We are now almost four years on since the GDPR was first introduced. At the time, it was cited as one of the most profound changes to data protection laws globally, holding organisations directly accountable for the information they store, process and share. It was essentially one of the biggest changes we have seen since the 1998 Data Protection Act, and businesses all looked at how they could comply to avoid hefty fines.
However, in the world of technology, a lot can change within such a timeframe. Over the past two years, we have found ourselves amidst a global pandemic, something that no one could have predicted, but also something that has changed the way we work. We are now in the eye of a digital revolution that is bringing far-reaching change to our behaviours, our organisations, and our ways of life. The pandemic without a doubt marked a turning point in how businesses operate and laid bare our dependence on digital technology. But what does this mean for cybersecurity, how effective is the GDPR and how can European governments and IT leaders alike maintain digital sovereignty in the new global digital world?
Firstly, it is important to note that anything aiming to improve security and ensure more visibility and accountability when it comes to data is only a good thing, and a step in the right direction. We have seen companies around the world implement the controls necessary to comply, and we have seen enforcement actions start to come to light against companies that haven’t.
For many organisations, complying with the GDPR has forced them to take a hard look at their internal processes, with new ways of thinking and acting. For businesses, implementing a good cybersecurity strategy that puts data protection at its core is a must. One of the main accomplishments of the GDPR legislation is that businesses can no longer delay data protection. It has also brought more general awareness to just how valuable and critical data is. All of this together ensures a tighter data protection approach as we move forward.
In addition, the GDPR framework goes far beyond the realm of just privacy alone. It impacts many more aspects of IT and security such as data management, data protection, software development, and system administration. Ensuring data protection is now virtually everyone’s business, from backup and archiving to cloud migration and moving data to another area of the organisation. Everyone who handles sensitive information must do so with the utmost care.
One of the challenges this brings is that the GDPR legislation can often be seen as complex, confusing and challenging to implement. In addition, we are now faced with a new sea of change, brought on by businesses that rapidly digitalised their initiatives amidst the pandemic. We face new user behaviours, a remote working culture, and a tech-savvy generation, all of which bring new benefits but also new challenges when it comes to digital businesses and data protection. The pandemic clearly showed that the GDPR is no longer suitable for all eventualities and situations, as the trend toward remote work increasingly blurs the boundaries between private and professional. It is becoming even clearer that regulations are unable to keep pace with today’s rapid innovation cycles. The challenge we have long had, even before the GDPR was introduced, is that legislation often comes afterwards. Technology advances at a rapid pace, but it can take months or even years to build out a policy or framework and pass it through to law, so that it comes to fruition only when we are already facing a new challenge.
Data security must be practical, easy to understand and implement if we want businesses to thrive, remain agile but also have data protection at their core. After all, we don’t want global organisations to move away from working with European businesses and partners because they worry that complying with the GDPR will be too problematic. Data protection is and always should be considered a good thing to achieve.
Here, we need to look at data protection as working hand in hand with businesses to achieve their goals, rather than as a trade-off. After all, no business wants a data breach. However, we will get nowhere if we only focus blindly on solutions offering maximum data protection, without considering user experience and other just as important factors.
The good news is that there are solutions that support innovation and agile business models without jeopardising individual privacy, and they are continuously striving to deliver stronger, better solutions to the evolving ecosystem. The GDPR legislation was certainly groundbreaking in many aspects, and it created a global model mandating security. As we move forward and evolve, it is something that we should continually look to evaluate. We need to create and foster a positive cybersecurity culture that organisations across the world strive to achieve.
To create a truly secure digital Europe, we need to keep data security practices. This does not mean less security, but a set of principles and a culture that is easy to understand. We need to make it possible for users and companies to conform to data protection rules and security needs while remaining competitive at a global level. And we need to embrace a digital culture that turns the spotlight on the value of our data while applying pragmatic data protection and cybersecurity methods to guarantee added value, prosperity, and growth for the future.
Written by Axel Voss, Member of the European Parliament and Jean-Noël De Galzain, founder & CEO of WALLIX.