Businesses beat regulators at upholding principles of GDPR

In May 2018, the EU introduced what is now viewed as the gold standard of data protection regulations, the GDPR. Since then, organisations around the world have been fined millions of euros for failing to protect the data of staff and customers. At the same time every EU citizen has been empowered to request what information is held about them and even have it deleted.

As a result of GDPR, businesses have put in place processes to keep data secure and locate it more easily in order to deal with Data Subject Access Requests (DSAR). Both of these outcomes can only be good news for consumers.

In a world where personal data is traded as any other commodity other legislatures are now enacting their own versions, most notably the California Consumer Privacy Act (CCPA) in California, in hopes of emulating this success. 

However, the success of GDPR is being endangered by inconsistent application of penalties by regulators, particularly since the start of the recent global pandemic. A notable example is the decision to delay fines against British Airways and Marriott for their GDPR breaches. 

Against this background, three data protection experts give their views of GDPR as its second anniversary is marked.


  • Darren Wray, co-found and CTO at Guardum:


“Since its inception two years’ ago, the GDPR has successfully changed how people view data protection and set the standard for privacy of personally identifiable information not just in the EU but also around the world. It paved the way for international regulations such as the CCPA in California and Brazil’s Lei Geral de Proteção de Dados (LGPD) which are both heavily influenced by the GDPR. In fact, data protection laws are now being passed in places such as South Africa which has its POPI (South Africa’s Protection of Personal Information Act) and Japan has also amended its data privacy laws. 

These regulations are helping companies around the globe understand the real risk of data and recommending the best practices to help protect it. Companies that embrace these regulations are protecting themselves and their customer’s data. At the same time they are able to maintain compliance with GDPR and other national and international data protection and cyber security laws.

The world is a changed place and that needs to be reflected in a company’s data retention policies and practices. Customer’s expect companies who they entrust with their data to have processes that ensure their data is safe and secure. In short GDPR, CCPA and similar regulations around the world set customer’s expectation for how their data should be treated and set the bar for how organisations should collect and process personal information. A failure to comply can, of course, become a regulatory issue, but in many cases, it may well become a commercial issue before that, as data privacy has become an ethical and governance hygiene indicator.”

  • Matt Lock, Technical Director UK at data security firm Varonis:

“Many companies took the GDPR seriously and made great progress ramping up their data protection measures. Reports that the ICO isn’t taking forward any cases and delaying current ones sends the message that regulators have pressed pause for the time being. 

 There isn’t time to lose — the public needs to know safeguards will remain firmly in place and that companies that stray from GDPR requirements will be held accountable. Especially at this time when personal data is being shared and processed in efforts to manage the pandemic. It may be tempting to bend the rules now, but industry and regulators can’t turn the clock back.

It’s reasonable to expect some lag time as regulators and companies re-assess their priorities during the COVID crisis. Ignoring data protection in the short term only opens the door to long term issues. 

The pandemic forced companies to get their teams up and running remotely. In the rush to remote work, many organisations eased access and normal safeguards to ensure everything could remain business-as-usual. In doing so, they widened the attack surface. No doubt, there are companies that have been compromised and simply don’t know it yet. In the weeks and months ahead, expect to see a slew of disclosures to the ICO.  

Companies and regulators must prepare for an upcoming wave of targeted cybercrime. Attackers typically encrypt data and hold it for ransom. In the months and years ahead, sophisticated attackers will go after valuable “big game” targets and quietly steal important information before they encrypt it. Victim organisations will be forced to pay twice – once to get their data back and again to pay off the attackers out of fear that their biggest corporate secrets will be spilled.”

  • Grant Geyer, Chief Product Officer of Claroty:

“Just as important as the principles the regulation stands for, the European Union’s global enforcement of blatant and wilful violations of the rights of European citizens to have their personal data safeguarded has raised its prominence to the gold standard of data protection regulations worldwide. In today’s global economy, GDPR has swiftly created a replicable regulatory blueprint that represents a win for citizens to maintain ownership over their personal data. That’s a sacred right in a digital economy where for many years personal data has been abused and monetised without awareness, consent, or recourse.”

Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.