From Inception to Evolution: Five Experts Discuss Five Years of GDPR

As we mark five years since the introduction of the GDPR, we look at how it has impacted those who do the work which it has affected the most. Dan Raywood talks to five people doing different roles around cybersecurity to understand the overall impact on their work.

Jon Baines, DPO, Mishcon de Reya

How do you feel the GDPR impacted your role from day to day in the last five years?

The thing that many people miss about GDPR is that it didn’t change the existing law that much – most of the definitions, principles, obligations and rights already existed under the 1995 Data Protection Directive (implemented in the UK by the Data Protection Act 1998). What did change was the focus. That was for two main connected reasons: 1) the enforcement scheme under GDPR massively ramped up the potential maximum fines – in the UK, the previous maximum had been £500,000, and now it had become €20m or 4% of global annual turnover, and in some EU countries their prior laws hadn’t even allowed for fines at all; 2) GDPR gained massive publicity (with the support of significant EU funding) which led to data protection becoming a boardroom topic, which it had rarely if ever been before.

The consequence for someone like me, acting as an advisor, is that my services were called on in a way and with a frequency I’d never seen before. When you add on the complexities that Brexit then brought, with the retention of the GDPR as the “UK GDPR” but a whole new domestic regime to consider, the last five years have been hectic and challenging (but massively interesting!)

Obviously, it created the DPO role. What about Subject Access Requests, is that external part of your role as crucial as overall internal data protection internally?

DPOs existed before GDPR. But you are right that GDPR put them on a statutory footing. Similarly, SARs were not something new, and they had had statutory status in the UK since 1984(!), and DPOs and lawyers were already well-used to dealing with them, but, for the reasons given in the first answer, SARs became much more known after GDPR came in.

Furthermore, organisations were no longer allowed to charge the small fee they had previously been able to. Numbers received have generally increased for most organisations, and complaints to the Information Commissioner about them have also done so.

As someone who advises external corporate clients on responding to them but also advises individuals on how to make them, I know how challenging they can be to deal with, how helpful they can be for those making them, but also how frustrating and costly the process can be for both sides. They are not going away – the current Data Protection and Digital Information Bill will retain them, with likely minor amendments – and they should now be seen as part of the regular business of most if not all, organisations, as well as a valuable tool for individuals when seeking to assert their rights.

Bronwyn Boyle, former CISO and cybersecurity specialist in financial services

How do you feel the GDPR impacted your role from day to day in the last five years?

While security was often historically perceived as a tech issue, GDPR acted as a catalyst to break down silos and drive a more holistic and collaborative approach to security. It raised the profile of security, with Boards and C-Suites rightly demanding transparent insight into the ongoing performance of security controls and management of related risks.

Many of us in the security community were delighted to see a clear shift in dynamics. Instead of fighting to get messages heard, CISOs were invited to take a seat at the table and contribute to organisational strategy.

How much did this data protection and user privacy regulation affect overall information security?

GDPR has provided a fantastic opportunity to deepen collaboration and improve mutual understanding across organisations. Business and security teams continue to work closely and ensure personal data is safeguarded throughout its lifecycle. It’s great to see how GDPR can act as a shared framework to bring together the many different teams that touch personal data at various points. I’m delighted to see how GDPR has driven lasting change in improving cross-functional collaboration.

GDPR has acted as a cultural pivot point: employees and end users alike became better aware of the value of their data and the need to keep it safe through secure behaviour. It also continues to drive better corporate behaviour, with companies held to account for infringing on the rights of data subjects. In the current climate of data-hungry AI experimentation and rapid adoption, this type of safeguarding is needed more than ever.

Eduardo Ustaran, global co-head of the Privacy and Cybersecurity practice, Hogan Lovells

How do you feel the GDPR impacted your role from day to day in the last five years?

After the initial tsunami of work following the implementation of the GDPR, the past five years have seen a consolidation of issues that have become the top priorities from a compliance perspective. Key efforts have been devoted to getting the basics right (from lawful grounds to transparency), addressing individuals’ rights and, of course, international data transfers.

Perhaps the most exciting part of the GDPR from a day-to-day perspective has been how to master some of its novelties, like deploying data protection impact assessments, helping DPOs with their responsibilities, and meeting the data breach notification requirements.

Do you think people understand what it is about, why it was introduced, and what it achieves?

People definitely acknowledge that GDPR makes data protection real. Everybody knows about it and talks about it, although whether everyone understands the nuances and complexities of the law is a different matter. With its international recognition, this has been the greatest success of the GDPR.

When you have risk-based regulation, it is challenging to clearly understand what that regulation does because the same obligations apply in different ways depending on the circumstances. Above all, there is a pretty universal recognition that the GDPR is about handling personal information responsibly and that it does not get in the way of developing technology or doing business.

Neil Thacker, CISO, Netskope

How do you feel the GDPR impacted your role from day to day in the last five years?

The GDPR has directly impacted my role as CISO at Netskope – but it started almost seven years ago in terms of preparing for the GDPR. Whilst many of the fundamental controls did not change drastically from the UK DPA, the importance of data protection and data governance, especially in showing maturity and reporting over that period of time, has increased.

This importance has been felt not only internally but also across third-party suppliers who are involved in processing any form of personal data. We ensure all of our suppliers meet strict requirements to ensure that they, acting as sub-processors, also meet the high standards we apply to data protection.

It’s been a very positive experience, especially as we have automated many of the tasks involved in managing suppliers, securing new data flows and protecting personal data at rest and in motion.

Dominic Vogel, Founder and Chief Strategist, Cyber.sc

Do you feel the GDPR has impacted the way you work in the last five years?

The short answer is absolutely! My work primarily focuses on SMBs in the B2B space, and it is a night and day difference in how privacy is prioritised. Any of my clients that desire to have a presence in Europe automatically build with privacy in mind; even organisations that don’t have any business in Europe may be selling to organisations that do, and as a result of how GDPR has intertwined in broader supply chain due diligence, these organisations find themselves needing to prove GDPR compliance.

Has there been an understanding of what the GDPR aimed to achieve from outside Europe?

To a degree, understanding certainly varies by sector: there are SMBs now that have solid privacy programs in place and integrate privacy by design. That wasn’t the case before. GDPR kicked off a more meaningful era of privacy discussions here in North America. As a result, we are seeing more improved and modernised privacy legislation and laws.

Some speculation is that other regulations could be created to replicate the GDPR. Do you see any direct evidence of that happening?

I wouldn’t say that I’ve seen any “direct evidence”, but as technology is rapidly changing and evolving (AI anyone?), there is a need to keep privacy laws like GDPR current and updated. We can no longer write privacy laws that can remain unchanged for decades. They will need to be more agile and refreshed more often to keep pace with technology.

Final Thoughts

Sam Peters, CTO, ISMS.online

Reflecting on the impact of GDPR, it is clear that this regulation has brought about transformative changes in data protection practices worldwide. GDPR has empowered individuals, set higher standards, and fostered a global privacy and data security dialogue.

The harmonisation of data protection laws across EU member states has been a significant achievement, providing a unified framework for businesses and privacy professionals. It simplifies compliance efforts and ensures consistent standards across borders and for companies. This harmonisation should serve as a model for further standardisation, improving enforcement, and enabling better understanding and application of regulations.

With over 140 data privacy regulations now operating globally, however, there is little harmonisation for businesses that must comply or demonstrate compliance with these many varying regional and country-specific regulations outside that of the GDPR. Over the next five years, managing compliance complexity will be an ongoing challenge.

While compliance challenges may seem daunting, it is essential to recognise the value of effective compliance management software. Robust implementation of compliance software streamlines processes, eliminates repetitive tasks, and enables organisations to focus on specific compliance divergences. By leveraging compliance software, businesses can save valuable time and resources, enhance internal efficiency, and provide regulators with evidence of compliance.

In the week that Meta received a $1.2 billion fine for GDPR infringements, it is a timely reminder for organisations to prioritise compliance. It also sends a clear message – get your house in order! Organisations that execute this well will unlock benefits far beyond regulatory compliance. Good infosec is good business.