23.05.2023 | News

Five years of the GDPR: It remains difficult

A commentary on the GDPR, data protection and practical implementation in companies by IntraFind CEO Franz Kögl.

The harmonization of data protection in the EU was a watershed in terms of informational self-determination. Since 25 May 2018, the GDPR requires companies to take responsibility for personal data. Yet five years later, people in the EU are still far from being able to rest easy under the data-protecting hand of Justice. Indeed, many businesses still fail to protect data. The reasons for this are wide-ranging.

One of the greatest difficulties of the information age is undoubtedly data overload. Every application process, every customer email and every website visit adds personal data to companies' data stores. But the huge number of data sources is only the beginning of the problem, because data rarely converges in a single, central and manageable repository. In most companies, the opposite is true. Sensitive information is usually spread across their entire IT infrastructure - from cloud storage to on-premises data centers to the individual clients on which employees store their data locally. On the software side, there are further challenges, because companies usually use numerous tools, from email programs and communication apps to databases and cloud services. Not only do these tools collect and store vast amounts of data, but they do so in many different formats.

Why companies fail with data protection is quickly illustrated with a parable: Imagine a library. In the course of a clean-up operation, the librarian has to remove the word "data protection" from all books - in every language and from every book, even if it has just been lent or is no longer in the register. This is roughly how data protection officers feel when people want to exercise their right to no longer appear in a company's records. With conventional search options and tools, it is practically impossible to ensure complete removal. This makes companies vulnerable, even if they act in good faith.

An additional problem is the dependence on clouds and applications based in the US. This problem will persist indefinitely and is difficult to bypass. Time and again, data protection advocates complain that GDPR-compliant use of such software suites - especially in public authorities and educational institutions - is not possible. Project Gaia-X, which the EU initiated in 2019, offers a glimmer of hope. The aim is to develop a "competitive, secure and trustworthy data infrastructure for Europe". However, things have gone suspiciously quiet around this ambitious idea lately.

Companies must therefore help themselves. One of the cornerstones is raising awareness among employees: Data protection and the conscientious handling of personal information must become second nature. It is equally important to index the existing data with the help of software and make it findable. This is the only way companies can delete data in case of doubt. Enterprise search solutions play a decisive role here. Only they can find all personal data in any format and regardless of where it is stored.

The GDPR has set a lot in motion in the last five years. A next step is in the pipeline, as the European Commission plans to revise the General Data Protection Regulation. What fruits the GDPR update will bear in the end remains to be seen. In any case, data protection can only win if it remains in the conversation.

The author

Franz Kögl
Franz Kögl is co-founder and co-owner of IntraFind Software AG and has almost 20 years of experience in Enterprise Search and Content Analytics.