May 25, 2020 marks the second anniversary of when the European Union’s General Data Protection Regulation (GDPR) took full effect. Undoubtedly, many organizations have succeeded in achieving compliance with the Regulation by now. But that raises some important questions. What benefits have those organizations experienced in achieving compliance, for instance? Have they encountered any drawbacks along the way? And how can those organizations that remain non-compliant finally get over the finish line? To find out, we asked experts in the infosec field to weigh in on the first two years of GDPR’s implementation. Their responses help to illuminate all the progress that organizations have made and all the work they could yet complete in the name of safeguarding consumers’ privacy.
Javvad Malik | Security Awareness Advocate at KnowBe4
It's been an interesting two years since GDPR came into force. In that span of time, over 1,300 fines have been imposed in response to the Regulation. If you look at the numbers graphically, we can see that there has been a consistent month-to-month upward trend in the number of fines. I don't think this will stop any time soon. Additionally, the cumulative total amount of fines has reached over 450 million euros, and that number keeps climbing. The two highest fines imposed have been due to insufficient technological and organisational measures for protecting data (basically security controls) at 204 million euros and 110 million euros, respectively. At some point, there will be an organization that receives the maximum imposed penalty of 4%, but most likely, it will be due to negligence in implementing proper security controls to protect personal data. That vulnerability will be exploited and cause an unprecedented data breach, which is when we will see the regulators bring down the 4% hammer.
GDPR has brought the issue of personal privacy to the forefront of discussion
From a positive point of view, GDPR has brought the issue of personal privacy to the forefront of discussion and made organisations more aware of their responsibilities. It's not only helped organisations within Europe but also had a knock-on effect to global organisations. A negative outcome has been where security people have hijacked GDPR in order to make it out to be a wholly security-related regulation. While security forms a part of it, it is by no means a security regulation. So, the usual case of snake-oil and poor implementations have plagued it.
Anthony Israel-Davis | Sr. Manager of R&D, Tripwire
https://www.youtube.com/watch?v=dHVZdmVPv-k&feature=youtu.be
Sarah Clarke | Data Protection & Privacy, BH Consulting
It is hard to believe it's been two years already. In one way, it feels very, very short. In another way, it's hard to believe how little distance may have actually been traversed. My most specialist corner of data protection is concerned with third-party governance. That was, is, and will remain one of the knottiest problems of all. It is tough from an internal point of view because most are still working to backfill adequate contract contents and really get a handle on third-party risks to defensibly triage their assessment and governance workload. It is also tough in the wider world. There's Johnny Ryan's case against the adtech giants. There’s Max Schrems' ongoing challenge to the validity of Privacy Shield and by extension the existing Standard Contract Clauses that so many rely upon. There's Brexit and the impending third country data protection status of the UK. But when and with what potential compromises? And that’s not to forget the ever-growing list of new regulations and laws (at last count 132 of 194 countries, with more laws waiting to pass).
GDPR 'compliance' was always going to be a journey rather than a destination.
So yes, two years, wow, but as we all knew from the beginning, and folk never tire of saying this, GDPR 'compliance' was always going to be a journey rather than a destination. It’s a journey we are all hoping will be taken more seriously by data protection authorities and the people who fund them. It’s a journey that will have fundamentally changed in ways we are yet to confirm once this COVID-19 crisis is past. Bearing all that in mind, I and a whole army of incredibly smart and dedicated people are here for the long haul to try and make our specific corners of this world just a little more mature and a little less painful for the rest of you, both those trying to do the right thing and those at the sharp end of data handling when we all, inevitably, make the odd mistake.
Chris Hudson | Lead Professional Services Consultant, Tripwire
The great challenge I still see in the industry that hinders a successful GDPR strategy is data classification systems. Far too many businesses are finding that they have insufficient identification mechanisms in place to support their GDPR assessments, thus hindering their implementation of related controls. Being able to value assets in your organisation is a skill with which many outside the world of IT are familiar. But there's still friction in building the frameworks to correctly classify data held by many organisations due to the potentially labour-intensive efforts that are required to be successful. Unfortunately, there are few shortcuts to success in this area, meaning there is a real need to invest the time and effort sooner rather than later.
...make sure your GDPR compliance projects dovetail well into any existing security programs you have in place
One way to help alleviate some of the pain points around this is to make sure your GDPR compliance projects dovetail well into any existing security programs you have in place. By using the results of data classification activities to support your efforts to implement additional security controls, you will end up building better overall security as part of your overall compliance strategy. After all, GDPR remains a solid way to assess improvements in your business’ security estate. This is a vital process for all organisations when they’re up against increasingly sophisticated cyber-threats.
Angus Macrae | Head of Cyber Security
I still very much stand by what I said back in 2016 on this: “We are all ‘data subjects,’ and we live in a world where key aspects of our lives will be ever-more determined by the data held about us. We also live in a world where that same data is more at risk and open to compromise than ever.” I went on to praise the legal onus to report breaches within 72 hours, which GDPR was then about to introduce. Under Article 33 of the GDPR, all organisations should by now have in place processes to report breaches to their relevant supervisory authority. The publicity that surrounded the introduction of GDPR also provided a ‘knock-on’ benefit of raising the profile and awareness of personal data protection to new levels. Everyone who is now involved in the processing of personal data of European citizens at all levels will at the very least have heard of the Regulation. Quite how far their understanding goes into truly appreciating their responsibilities (despite the mandatory corporate training, right?) is a different matter altogether. That brings me to a major drawback of GDPR: there are still far too many people who should know better by now. With many people, GDPR is still just a general ‘buzzword’ term that gets thrown around with little true context, meaning or accuracy. I have heard some quite ridiculous claims citing GDPR as a reason to justify doing (or not doing) something. Likewise with marketing. It perplexes me that people are still selling (or buying) an IT solution as ‘GDPR compliant’ in itself when how it is used to store, process or protect personal data will ultimately determine that to be the case. I also continue to be a bit unnerved at the amount of people who say things like “Since GDPR came in, we now have to do all this data protection stuff.” They are seemingly unaware that data protection laws existed before GDPR and that many of the required practices should have already been in place at that time. Likewise in the UK, people talk about GDPR instead of our own Data Protection Act that, whilst very much based upon and aligned to GDPR to support post Brexit trading, has been in place since 2018.
There is a clear inconsistency of practice between many organisations...
There is a clear inconsistency of practice between many organisations, too. Some of this boils down to the (somewhat unnecessary, IMO) complexity and nuance of the legislation in places. The Regulation’s more bureaucratic obligations can even run the risk of stifling the conscientious, whilst the negligent and ignorant continue to carry on with poor practice regardless—until that is, they get caught out! Finally, for those who are still having issues adhering to GDPR, make sure you appoint a good ‘Data Protection Officer.’ Ideally, it should be a full-time role for an appropriately qualified professional. Appreciating that this may not be feasible for smaller organisations where someone is more likely to be doing this in addition to their main role, please make sure that they are still given decent training and the time to fulfil these far-from-trivial duties properly. Don’t just give them the ‘hat to wear’ with no training, support or empowerment. If you need to bring in external consultancy, do some homework and find a good practitioner. You can look for recommendations from an organisation you know that has not only achieved compliance but also now efficiently maintains it. There are some great consultants out there, but there are also plenty of charlatans who are not true specialists and who will just leave you with a templated, box-ticking approach in addition to a large bill for their services.
PJ Norris | Senior Systems Engineer, Tripwire
May 25, 2018. It was a date that was set in people’s minds for a long time. It’s when the General Data Protection Regulation (GDPR) came into effect. It was designed to protect identities of users and prevent organisations from sharing personally identifiable information without users’ explicit consent.
GDPR has made it easier to ensure that organisations do not harvest information for long periods of time
Two years later, securing PII data is just as important as it has always been. There are now even more headlines about breaches of information. Even so, GDPR has made it easier to ensure that organisations do not harvest information for long periods of time. If a breach does occur, the impact may therefore not be as large. A majority of data within an organisation resides in backups, archives, file servers and external media. Due to the fragmentation of data, it’s hard for organisations to keep track of where their data is. GDPR has been an opportunity for organisations to step up their security controls in this regard. Under GDPR, organizations are required to adopt encryption, restrict access to data through access controls, automate data retention tools and adopt security solutions to protect against data loss and ransomware attacks. In the next two years, more companies will have a better understanding of where their data resides, how they can secure their data and how to restrict data access to only those who need to know.
Zoë Rose | Cybersecurity Specialist
The approach of making directors personally liable for a security incident did a great job of bringing a new focus to privacy discussions. GDPR brought these discussions front and center by making companies worried about financial loss and reassuring consumers that they could potentially take action when their data was misused. That global awareness did wonders to highlight the value of data and empower citizens to realise their right to say no—even in those places where GDPR wasn’t a new mandate but instead built off of existing standards. That being said, no regulation is a complete solution. There are loopholes. There are limitations. GDPR doesn't fix everything. It simply starts the discussion. I have noticed a trend lately on 'doing enough' to get by. However, it goes to the debate of aligning with the letter of the law vs. the spirit of it. GDPR's spirit is security and privacy by design. From its very conception, the idea is to prioritize the consumer.
...continuous improvement is where all organisations should try to be
Whereas, there is the unfortunate truth that some organisations have marked failure down to “We’re working towards compliance, and here's all we've done to improve” or “We’ve checked that box off, so it's good enough.” I do agree that continuous improvement is where all organisations should try to be. Simply saying “We're working on it” is not the same as going to the root of the problem. For those of you still struggling to comply with GDPR, I would advise that you consider how you would feel if the organisation was breached, if it lost all its data, and if you and your family members were victims of the breach. In that case, could you really say that you had done enough to ensure the organization’s security? If not, then fix it. Take a proactive approach to layering on prevention, detection and response controls. Also, have a diverse team to make a solution that truly works.
Paul Edon | Senior Director Technical Sales and Services (EMEA), Tripwire
As a result of GDPR, the public has a much better understanding of what their rights are and how they can go about protecting their own data. They’ve realized they are actually responsible for their own data and that they can take action that will help them feel more comfortable. That being said, the process of enforcing GDPR has been slow and not without its challenges. The initial response of the Information Commissioner's Office (ICO) and other authorities across Europe was a light touch, for example, so probably for the first six to eight months, it was trying to educate when they found organizations were either non-compliant or had a breach. That approach didn't help give the GDPR the teeth it needed to produce meaningful change. Fast forward to today, and there is still a massive gap in the knowledge of general workers about the Regulation. You have a small team in each company that knows all about the GDPR, but unfortunately, they’re not the people that handle the data. The people that handle the data on a daily basis have very little or no training. What we need is much more interactive training, and it shouldn’t be once a year. Tt should be ongoing consistent training. Additionally, we need to work on making the enforcement of GDPR more consistent everywhere. The only way to do that is to have closer cooperation between supervisory authorities. The fact that a case takes place in France, for example, doesn’t mean other authorities can’t have an input. By having four or five different state authorities having some kind of communication across these cases, you will find that the fines would start to level out. (Comments courtesy of Infosecurity Magazine.)
Leron Zinatullin | Information Security Specialist
...a lot of companies had to think about data protection for the first time.
Customers are becoming increasingly aware of their rights when it comes to data privacy, and they expect companies to safeguard the data they entrust to them. With the introduction of GDPR, a lot of companies had to think about data protection for the first time. Smaller companies that are just starting up have an advantage on their side: they are new. This means they don’t have to go and retrospectively purge legacy systems of data they have been collecting over the years, potentially breaking the business logic in the interdependent systems. Instead, they start with a clean slate and have an opportunity to build privacy in their product and core business processes from the very beginning. I also see the focus shifting from regulatory-driven privacy compliance to a broader data strategy. Companies are increasingly interested in understanding how they can use data as an asset rather than a liability. They are looking for ways to effectively manage marketing consents and opt outs, and they’re looking at giving power and control back to the customer by creating preference centres, for example. Privacy is more about the philosophy of handling personal data rather than specific technology tricks. This mindset in itself can lead to innovation rather than stifle it. How can you solve a customer’s problem by collecting the minimum amount of personal data necessary? Can it be anonymised?
Now It’s Your Turn!
Disagree with the opinions included above? Feel there’s a little-known drawback of GDPR that organizations need to keep in mind? Or know of an oft-forgotten achievement in GDPR’s implementation that’s worth celebrating? If so, please share your thoughts with us on Twitter.