Guest post: GDPR turns five – Reflecting on the changing nature of data privacy strategies

By Andy Teichholz, global strategist, compliance & legal at OpenText

The years teach much which the days never know.”

This Ralph Waldo Emerson quote has been on my mind recently, especially as the fifth anniversary of the General Data Protection Regulation (GDPR) rolls around. If you were to assess the impact of the EU’s ground-breaking data privacy regulation on a day-by-day basis, you might not find any meaningful takeaways or perspective to draw upon.

But looking back, half a decade since its introduction, businesses are facing a very different world when it comes to how they manage personal data. There have been quite a few positive changes, such as the transformation of IT infrastructure to improve security postures and the adoption of information governance frameworks to support personal data lifecycle management.

Perhaps most significant is the rise of consumer awareness during that time. With a more knowledgeable global community, there is a growing demand for businesses to be more transparent in their activities – particularly how they handle and protect personal data. Simply put, people are now much more aware of the risks around their personal data, including where it is stored and who can access it.

A model for other countries to follow, the GDPR has played a huge part in raising that awareness, as has continuing high-profile news coverage of data breaches. Considering all this, consumers are more active when it comes to asserting their data privacy rights and ensuring that their information is safeguarded. Recent research conducted by OpenText, for example, found that 76% of consumers have new concerns about how companies are using their data. As a result, organisations continue to evaluate their data privacy strategies and operationalise their privacy program activities.

Challenges remain to gain customer trust

Reputational management is driving executive business discussions and the investments they are making to bolster data management. According to our research, 46% of consumers would no longer use or buy from a company they were previously loyal to if it failed to protect their data from a breach. With purchasing decisions often based on how one believes an organisation is managing and safeguarding their personal data, it is no surprise that commitment to innovation is as much, maybe even more, about protecting the brand and maintaining customer loyalty as it is about potential harm associated with the actual regulatory fines and penalties themselves.

Under the GDPR, data subjects also have specific rights to their personal data including, but not limited to rights to access, correct, delete, and even porting their data, and must do so within stringent deadlines that are often not met. Surprisingly, many organisations still rely on manual processes to respond to these requests which often impacts accuracy and increases the risk of meeting fulfilment deadlines. Failure to improve processes here affects customer confidence. Our survey underscores the potential impact failures associated with these requests have on consumer attitudes. A little more than a third (34%) of consumers stated that they would completely abandon a brand if it failed to respond to these Subject Rights Requests (SRR). Just about the same (32%) felt the same way if a SRR was not completed or dealt with satisfactorily. These findings demonstrate that businesses must build an overarching strategy when it comes to data privacy.

Technological innovation can help

Thankfully for business leaders, progress is underway. Technology is advancing and there are a number of options and approaches to improve data compliance and transparency. Tools like AI and machine learning can help companies assess, categorize, manage, and protect all data appropriately throughout its lifecycle.

In terms of SRRs, especially Data Subject Access Requests (DSARs), teams are leveraging information retrieval technologies including eDiscovery tools (with their advanced analytics, technology-assisted review, automated redaction, and production capabilities) to automate and accelerate the fulfilment process and design workflows – especially for high-effort requests that require the retrieval of personal data from multiple sources. These capabilities make for faster, more accurate responses. Optimising this process is particularly important as consumers look to reclaim control of their information and gain confidence in submitting such requests.

To harness the benefits of all of these tools simultaneously, organisations need to establish an integrated data management strategy. Doing so will support differentiation within the marketplace and offer an information advantage to win the trust of customers and improve the management and protection of their data.

At a time when customer trust in businesses is fragile, and the focus on data protection more intense than ever, we should use the anniversary of GDPR to reflect on what the years can teach us that the days sometimes obscure. Now we have the perfect chance to contemplate how we can build better, more integrated data management strategies for the next half decade and beyond.

Andy Teicholz is responsible for leading all global industry marketing activities and unified GTM strategy of OpenText’s information management portfolio for compliance and legal.

We don’t charge for guest posts, which appear here purely on merit. To submit an idea for consideration please contact