of GDPR Compliance
Challenges experienced by businesses in dealing with GDPR 

The Purpose of the GDPR

The purpose of the GDPR is to enhance the protection of personal data while promoting the responsible and secure processing of personal data in the European Union. This Regulation provides a legal framework for keeping EU citizens' personal data secure by requiring companies to have robust processes in place for handling and storing personal information. Its main objectives are to: 

• Enforce fair and lawful processing of information
• Establish a purpose limitation on personal data usage, and
• Ensure data minimisation and data retention.

Benefits of GDPR Compliance

Although the penalties for non-compliance with the GDPR are severe, this risk can be actively managed, to ensure that the business also reaps the benefits of adopting, implementing, and monitoring compliance with the Regulation. Some of the benefits include: 

• Enhanced cybersecurity: By implementing the rigorous security measures required when dealing with personal information, you can improve the overall health of your data protection workflows and help reduce the risk of cyber-attacks through ransomware, phishing, malware, and similar means. Consider the following:

  • Between November 2021 and October 2022, almost 16 000 cybercrime incidents were detected worldwide, the majority of which affected the public sector (3 270 cases), information services sector (2 105 cases), financial sector (1 829 cases), manufacturing sector (1 814 cases) and professional services sector (1 396 cases). 

  • Based on a survey of risk management experts in 2022, cyber incidents were listed as the leading risk for 2023 - evidenced by the average cost of a data breach in the US reaching a record high of US$ 4.45 million.  

  • The 2023 survey by Statista among Chief Information Security Officers (CISO) worldwide reflected that seven in ten entities worldwide are at risk of a significant cyber attack in the following 12 months (an increase of 20% over the prior year).
• Improved data management: Knowing what sensitive information you do have, how you have collected it, and how you are storing it, will help you to refine your data management processes. This can easily be achieved through a proper data management process.  

• • Customer data tends to be dirty, easily fabricated, and often contains multiple data entry mistakes. It decays quickly and requires constant updating to help you make informed decisions. 

  • Clean customer data provides useful information that leads to smoother customer communication, improved customer experiences, increased business productivity and revenue, and enhanced data analysis for strategising and decision-making.

  • Overall, improved data management can help you enhance your trust relationships with your customers.

• Improved Return on Investment: Implementing an opt-in policy and maintaining evidence of the data subject's consent to process their personal data can help you streamline your database of leads, prospects, and clients who actually want to engage with you.

• Promoting trust and loyalty: To ensure that you are GDPR compliant, you will need to clearly state what, why, and how you will be using people's personal information. By following the rules, your business can demonstrate transparency, responsibility, and accountability, which can improve trust and loyalty with your target audience. Ultimately, this can go a long way to enhancing your brand reputation. 

Challenges experienced by businesses in dealing with GDPR 

Maintaining compliance with the ever-evolving legislative requirements and regulations has been a complex task for many businesses - even more so for those operating across different jurisdictions. Some of the key challenges businesses have been dealing with include: 

• Understanding the Regulation: Given the complexity of the GDPR, obtaining an in-depth understanding of its full scope and how it applies to a particular business can be daunting, especially for small and medium-sized enterprises (SMEs) that have limited resources when it comes to managing legal risks. 
• Data Mapping and Classification: The foundation toward GDPR compliance is identifying and classifying personal data within an organisation's systems. This process is time-consuming and requires a clear understanding of what constitutes personal data under the regulation.
• Consent Management: Obtaining and managing consent for data processing is a core requirement of the GDPR. Implementing mechanisms to obtain explicit consent and maintaining evidence of such consent can be challenging, especially where the business deals with large volumes of data subjects.
• Cross-Border Data Transfers: If your business operates globally, there are a variety of complex rules to be navigated around the transfer of personal data across borders. Ensuring compliance with these rules requires a deep understanding of both the GDPR and other international data protection laws.
• Data Security: Implementing appropriate security measures to protect personal data is a key requirement of the GDPR. Determining what measures are "appropriate" for your business can be a complex task that requires an in-depth risk assessment.
• Data Subject Rights: Under the GDPR individuals have several rights concerning their personal data, including the right to access, correct, and delete their data. Implementing processes to respect these rights in a timely manner can be a significant operational challenge.
• Compliance Costs: Compliance with the GDPR can be expensive, particularly for SMEs. Legal fees, technology investments, staff training, and ongoing compliance monitoring all add up at the end of the day. You need to, however, weigh the cost of compliance vs the cost of non-compliance - the latter of which could be much higher. We explore this in more depth in Part 2 of this article.
• Coordination with Third Parties: Many businesses rely on third-party vendors to process personal data. Ensuring that these vendors comply with the GDPR requires careful contract negotiation and ongoing monitoring, adding another layer of complexity to compliance efforts.
• Regulatory Uncertainty: As with many other laws and regulations, the GDPR is subject to change and interpretation by various regulatory bodies. This evolving landscape can create uncertainty and make long-term compliance planning more difficult.
• Enforcement and Penalties: The potential for significant fines and other penalties for non-compliance adds pressure to businesses. Understanding how regulators are likely to enforce the rules and what constitutes a violation can also be challenging.

In Part 2 of this blog, we look at how costly non-compliance with the GDPR has been for some companies during the past five years, and what we can expect in terms of amendments to the regulations going forward.