A Retrospective Of GDPR ’s First Year: What It Means for You

Ciarán Daly

May 24, 2019

6 Min Read

by Jelani Harper

SAN FRANCISCO - Deployments of artificial intelligence and data-centric practices around the world were forever changed with the European Union’s enforcement of the General Data Protection Regulation (GDPR) as of May 25, 2018.

Or were they?

In the year since the passage of perhaps the most comprehensive set of regulations determining how organizations store, share, safeguard, and surface consumer data, GDPR has quietly slipped out of headlines—but not from the data management practices of companies under its global jurisdiction.

It’s difficult to access any reputable website without notification of policies regarding cookies and collecting information, which is just one of the many changes directly stemming from GDPR. Nevertheless, it was the huge penalties associated with data breaches that caused the greatest clamor for complying with this regulation, spurring all but the most careless companies to take notice.

Research indicates that as February, 91 fines were issued due to GDPR non-compliance, despite over close to 60,000 data breaches since it took effect. These numbers indicate one of two things: either organizations complied with GDPR’s strict 72-hour notification regulations for breaches—or the EU is just getting started.

“I would compare it to a toddler and describe GDPR’s first year as a transition year, and European regulators as still a bit like indulgent parents,” DH2i CEO Don Boxley reflected.

Whether or not GDPR’s ramifications become more acute over the next 12 months is uncertain. What’s been established is there are still measures organizations must take to locate Personally Identifiable Information (PII), protect it, dispose of it, and make it available upon demand to satisfy this regulation.

“GDPR is as much about culture change as it is about a technology paradigm shift,” acknowledged Dennis Chepurnov, Hyland marketing principal. “In fact, most of the technology enabling GDPR hasn’t been anything that new in the information management market. It’s the old stuff like records management, retention, analytics, reporting, and being able to effectively manage the lifecycle of the content within the organization.”

Related: Operationalizing regulatory compliance with deep learning

Machine intelligence for compliance

Interestingly, most of the data management practices necessary for adhering to GDPR are suitably enhanced with machine intelligence. Virtually all the processes Chepurnov described begin with data capture before being intelligently routed bymachine learning applications.

According to Chepurnov, this technology is extremely influential for discerning different forms of customer data and recognizing “this is an invoice, this is a job application, or this is a resume, or this is a transcript of a student for example, and being able to intelligently identify that type.” In this use case AI initiates the lifecycle management process vital to GDPR once data is ingested in the organization.

Moreover, by extracting the necessary information from various documents or data sources, these AI techniques can actually “not only send them to the right systems, but also intelligently apply retention and security settings to that piece of data,” Chepurnov said. “If it’s a resume it needs to have HR specific security and retention; if it’s a tax record it needs to go to legal or some accountant.” By properly identifying different data types, machine learning mechanisms can begin the measures for managing data in accordance with GDPR since “helping simplify that improves the accuracy and therefore reduces risk to the organization, and ultimately to the customer whose information is being ingested,” Chepurnov mentioned.

Related: How to build, train, test and deploy a machine learning model

Cyber security and data breaches

As the ratio of GDPR fines to instances of data breach indicate, this regulation focuses on much more than cyber security concerns. The stiffest GDPR fine thus far was the approximately €50 million the French data protection authority (CNIL) assessed Google for processing personal data for advertisements without proper authorization, which isn’t related to a security lapse.

Although preventing data loss is one of the aims of this mandate to protect the consumers whose data organizations possess, “GDPR wasn’t meant to be a security regulation,” Chepurnov noted. “It didn’t really establish any technical requirements: it didn’t specify that your encryption had to be at least 256K.”

Still, the correlation between fortifying security and decreasing the instances and magnitude of data breaches is apparent for protecting the privacy of data citizens. Such security concerns are amplified in today’s hybrid and multi-cloud computing environments, which are more distributed than ever.

“In GDPR’s second year, it will be critical that companies know 'when to say when' and finally scrap any ineffective strategy or technology that isn't able to support today’s decentralized data environment characterized by cloud, IoT, etc,” posited Boxley.

By deploying security mechanisms as flexible as transferring data is among these settings, organizations can not only remain pliant but also better their chances for securing the privacy of consumer data for such applications. “Certainly, replacing dated technology, such as VPNs, with newer, more powerful solutions, such as software defined perimeter solutions, is a great place to start,” Boxley said.

Related: The new machine learning lifecycle - five challenges for DevOps

Newly defined data culture

GDPR’s ultimate impact on AI and data-driven processes around the globe seems to be informing data culture with a newfound appreciation for consumer rights of the PII organizations house so freely. As the scarcity of egregious examples of non-compliance seemingly imply, the EU’s approach to achieving this objective may not have been as exacting as it perhaps first seemed prior to GDPR’s enforcement.

According to Indico CEO Tom Wilde, “Everybody we talked to took it extremely seriously. The penalties were large. Every company I’m aware of made a very concerted effort to get into compliance. Now, is everyone in compliance? [It’s] hard to know.”

What’s much less difficult to determine is the healthy understanding organizations have for PII, consumer rights to data, and issues of data privacy. Whereas prior to the enforcement of GDPR these issues may have been on the periphery of data culture, today they’re much tighter ingrained in the conception of what data culture means to society as a whole.

“I think honestly, that was probably part of the intent of this regulation: to generate that awareness among the businesses and other organizations globally, and make businesses think more strategically about how they acquire, manage, and dispose of critical information that may potentially impact their customers,” Chepurnov said.

The symbiosis of the positive relationship between organizations and customers attributed to this effect of GDPR is also worth noticing. “Managing information with more care, with more responsibility, and improving data accuracy reduces the risk to the organization,” Chepurnov explained. “It ultimately improves relations with the customer, right? When you’re not losing their data, chances are you’re going to keep them a little longer.”      

Jelani Harper is an editorial consultant servicing the information technology market, specializing in data-driven applications focused on semantic technologies, data governance and analytics.

Keep up with the ever-evolving AI landscape
Unlock exclusive AI content by subscribing to our newsletter!!

You May Also Like