On May 25, 2024, the General Data Protection Regulation (GDPR) marked its sixth anniversary.

Introduced by the European Union in 2018, the GDPR has been a pivotal force in shaping data privacy and security practices worldwide. This comprehensive regulation has not only heightened awareness about data protection but has also set a global benchmark for data privacy laws.

The GDPR was crafted to safeguard the fundamental rights and freedoms of individuals, with a particular emphasis on personal data protection. As digital connectivity surged, the EU Parliament recognised the urgent need for updated regulations to cope with a world where data has become an invaluable currency. Thus, the GDPR was brought into being, replacing the 1995 Data Protection Directive and introducing stricter, more relevant guidelines for the modern era.

Over the past six years, the financial repercussions of GDPR violations have been substantial. Research by NordLayer reveals that fines totalling €4.5 billion have been levied for GDPR breaches. Spain, Italy, and Germany are the top enforcers, with Spain alone accounting for 842 fines amounting to €80 million (£68.16 million) since the regulation’s inception.

Indeed, the enforcement of GDPR has been a complex and challenging journey for many organisations, forcing data practitioners to take a far more thorough, ethical and transparent approach to handling personal and sensitive information.

Despite many hurdles, the regulation continues to have an undeniable impact on enhancing individual data management and ensuring corporate accountability for data mishandling. GDPR has fundamentally transformed data management practices, underscoring the critical importance of privacy rights.

As the industry reflects on GDPR’s six-year impact, the conversation pivots to its future implications. The regulation has prompted significant advancements in data privacy, but the ongoing evolution of digital landscapes poses new challenges and opportunities. What remains clear is that GDPR’s influence will continue to resonate, driving the global agenda for data protection and privacy.

“We’ve witnessed businesses across industries change their data handling practices and invest in security measures to achieve compliance,” said Carlos Salas, cyber security expert at NordLayer.

“While full compliance has been challenging for many companies, the GDPR’s impact in empowering individuals and holding organisations accountable for data mishandling cannot be overstated. It has reshaped the digital landscape, forcing a much-needed prioritisation of privacy rights,” he adds.

As reported by Verdict, Steve Bradford, Senior VP EMEA at SailPoint, asserts that businesses should keep pushing forward in their compliance efforts in order to mitigate risk.

“In the six years since GDPR’s launch, the cyber landscape has evolved at breakneck speed…from targeted social engineering to the rise of deep-fakes, cyber criminals are using increasingly sophisticated tactics to steal sensitive information.”

“GDPR paved the way for the increased importance of regulation to help companies protect their data. But to keep on top of evolving threats, organisations need to be on the front foot,” he says.

Compliance in the AI era

As organisations worldwide embrace generative AI and other emerging technologies, meeting regulatory demands remains an essential and pivotal issue. With the European Union (EU) AI Act on the horizon, businesses face new layers of complexity in their compliance journeys.

But there are lessons that can be taken from our experiences with GDPR, as Bram Hoovers, Director of Legal at Considerati, explains to GRC World Forums:

“The GDPR, compared to the privacy directive, emphasizes not just compliance but also the ability to prove it, which entails extensive documentation.

“This includes policies, document management systems, and data governance, necessitating significant paperwork. Clearly defined roles and responsibilities are crucial, ensuring accountability. Without coherent policies, training efforts lack direction, akin to building a house without a foundation.

“Similarly, the AI Act, spanning around 500 pages, mandates robust data governance, risk management, monitoring and complaint procedures. Implementing these procedures post-mapping is needed to avoid pitfalls.

“Further pitfalls lie in starting AI projects without established procedures and delineated roles. Even more than privacy regulations, the AI Act involves various stakeholders, including data scientists, developers and legal, necessitating alignment across departments.

“This complexity makes it all the more important to have cohesive collaboration within organisations, bridging legal, business, and technical domains for effective AI governance.”

Know the risks

Compliance in the age of AI will demand new levels of data governance and management, especially as businesses bid to innovate while handling data in a way that satisfies evolving legal standards. The theme is central to debate this October at #RISK London.

#RISK London 2024

We’re excited to share that #RISK is back in London for its third consecutive year, ready to equip attendees like you with the knowledge, insights, and connections crucial for navigating today’s dynamic risk landscape.

#RISK London 2024, 9-10 October, ExCel - GRC. AI. Privacy. Security. RegTech

Key #RISK London sessions include:

Decoding the Data Maze: Understanding Privacy Regulations in a Globalised World

Beyond Compliance: Building a Culture of Privacy by Design

Location: PrivSec Theatre

This session will delve into the concept of “Privacy by Design,” a proactive approach that integrates privacy considerations into every stage of product development and data processing.

Experts will explore strategies for fostering a culture of privacy within organisations, from employee awareness training to implementing data minimisation practices.

RegTech for KYC/AML: Navigating the Evolving Compliance Landscape

Location: RegTech Theatre

KYC/AML compliance is a constantly evolving challenge for organisations operating in regulated industries.

This session will delve into the ways RegTech is revolutionising KYC/AML processes, enabling organisations to automate customer onboarding, enhance due diligence, and strengthen risk monitoring.

Learn how innovative solutions are streamlining compliance, reducing operational costs, and improving the customer experience.

Discover the latest regulatory requirements for KYC/AML compliance and explore how RegTech can help your organisation stay ahead of the curve.

Obtain valuable insights into emerging trends and challenges in RegTech for KYC/AML, and discover practical solutions for optimising your compliance efforts while mitigating risk.

These are just two of the exclusive sessions taking place at #RISK London this October

Discover more at #RISK London

Taking place October 9 and 10 at London’s ExCel, #RISK London brings high-profile subject-matter experts together for a series of keynotes, engaging panel debates and presentations across four separate theatres:

• GRC Theatre

• RegTech Theatre

• PrivSec Theatre

• Risk Theatre

Each theatre is dedicated to examining the challenges and opportunities that businesses face in times of unprecedented change.

By breaking down silos and aligning systems and workflows, organisations can streamline decision-making, improve efficiencies, and enhance the customer experience.

Attendees will be able to learn how to mitigate risks, reduce compliance breaches, and drive performance.

“#RISK is such an important event as it looks at the broad perspective. Risks are now more interconnected and the risk environment is bigger than ever before.” Michael Rasmussen, GRC Analyst & Pundit, GRC 20/20 Research