5 GDPR trends defining business success in 2022

GDPR turns four next year, and though it took a few years to find its feet, 2021 has shown that compliance is primed and ready to climb next year’s C-suite priorities.

Thanks to a combination of growing public demand for data privacy and an increase in exposed data breaches, GDPR is finally being acknowledged as a business-wide concern rather than a legal issue confined within the risk and compliance department.

A company’s reputation, security infrastructure, and revenue are all potential victims of an ineffective compliance plan, meaning organisations are increasingly thinking beyond GDPR fines and acknowledging the internal and external impact of safeguarding data in their protection.

This more proactive, holistic approach to GDPR has to be dynamic, with flexible strategies that evolve and can cover emergent developments within the compliance sector.

Whether you’re in the process of creating your new compliance plan or want to be sure your current offering will stand up against the next 12 months, read on to find five of the top GDPR trends that all businesses should prepare for in 2022.

1. Remote and flexible working leads to greater exposure risk

While the pandemic continues to shape and define the way modern businesses operate, one of the emergent legacies of lockdown has been the global demand for remote working.

According to Thomson Reuters’ 2021 Report on the State of the Legal Market, pre-pandemic, around 37% of lawyers expressed an interest in working remotely. Fast forward to the close of this year, and that number has risen drastically, with three out of four lawyers stating they prefer to work from home.

In an attempt to safeguard workflows and income, companies across all sectors worldwide have been forced to migrate at least partially to online work environments, adopting more tools and new collaborative practices in the process. According to McKinsey, supporting this virtual workforce has fast-tracked many organisational digital transformation plans by up to four years.

Whether teams are working fully remote or within a hybrid model, this digital migration means that companies are now more exposed than they’ve ever been with employees handling more data, working across numerous platforms and sharing greater volumes of information outside of internal networks.

Traditionally, the response to increased exposure has primarily led to a focus on external forces – the hackers and scammers actively looking to take down businesses. However, when it only takes one employee to cause a data breach, it’s no surprise that the majority of GDPR fines that have been received so far haven’t been triggered by a cyber attack but due to a lack of internal compliance with Article 5 (concerning data processing activity), Article 6 (lawfulness of processing) and Article 32 (security of processing).

To tackle this rise in exposure, business owners will have to get serious about their awareness efforts and prioritise investing in strategic and effective training campaigns. In 2022, standard one-day training workshops will no longer cut it if a business wants to secure everyday employee compliance in the long term. Creative and consistent awareness strategies supported by tight internal regulations on device use and user access rights will become basic internal protocols to protect a company’s security, revenue and reputation.

2.  Get ready for an increase in fines

While it’s important not to reduce GDPR activity to headline-grabbing fines, it is important to note that year on year, penalties grow, and regulator activities have been on the rise. 2022 will be no exception, as public demand for privacy is set to increase alongside the confidence of local protection authorities in managing cases and calculating and issuing fines.

According to recent data acquired by Finbold, the cumulative number of GDPR violations surged 113.5% between July 2020 and July 2021. Over the same period, the number of fines imposed rose by 124.92%, with DLA Piper calculating that out of the €272m levied over GDPR’s three and a half year life span, €159m were imposed within the past 12 months.

With the latest EDPB discussions focusing on the streamlining of legislations and the need for local data protection agencies to work better together, regulation activity will undoubtedly continue to ramp up at an alarming rate. Whereas a company may have been able to get away with certain behaviour in the past, 2022 is not the year to take your chances when it comes to compliance.

3. Expect more regulations on digital activity

One of the greatest challenges faced by GDPR, both in terms of scope and impact, has been its inability to keep up with the data activities of big tech firms.

As we’ve seen in the past with numerous scandals, including the far-reaching Cambridge Analytica fallout, major players in tech industries have largely been operating with a big tech versus privacy rather than big tech with privacy mindset.

Towards the end of this year, we’ve seen regulatory bodies make greater strides towards tackling this issue. In mid-November, the EDGP published their Statement on the Digital Services Package and Data Strategy, specifically targeting digital activities such as AI, targeted advertising and big data.

The proposal, one of several digital services statements published since 2020, aims to push governing EU bodies into placing stricter regulations on previously unregulated online markets, platforms and gatekeepers.

Take AI. According to The World Economic Forum, AI and automation will lead to the creation of 97 million new jobs by 2025. With more companies and individuals using AI to process personal data, the EDGP report raises the need for stricter regulation on the use of AI, especially in public spaces and when used for emotion recognition.

With public appetite for greater privacy increasing, we predict that 2022 will be the year these EGDP concerns are turned into regulations, followed in turn by legislations, clearer guidelines and potential penalties for previously untouchable industries.

If your company is planning on integrating dominant tech trends into its digital transformation plan, we suggest keeping a close eye on emerging data regulations in this space.

4. Future facing legal tech needs to combine GDPR and Information Security

With legal departments predicted to triple their investment in legal technology by 2025 and budgets for legal tech expected to skyrocket, next year will be a crucial time for investment decisions.

When it comes to compliance and GDPR tech, there will be two main issues to consider. Firstly, companies will have to decide between two types of solutions on the market. Simple, standalone solutions that are cheap and improve digitalised GDPR efforts but work in silos, or more complex platforms with advanced capabilities such as data mapping and automated assessments, that are primed to move into the risk management market and support information security activity.

This ability to merge the world of compliance and information security is the second major factor businesses need to consider in their 2022 plans. With these two areas becoming increasingly dependent on each other for success, we predict that 2022’s leading companies will be those who have invested in software that encompasses the two.

While the information security arm of compliance may be new or daunting for some, it will become vital that teams are able to use their software to navigate areas such as audits, certifications and risk assessments in order to keep growing volumes of internal data secure.

5. Compliance will drive third party and business relations

By 2025, tech experts predict that 60% of organisations will use cybersecurity risk as a primary consideration when conducting third-party transactions and business engagements.

With compliance so closely tied to information security, you can expect to see the same rise in interest around data protection processes and policies. Businesses will receive more requests for information regarding their compliance and risk setup, as well as enquiries into the privacy plans, history and culture they have in place to safeguard personal data.

In particular, certifications and certification audits covering both GDPR and information security will become non-negotiable starting points for many organisations. Companies will want to know how secure their partners’ networks are before deciding whether or not they want to proceed with a contract and certifications offer a quick and easy indicator of an organisation’s security levels. It’s much easier to ask, “Are you ISAE 3000 audited and/or do you have an ISO 27001 certification” instead of sending, chasing and reviewing a 50 question assessment form.

If you don’t yet have a certification or your competitor has a better certification than you do, you can guarantee that 2022 is the year your clients and business associates take note.

Final thoughts

If 2021 taught us anything, it’s that a lot can change over the course of 12 months. While it’s near impossible to predict exactly what may happen next year, particularly as we’re still in the midst of COVID-19, the key is to ensure your compliance plan is dynamic with room for GDPR teams to apply necessary changes to documents, processes and training programs as the industry inevitably evolves alongside new and emerging trends.

For weekly risk, compliance and GDPR tips and trends, you can follow Complyon on LinkedIn. If you’d like to discuss how Complyon can help your company get ahead of this year’s GDPR trends, you can contact their team here.