VentureBeat: The State of the GDPR in 2022: Why So Many Orgs are Still Struggling

On May 25, 2022, NetSPI Managing Director Steve Bakewell was featured in a VentureBeat article called The State of the GDPR in 2022: Why So Many Orgs are Still Struggling. Preview the article below, or read the full article online.


Today marks the fourth anniversary of the EU’s General Data Protection Regulation (GDPR), which originally came into effect in May 2018, and forced organizations to rethink the way they collect and store data from EU data subjects. 

The GDPR gave consumers the right to be forgotten, while mandating that private enterprises needed to collect consent from data subjects in order to store their data, and prepare to remove their information upon request. 

However, even years after the legislation went into effect, many organizations are struggling to maintain regulatory compliance while European regulators move toward stricter enforcement actions. 

For example, Facebook is still having difficulties complying with the GDPR, with Motherboard recently discovering a leaked document revealing that the organization doesn’t know where all of its user data goes or how it’s processed. 

Of course, the challenge of GDPR compliance isn’t unique to Facebook. In fact, Amazon, WhatsApp, and Google have all had to pay 9-figure fines to European data protection authorities. 

But why are so many organizations failing to comply with the regulation? The answer is complexity.

Why GDPR Compliance is an Uphill Battle 

The widespread movement of organizations toward cloud services over the past few years has increased complexity on all sides. Organizations use applications that store and process customer data in the cloud, and often lack the visibility they need to protect these assets. 

“Companies have done a lot of work to bring their systems and processes in line with the GDPR, but it is a continuous exercise. In the same way regulations change, so does technology,” said Steve Bakewell, managing director EMEA of penetration testing provider NetSPI.

“For example, the increasing uptake in cloud services has resulted in more data, including personal data, being collected, stored and processed in the cloud,” Bakewell said. 

With more data stored and processed in native, hybrid, and multicloud environments, enterprises have exponentially more data to secure and maintain transparency over, data that sits beyond the perimeter defenses and oversight of the traditional network. 

Organizations like Facebook that can’t pin down where personal data lives in a cloud environment or how it’s processed inevitably end up violating the regulation, because they can’t secure customer data or remove the data of subjects who’ve given consent. 

Read the full article online.