In acknowledgment of the GDPR anniversary (25th May), Yiannis Fragkoulopoulos, Buyer Safety Director at Obrela Security Industries, assesses the current use of GDPR as well as the challenges it poses for businesses of all size, regardless of geographic location.
GDPR has come under some scrutiny in the years since its implementation. In theory, the General Data Protection Regulation is designed to give users in today's fast-moving and data-driven economy more power over, and insight into, the processing of their personal data. However, despite the positive intentions, GDPR is by no means a polished form of regulation. The news that the UK is technically no longer part of the EU scheme after withdrawing from the European bloc has left many reeling.
However, despite the positive steps that GDPR presents, such as enhancing individuals’ rights over their personal data and simplifying the regulatory requirements for international business being conducted within the European Union, GDPR has several flaws that at best present glaring errors, and at worst can put consumer rights in danger. Throughout this article we will be discussing and delineating the many shortfalls of the EU’s GDPR and how these could be rectified in order to provide greater visibility into the inner workings of data processing and protection.
What does not work about GDPR?
GDPR presents issues for both organisations and consumers. At a higher level, some businesses have been struggling with data retention: organisations have policies and processes in place that dictate timeframes for all the data they process, but the question arises: how efficient are they really? Furthermore, how can you achieve data retention technically when you need to keep backups for business continuity reasons? This complicates the data storage issue, especially in fast-moving and hybrid work environments.
While GDPR was implemented to give consumers more power over the handling of their data, in reality customers have limited or no visibility as to where their data are stored and transferred, especially in the age of cloud technologies. The vast majority of organisations are struggling to implement the processes and technology needed to support the data subject rights provisioned by GDPR, despite this being one of the inspirations behind the regulation.
The challenges presented by GDPR
GDPR poses several hurdles for organisations of all sizes, from enterprises to small and medium businesses (SMBs), and the regulation can often act as more of an obstacle than a source of meaningful data security. For small businesses, which may already be struggling to process large amounts of business-critical information, GDPR can present many challenges. Those businesses processing personal and sensitive data as well as corporate secrets may be hindered by limited technological capabilities due to an understaffed workforce.
It has become increasingly difficult for smaller businesses to attract talented cybersecurity and data security professionals as the global skills shortage worsens. This can make it incredibly difficult for smaller businesses to limit the flow of data and safeguard it, particularly within overlapping teams. Another frequent challenge that small businesses face when adhering to GDPR is that they often do not have the required support or resources from their board or leadership team. It can be difficult to dedicate one person to the role of data protection officer (DPO), despite the fact that this is a crucial aspect of data security. This leaves glaring gaps or can spark conflicts between internal departments, and outsourcing the role to third-party management is a solution that does not always provide a good return on investment.
On the other hand, even large businesses with dedicated data security teams and budgets face challenges in achieving GDPR compliance. For groups of companies that operate within sprawling networks of data, it has become increasingly difficult to isolate the data, systems and critical information that have been processed, particularly if the data is frequently moving between departments.
To make matters worse, many of the available applications and software packages were built in the pre-GDPR era, meaning that even expensive systems do not ensure full compliance. Examples of these legacy technologies and software include encryption, anonymisation, and masking. However, the biggest challenge for large businesses is to continue conducting business while using cloud technologies, because data, IoT and wearable devices, the innovation of biometric controls, and geolocation data have made it very difficult for data even to be quantified, never mind secured.
What can make GDPR better?
For some time, critics have suggested that a scaled data privacy regulation would be more effective than GDPR as it stands. In simple terms, this would mean a smaller organisation would have a different level of compliance requirement than a large business, like Facebook. However, this would only lead to a more complex regulatory environment full of confusion for all parties, particularly when deciding which group each organisation belongs to. Instead, each compliance requirement should be analysed and authorities need to provide guidance on each one (e.g. the extensive list of working parties, workshops and guidelines published on DPIAs).
In the future, when working on the new UK data protection regulation, there are issues with the current GDPR that must be addressed. Firstly, the transfer of EU and UK citizens' data between the two blocs should be streamlined and simplified. Organisations based in the UK or EU should also be clearly informed as to how they are expected to adhere to an ever-growing list of regulations. This should come from the top down: the government should open a dialogue between those processing data and consumers to ensure that each party is properly prioritised.
Many organisations in the UK are already compliant with GDPR, so any changes to the regulation could only result in confusion and perhaps even more lost data. Cybercriminals notoriously prey on fear and confusion to ply their trade, and only by providing as many safeguards as possible will the UK and EU be able to protect their data and their citizens.