GDPR at two: How far we’ve come, how far we still have to go
Marking two years of the General Data Protection Regulation, industry voices weigh in on the state of data protection and privacy, consider what has changed, and what still needs to change
This week marks the second “birthday” of the European Union’s (EU’s) landmark General Data Protection Regulation (GDPR), an all-encompassing set of rules governing privacy and data protection around the EU – including the UK, via its adoption in the Data Protection Act of 2018.
As we blow out the metaphorical candles, Glenn Mallon, senior director of financial services and insurance at Dell Technologies, says it is only right that we recognise the achievements made in the past two years.
“The introduction of these landmark data protection changes has certainly illuminated, to both businesses and consumers, the considerable value of data,” he says. “But it has also highlighted the unequivocal need for trust between customers and the companies that collect, use and, most importantly, protect that data.”
Claroty chief product officer Grant Geyer also looks on GDPR as a winner. “The EU’s global enforcement of blatant and wilful violations of the rights of European citizens to have their personal data safeguarded has raised its prominence to the gold standard of data protection regulations worldwide,” he says.
“In today’s global economy, GDPR has swiftly created a replicable regulatory blueprint that represents a win for citizens to maintain ownership over their personal data. That is a sacred right in a digital economy where, for many years, personal data has been abused and monetised without awareness, consent or recourse.”
Paul Farrington, EMEA CTO at Veracode, also points to some positives. “In the area of cyber security, the UK’s Information Commissioner’s Office [ICO], which enforces the regulation, has been willing to show its teeth with very large fines for BA and Marriott,” he notes.
“According to the ICO’s latest figures, the retail and manufacturing and education sectors are most frequently reporting data breaches to the regulator. So GDPR is providing a very real disincentive to shipping insecure software, which has to be a good thing.”
Cillian Kieran, CEO at Ethyca, a specialist in online privacy, says it is all too easy to focus on the ways in which GDPR has not “lived up to the visions of the most ardent privacy advocates”.
However, says Kieran, if you do this, you risk missing the forest for the trees. “GDPR is still the world’s gold privacy standard – it’s had a profound effect on the business community and has inspired a wave of impactful copycat legislation all over the world,” he says.
“Two years for such disruptive regulation is really too early to gauge lasting impact, but it’s clear that the world has watched GDPR and will continue to observe as enforcement begins.”
The advent of California’s similar CCPA legislation is a good case in point. CCPA is less stringent than GDPR in some respects, more stringent in others – particularly with regard to online data privacy – but its adoption shows a very clear direction of travel for many jurisdictions.
What can we do better?
But this is not to say GDPR has solved every problem. Veracode’s Farrington points out that, like most laws and regulations, which are developed through a process of negotiation and compromise, GDPR is far from perfect.
“One the one hand, the rights of the individual were significantly upgraded in relation to data privacy,” he says. “But it’s also the case that organisations are dealing with more bureaucracy in complying with the legislation.” This inevitably layers additional financial costs on organisations, he adds.
Dell Technologies’ Mallon says the second anniversary of GDPR is a great opportunity to reflect on what can be done better. He believes the “good enough” mentality that has taken hold within the market is no longer good enough, and we need to change how people view GDPR, from an annoying compliance tick-box, to a framework against which organisations feel they can strive for better, rather than just clearing the bar.
If you can impose agility on top of that, he says, you can create not just a more robust data protection policy, but also improve trust levels between organisations and their customers – a win-win for all.
“As we face ever-evolving, increasingly sophisticated, persistent threats to our data security, it is more critical than ever that we start to address the gaps in our GDPR performance,” says Mallon. “Cyber criminals are now after companies’ data backups – the data crown jewels to any business.
“GDPR compliance should be seen as an opportunity, rather than an expense”
Max Locatelli, Infoblox
“Unauthorised access to those can leave organisations devastated, customer relationship deteriorated, and fines imminent. So, while we celebrate GDPR’s second anniversary, now is not the time to take our foot off the gas.”
Max Locatelli, regional director of Western Europe at Infoblox, agrees there is no magic-wand solution to guarantee GDPR compliance, and there never will be. “The overused phrase of ‘people, process and technology’ has become a cliché for a reason,” he says.
“GDPR compliance should be seen as an opportunity, rather than an expense – an opportunity to improve the small things you’d been putting off, an opportunity to adhere to best practice, and an opportunity to save your company millions.
“Yet, two years on, it seems many still haven’t learnt their lesson, with new breaches making regular headlines.”
Dave Stapleton, an ex-US government cyber security analyst who is now CISO of CyberGRX, a supplier of risk management services, says the volume of privacy laws springing up as a result of GDPR is also throwing up challenges.
“It may be wishful thinking, but I sure would have loved it if some of these jurisdictional areas could have come together to agree on some set of standards, even if only for the terminology used in individual legislation,” he says.
For year three, the Covid-19 challenge looms large
When considering the future of GDPR, it is impossible to avoid the impact of the Covid-19 coronavirus pandemic, which in the space of barely two months has done more to alter the business world than a decade of so-called digital transformation.
In terms of cyber security and data protection, the Covid-19 effect has been particularly acute, not just in terms of cyber criminals exploiting widespread fear to evil ends, but also in terms of securing legions of remote workers, and the widespread data privacy concerns around contact-tracing apps. The risk of a breach that runs afoul of GDPR has probably never been higher.
Matt Lock, UK technical director at data security firm Varonis, says that in these unprecedented times, we may be in danger of losing sight of the core messaging around GDPR, particularly as the ICO steps back from strict enforcement, sending the message that regulators “have pressed pause” for now.
“The public needs to know safeguards will remain firmly in place and that companies that stray from GDPR requirements will be held accountable,” says Lock. “Especially at this time, when personal data is being shared and processed in efforts to manage the pandemic. It may be tempting to bend the rules now, but industry and regulators can’t turn the clock back.”
Brian McCann, Neustar president of security solutions, says: “The second anniversary of GDPR falls amidst a challenging time for cyber security. The global shift to a work-from-home model has upended corporate IT operations and dramatically changed patterns of connection to enterprise networks, leaving many organisations even more vulnerable to data breaches.”
McCann believes that in order to protect consumer and employee data and avoid GDPR fines, now is the time for organisations to adopt a holistic and multi-layered defence approach to security, taking particular account of services that can offer threat intelligence, “seamless” protection and, crucially, automation.
Read more about GDPR
On the GDPR’s second birthday, Tim Hickman, a data protection lawyer and partner at White & Case LLP, discusses the regulation’s teething troubles and assesses how best to maintain optimum compliance.
Nobody seems to have a good handle on business GDPR compliance, how many businesses are compliant, or indeed what compliance really is, but according to security experts, it very much depends on who you talk to.
“To take the pressure off IT teams, business leaders should consider a managed service option that is always on and provides 24-hour vigilance,” he says. “Only then can organisations safely embrace the shift to digital-first without fear of losing critical information or tarnishing their brand.”
Andy Teichholz, senior director of industry marketing at OpenText, agrees that the Covid-19 crisis is no reason to let up on GDPR compliance.
“Companies must continue to take the regulation into serious consideration when building a resilient IT infrastructure,” he says. “They need to update corporate policies, adapt working practices and ensure the security of the processing of personal data against accidental or unlawful destruction, loss, alteration or disclosure.”
Despite the fact that many office workers are working remotely for now, Teichholz does not reckon this will become normal practice after the pandemic subsides, although he does concede that the flexibility associated with remote working is coming to be viewed so positively that many will be reluctant to relinquish it wholesale.
However, he says, because home offices have in many cases been set up quickly and without any real thought or planning, this will make GDPR compliance after Covid-19 even harder than it already is.
“Employees may be using their own private devices, such as smartphones and laptops, without them being adequately protected or having disregarded and circumvented their employer’s security requirements or rules regarding content management and file transfer,” says Teichholz. “If incidents such as hacker attacks and data theft subsequently occur due to a lack of effective IT security, this can have very severe consequences for companies.
“If the home office becomes a permanent institution, organisations must ensure that all personal data is lawfully processed and protected. Companies must adapt to these new circumstances to ensure a level of security taking into account the new risks presented by data-processing activities so that they can, despite the crisis, face the third year of GDPR compliance with composure.”
Fit for purpose?
At this stage of GDPR’s life, it is too early to say whether it has lived up to, or is fit for, its purpose, something pointed out by CyberGRX’s Stapleton, who argues that pushing concepts such as privacy-by-design is not something that can be culturally embedded so quickly.
“I believe we will see that organisations take privacy more seriously and that there will be improvements for the protections of personal data,” he says. “But I also suspect that the tangled web of privacy rules will slow down the potential pace of privacy improvement.
“Also, we will see that some companies that rely on the open sharing of personal data will continue to increase the ‘free’ offerings they provide to individuals in order to entice them to forgo the privacy of their personal information.”
Nevertheless, says Stapleton, in the space of just 24 months, GDPR has achieved widespread recognition, and the way individuals and organisations think about data privacy is beginning to change. The long game looks promising.
