GDPR has reshaped the business world and the change is not over yet

Editor's Note: This article was originally published on www.digitaljournal.com.

GDPR has been in force for around five years. The regulation has helped to protect the rights of many, although not everyone’s needs have been met. From the business perspective, the regulation has presented both opportunities and threats.

Two business experts tell Digital Journal what these challenges are and what the future holds for privacy regulation.

According to Paul Trulove, CEO of SecureAuth the regulation needs to be made more robust and extend further into cyberspace. Trulove notes: “Consumer privacy has been a huge concern since the dawn of the Internet. Aside from the obvious security concerns, people started to realize that their personal information was a commodity that was being monetized and exploited by large corporations (sometimes of dubious integrity). GDPR was the first truly wide-reaching attempt to codify and enforce consumers’ (and employees’) rights to privacy.”

It is a case that GDPR needs some updating to meet the requirements of the digital age. Trulove spells this put: “When it launched, most companies were scratching their heads about how to comply – or even if they needed to comply. GDPR was seen as a significant barrier to doing business in the European Union, the United Kingdom, and other geographies that had adopted GDPR-style legislation.”

This is not to infer that GDPR has not been impactful: “However, over the last few years, GDPR has become a standard – and has changed the way companies talk about privacy. Impacting everything from policy and legal considerations to product design to operational processes. Thanks to GDPR, consumer and employee privacy protections have been normalized throughout the global corporate world.”

In terms of technologies that can support GDPR, Trulove calls out: “Two factor authentication is not required but preferred for accessing systems that process personal data, per the guideline issued by ENISA — the European Union Agency for Network and Information Security — which advises member states and private sector organizations in implementing EU legislation. However, given the current state of multi factor authentication which can be easily breached, we highly recommend that the organization should leapfrog and move toward a tighter authentication with invisible MFA and eliminate passwords.”

The second expert shedding light on GDPR is Alastair Parr, SVP of Global Products & Delivery, Prevalent Inc.

Parr looks at the expansive requirements within the business sector: “As it celebrates its fifth year driving positive change, GDPR continues to impact the practice of third-party management with its treatment of privacy as a core requirement. To this end, privacy teams are operating in lockstep with procurement and information security teams, ensuring that GDPR obligations are specified and tracked throughout the third-party lifecycle. Accordingly, we expect businesses to become better at tracking non-conformities within their extended enterprises.”

Parr also notes the international of the GDPR philosophy, a trend that looms set to continue: “As well, we see that organizations are beginning to see data privacy obligations as a global expectation, not just a requirement of their EU operations. For example, CCPA, the DPA 2018, and PIPEDA all bear a strong similarity to GDPR, reinforcing the perception that it set the precedent for what good data protection practice looks like for consumers and businesses alike.”