GDPR: How will it change over the next few quarters?

Over the past year or so, the countdown to GDPR has been front and centre, with most, if not all, organisations implementing strategies to ensure compliance come 25th May. That deadline has now passed, and there is a general assumption and expectation that all the points on a company’s GDPR checklist are ticked.

While for many, achieving compliance has been a monumental undertaking, it’s not a reason to take the foot off the gas. In fact, probably quite the opposite. Consider for a moment that data is being created, replicated and consumed to such an extent that market research firm IDC estimates that by 2020 the digital universe will reach 40 zettabytes (ZB). That is 40 trillion GB of data, or 5,200 GB of data for every person on earth. Additionally, IDC’s Digital Universe Study found that machine-generated data is a key driver in the growth of the world’s data.

With technology shaping modern business and driving data proliferation, can data protection processes keep pace with the rapid growth? What will GDPR look like in three, six, or 12 months’ time? We gathered predictions from experts in the GDPR space.

Three months

Clarity and a focus on data

Nigel Tozer, GDPR Specialist, Commvault

In the months following GDPR we’ll see some clarity and guidance from regulators around exactly what needs to change within organisations in order to be compliant. At the same time, the myth that GDPR is ‘like Y2K’ will be debunked. Before the end of the year – if not by the end of the summer – a high-profile company or two will experience a breach and thereby fall foul of the regulation. However, the legendary fines are unlikely to materialise unless there are some truly shocking lapses in data protection practices.

Businesses need to ensure that they keep the focus on GDPR, data and how it’s managed – it is not a one-off event. Not knowing what data you have or its location is not an acceptable position to be in, and will expose your business to potential penalties or reputation damage further down the line. Personal data has to be looked after in a pragmatic and suitable manner, which relies on enablement, process and cultural change within the organisation, as well as technology, to make it happen.

Ongoing training for GDPR

Steve Wainwright, Managing Director EMEA, Skillsoft

With GDPR now in force, businesses face a broader range of legal, financial and reputation risks associated with falling foul of the regulation. Ongoing compliance training will ensure employees are aware of the new rules on personal data management, while also increasing accountability throughout the organisation. Training helps employees stay mindful of potential compliance impacts when making decisions, particularly those involving the handling of data. A one-off training session won’t be enough; companies will need to introduce a comprehensive, ongoing training strategy to address GDPR.

Six months

GDPR and Cybersecurity

Stephen Gailey, Solutions Architect, Exabeam

On balance, GDPR is a very good starting point; however, there is certainly work to be done and additional clarification needed in some areas. The area causing most concern at the moment is monitoring the security of one’s own enterprise.

Some signs are emerging that large organisations have been looking for ways around GDPR. This is hardly surprising, as some of these organisations’ entire business model is predicated on selling or manipulating consumer data. One sign that organisations are prepared to put data at risk – rather than shouldering the burden of protecting customers – is the trend towards sending more and more unencrypted data back to the browser to be presented upon each new session. This means the organisation does not hold the data, and allows them to get permission from the user in one neat “we use cookies” message!

The summary is that if an organisation is doing the right thing – for the benefit of users – and taking steps to protect its data, it should be OK. With any new legislation there will be a period where things are tested, so expect some interesting public lawsuits or disputes. But once the dust has cleared, I think it will be a better, safer place for your data.

Firms will get their GDPR ducks in a row

Luke Brown, VP EMEA, WinMagic

As time goes on, and the impact of complying with these new regulations becomes better understood, we’ll see companies placing ever tighter restrictions on who can access their data, where they can access it from and what they plan to do with it. In the next six months we’ll see a groundswell of organisations frantically bolstering existing data-centric security policies to ensure they will pass muster should the ICO come calling. Some companies are prepared today. Many more are not.

Fast forward to the autumn and it’s fair to expect that more companies will have their GDPR ducks in a row. I suspect that we’ll also see the first breach too. If the victims of that breach are customers / partners / employees of an organisation that’s made the sensible decision to encrypt its data – there’s no harm done. If, however, they’re one of the ones that chose not to encrypt their data, the net result in terms of reputational damage and financial penalty could sink them.

Twelve months

RegTech will boom post-GDPR

Tom Harwood, Chief Product Officer and Co-Founder, Aeriandi

Regulatory Tech – or RegTech as it’s more commonly known – is a term created by the Financial Conduct Authority. Essentially it is about developing technology that can help financial firms to better comply with regulations. GDPR has serious teeth in terms of the changes that organisations need to make, and the financial penalties should they fail to comply.

A great example of where RegTech is already helping address compliance challenges is in the voice space. Just imagine how much personal data is held within call recordings. These are ubiquitous; many companies across a range of sectors store data. With GDPR offering customers new rights to access, view and delete this data, how can companies ensure they can offer this capability? How will they even know what data they hold? A technology approach to the problem is the only way many organisations will be able to address these challenges effectively. That’s why, for me, RegTech will be a winner post-GDPR.

DevSecOps will become increasingly important

Marianne Calder, VP & MD EMEA, Puppet

Now that GDPR has officially come into effect, we expect large European enterprises will continue to make changes over the next 3, 6 and 12 months. One thing we anticipate seeing far more of is the adoption of DevSecOps practices to enable teams to have the right visibility, security and compliance needs for the future. Automation in this area helps to prevent human error in access protocols, and streamlines this time-consuming task. This will be critical for maintaining compliance on an ongoing basis from now into the future.

While the 25th May compliance deadline may have passed, it seems that the journey for many companies is still ongoing. As the first fines are issued and consumers take more interest in how their personal data is being used, it is clear there will be significant changes in the next few months in business practices, training and technology to help address the regulation. While the specifics of these changes may still be up for debate, it is clear that businesses are on a path towards stringent compliance and a new approach to data protection.

