irissca - stock.adobe.com
Beyond the €50m General Data protection Regulation (GDPR) fine issued by the French data protection authority CNIL to Google, there have been few headline-making fines.
Despite more than 140,000 queries and complaints and more than 89,000 data breaches reported, fines for businesses in the European Union (EU) have amounted to little more than €56m, leading some commentators to state the GDPR has no real teeth after all.
However, indications are that this will change in the year ahead. Many data privacy professionals believe the enforcement action widely expected in the first year will come in the next 12 months. The reason is simple: these things take time.
At the Privacy Laws & Business Ireland conference in Dublin on 9 May, Helen Dixon, Ireland’s data protection commissioner, said she would circulate draft decisions to her EU colleagues this summer. “There is a procedure to follow, and that takes time,” she said.
At the same event, the head of regions for the UK’s Information Commissioner’s Office (ICO), Ken Macdonald, said a large fine in the UK was just a few weeks away.
Reporting breaches of data privacy rights is just the first step. Each of these complaints has to be investigated, evaluated and the appropriate response considered. Facebook, LinkedIn, Twitter and several other organisations are all currently under investigation for potential GDPR breaches.
This all takes time, slowed even further by the fact that this brave new world of data protection rights is new for everyone. This even includes the data protection authorities in each of the EU member states and the European Data Protection Board (EDPB), which reports that in the past year, a total of 446 cross-border cases were logged in its cross-border case register, and 205 of these cases had led to One-Stop-Shop (OSS) procedures.
Despite the fact that the GDPR had been on the cards for more than four years, with the European Parliament demonstrating strong support for the GDPR in March 2014, and a regulation for just three years, the majority of organisations affected by the regulation are nowhere near full compliance.
More work to do
In the run-up to the implementation date of 25 May 2018, there was a flurry of GDPR-related activity, but indications are that this activity was undertaken mainly by larger, well-resourced organisations, and some commentators have even suggested that much of this has amounted to little more than “window dressing”.
According to Stewart Room, lead partner for the GDPR and data protection at PricewaterhouseCoopers (PwC), the focus of many GDPR-readiness programmes has been on legal compliance and the required documentation rather than on the software code and technology required to ensure data privacy rights are protected, and on the business value and potential gains of complying with the GDPR.
Research by cloud data integration firm Talend shows 74% of UK organisations are failing to respond to personal data requests within the required time period. “This one example shows that there is still a great deal of work to do on GDPR for most organisations,” said Jean-Michel Franco, senior director of data governance products at Talend.
Dob Todorov, CEO and chief cloud officer at cloud consultancy firm HeleCloud, said: “One concern for UK businesses, particularly for CIOs, lies within the translation of legal language into technical implementation.
“GDPR is largely considered more of a legal issue than a technological one, and this is where boundaries become blurred and complexities arise. In truth, a chasm exists between the legal language used and the IT implementation needed to support it.”
This lack of application is reflected by the results of a recent Twitter poll by Infosecurity Europe 2019 that attracted 6,421 responses. The majority of respondents (68%) said organisations were still not compliant, while 47% said regulators so far had been too relaxed in enforcing GDPR standards.
But, according to Room and others, enforcement action is not only about fines, but about helping organisations change their business models and processes to deliver better personal data protection, which seems to be the approach of the UK’s data protection authorities and others.
While there have not been the number of heavy fines under the GDPR that many expected, the regulation has undeniably had an impact in the first year, and some would argue that this has been both positive and negative.
On the downside, many organisations are assuming that meeting a compliance requirement is the same as being secure, said Perry Carpenter, chief evangelist and strategy officer at KnowBe4. “Of course, history teaches us that compliance and security are not the same thing,” he added.
On the upside, he said GDPR would remain a driver in the EU and beyond, as more organisations were changing the way they handle data in the face of changing regulatory requirements.
“GDPR and other compliance regulations have done a lot to promote the application of foundational information security and privacy-related practices,” he said.
Successes and changes
In general, companies that are regulated by the GDPR have improved their cyber security capabilities – incident response has been one of the areas in which companies have significantly improved, according to Joseph Carson, chief security scientist and advisory chief information security officer (CISO) at Thycotic.
Another key success of GDPR is that it has prompted organisations to think hard about what types of data they really need, said Mark Weait, head of Europe at Tata Communications. “They are now considering where the real value lies, rather than collecting data indiscriminately and then assuming the cost and liability of processing and storing it,” he added.
But in making all the required adjustments, organisations have faced challenges. One of the biggest adjustments organisations have had to make is giving greater consideration to the data in their possession, said Mark Trinidad, senior technical evangelist at Varonis.
“Suddenly, they had to identify and plan for at-risk and sensitive data, as well as care enough to understand where data is stored, how it is processed, and who has access to it,” he said.
In terms of where things stand with GDPR compliance, Trinidad and others emphasise that data protection and security is a process, not a destination, with many suggesting that GDPR compliance is unlikely to ever be a job that can be considered to be 100% complete, with ongoing compliance one of the biggest challenges posed by the regulation.
Eduardo Ustaran, co-director of the privacy and cyber security practice at Hogan Lovells, said: “One could never regard it as a job done. Having adopted a GDPR compliance programme, organisations need to keep it alive without ever losing focus of what matters most and how the law is evolving.”
Eduardo Ustaran, Hogan Lovells
With the GDPR, said Trinidad, there has not been an easy button to push and many are still working to improve their GDPR practices. For example, companies are continuing to fall even farther behind in securing their data as the Varonis Global data risk report found that, on average, 22% of folders are accessible to every employee.
“Discovering where all the sensitive, at-risk data is stored and who has access to it can be eye-opening for organisations that did not care before. Therefore, implementing a comprehensive plan to mitigate risk can be an uphill battle if an organisation simply does not know where to begin,” he said.
Another common GDPR compliance challenge that many organisations are still struggling with is identifying if an incident happened and why it happened, according to Carolyn Crandall, chief deception officer at Attivo Networks.
“They have trouble modifying their strategy to report within 72 hours. Previous directives from the EU made no specific mention of data breaches, and GDPR now sets a clear directive as to what constitutes a data breach, how the incident is to be reported and the substantial penalties for not complying,” she said.
“This has required businesses to reassess their technology and processes to understand their ability to detect, audit and report breaches in compliance with GDPR. Closing these gaps, in many cases, requires the adoption of new technology to ensure that the attack is not only detected, but understood in a way that can explain the magnitude of the breach and the corrective actions to contain it.
“Whether it be access to budget, skills shortages, or otherwise, a fair amount of organisations remain hard-pressed to comply with this requirement if faced with a breach today,” she said.
The way ahead, according to PwC’s Room, is for organisations to focus more on the GDPR as it pertains to their business purpose and in terms of how it is going to make them successful and enable business gain. But a year on from the GDPR compliance deadline, he said very few organisations were looking at data privacy from a gain perspective.
“Otherwise, the chief data architect would be involved because the whole business is going to be engaged towards gain. Instead, people are hoping for fines to deliver change, which I believe is wholly the wrong way round. What we should be looking at is how we gain from data privacy, not how we avoid loss,” said Room.
Chief data scientist at O’Reilly Media, Ben Lorica, said businesses and business leaders alike need to take security and privacy far more seriously, and companies need to adapt fast enough to regulatory changes and technology growth to combat them.
“Security and privacy are converging. According to a recent report, we are living in an era where controlling access to data is harder to achieve than ever before. This is the case for both preventing adversarial access and for ensuring data access aligns with user expectations.
“We need to acknowledge the risks associated with technology growth to prepare for them,” he said.
Chris Hodson, Tanium
While the first year of the GDPR has not seen the fines and other enforcement action that many expected, there seems to be broad agreement that there has been good, positive progress. At the very least, the GDPR has been positive for the information security industry because it has forced many companies to re-evaluate their cyber security posture and work to better understand the type of personal information they have been collecting on EU citizens.
Many agree that GDPR has also promoted the cause for effective incident response and played a major role in shifting attitudes towards a presumption of data privacy by raising awareness within organisations as to how data is collected, managed and stored, and increasing consumer consciousness regarding how personal data is used by businesses. This is underlined by the fact that the ICO alone reported a 260% increase in complaints, totalling 37,798 in the past year.
The GDPR has also been recognised as a catalyst for widespread debate on data protection and privacy, and the positive effect of this is clear from the number of countries beyond Europe that are adopting GDPR-like legislation, which is perhaps one of the most significant positive effects of the GDPR.
“GDPR has emerged as a regulatory model for the rest of the world and acted as a catalyst for other countries to introduce more robust privacy measures,” said Chris Hodson, chief information security officer, for Europe, Middle East and Africa (EMEA) at global cyber security firm Tanium.
“Norway, Iceland and Liechtenstein have adopted GDPR by proxy as EEA members, for example. Further afield, California has introduced its own Consumer Privacy Act and the EU has accepted the adequacy of Japan’s Amended Act on the Protection of Personal Information (APPI) legislation under GDPR, allowing the free flow of information between the two regions.
“Although privacy regulation is still evolving, it’s encouraging to see governments around the world building on GDPR by addressing the widespread availability and abuse of individuals’ personal information with regulations that carry severe penalties,” said Hodson.
At the very least, then, GDPR is the rising tide that lifts all boats when it comes to data privacy and data protection, which, in turn, will hopefully force organisations of every size in every corner of the world to improve their cyber security capabilities. And by all accounts, we have the first wave of serious fines under the GDPR to look forward to in the coming year, starting this summer.
Read more about GDPR
- Despite the fact that the GDPR has been in full effect for a year, the true effect of the regulation is yet to be felt and organisations should ensure they keep their eye on the ball, says leading privacy law firm.
- The first year of the EU’s GDPR has demonstrated the value of IBM’s investment in machine -learning-based automation and the importance of having the right strategy and systems in place.
- A year after the official implementation of the GDPR, it is important to highlight the positive opportunities that compliance provides and the insights breach reports are providing, say Deloitte consultants.
- Lawyer Elle Todd looks at what can be learned from the first year of the GDPR’s implementation that can help organisations deliver benefits from the regulation.