As GDPR approaches its third anniversary, it’s important to look at the uncertainty Covid-19 has caused and how it has forced businesses to adapt their data rules.

Experts' Comments

May 25, 2021
John Smith
EMEA CTO
Veracode

Since GDPR was introduced three years ago, we’ve seen a number of technology advancements impact the security landscape. More recently, the rapid adoption of these innovations in combination with accelerated cloud adoption brought on by the pandemic has brought to light a new challenge - data residency - as applications in the cloud have typically been hosted outside the EU. By providing cloud-native software security testing with EU data residency, we enable EU customers to address regulatory and organisational requirements while continuing to deliver secure software quickly and easily.

 

On this anniversary of GDPR, it is important to recognise the impact of the changing landscape on developers who must continue to innovate and create applications. To ensure data is protected, collaboration between security experts, developers and security champions is integral to the success of any application security programme. GDPR fines have the potential to increase as the number of ways to violate the data protection rules multiply, so employing secure coding best practices from the outset is paramount.

May 26, 2021
Adrien Gendre
Chief Product Officer and Co-Founder
Vade

The third anniversary of the GDPR is an opportunity for companies to reflect on cybersecurity and how they are ensuring the safety of customers’ or clients’ data. 

 

It’s worth remembering that emails are hackers’ preferred method of attack, meaning that organisations need to make sure they are protected against phishing and other email-related threats. 

 

The GDPR changed the world forever, setting out two standards that companies must now adhere to. The first is ‘Privacy By Design’, which means any new process must be designed through the lens of cybersecurity, and ‘Privacy by Default’, which states that any stored data must protect personal data. 

 

On the third anniversary of the revolutionary GDPR, companies should remember the need to safeguard data. The first step in doing this is to teach staff to recognise dangerous emails. Education should also be combined with the very best email security systems. No company can afford to fall foul of the GDPR, both in financial and reputational terms. Organisations have a moral duty to keep data safe, as well as a legal obligation. 

May 25, 2021
David Sygula
Senior Cybersecurity Analyst
CybelAngel

What initially seemed to be a real labyrinth, straight out of Brussels bureaucracy, had a major impact on people's life and privacy.  

 

Europe positioned itself as a true pioneer to protect individuals, now followed by many states and countries around the world, take California and New York as an example. Three years after, there's still improvement to be made to the overall framework, but it's now down to the countries to strengthen enforcement of the regulations.  

 

From a business standpoint, it was a stress test (possibly of the same magnitude as what the banks had to go through during the financial crisis). But when that stress test is passed, they become bulletproof for global markets, and for the US specifically, where massive class actions lead to reputation harm and humongous financial losses. Sometimes even greater than the 4% turnover fines that are part of GDPR sanctions.  

 

Protecting data of both individuals and corporations is paramount, making sure they stay safe, before sensitive information falls into the wrong hands and impacts our daily lives. We must not forget, cybersecurity has significant real world consequences. 

May 25, 2021
Ramsés Gallego
Security, Risk & Governance International Director
Micro Focus

On the third anniversary of the implementation of the GDPR, we can confidently say that the regulation is here to stay. Ultimately, data belongs to people and any technique that reinforces that approach - including encryption, tokenisation, data scrambling, data hiding, anonymization, among others - represents a fundamental step to protect small quantities of data that, when aggregated, becomes information.


 
In this cloud epoch, where data moves between cloud environments, effective data protection regulation is critical. Understanding where data lives, in all its forms and platforms, provides unparalleled control and visibility when it comes to managing both structured and unstructured data sets. This was the aspiration of the GDPR when it was created. Now, more than ever, technology and legislation represent the opportunity to achieve an overarching governance umbrella for how information is discovered, identified, classified and protected. That's the ultimate goal.


 
While it’s down to the European Data Protection Board (EDPB) to ensure that the law is being interpreted in the correct manner and provide essential guidance, businesses also have a key role to play in upholding the regulation. Keeping data safe, however, has never been more challenging than over the last year. The mass move to remote working caused by the pandemic meant that businesses had to shift to digital-first approaches virtually overnight. The resulting distributed infrastructure has created new attack vectors for cybercriminals – and, in turn, a greater potential for damaging data breaches.
 

Within this new reality, becoming cyber resilient is a business necessity. Organisations should make extensive plans to effectively prepare for, respond to and recover from cyber threats. Amid a constantly evolving threat landscape, made even more complex by the global pandemic, protecting against data breaches requires building a road map to cyber resiliency. This way, organisations can ensure they are in the best position to safeguard sensitive information and continue to comply with data privacy regulation such as the GDPR.

 

May 25, 2021
Matt Lock
Technical Director
Varonis

The GDPR changed the way that companies collect and manage personal data forever. After a relatively slow start, it’s starting to bite hard.

 

In the past year, the number of fines has increased by more than one-third, amounting to a total of €158.5 million ($191.5 million). Google faced the biggest fine in GDPR history and was stung for €50 million ($56.6 million) following an appeal hearing in March 2020.

 

Enforcement of the GDPR took a while to ramp up, with data protection bodies like Britain’s ICO putting investigations on hold during the pandemic. But we’re now seeing increased enforcement action, which should remind organisations of their duties to keep data safe.

 

The past year has been something of a Wild West for data protection. When staff were sent home to work armed with a laptop and various collaboration tools, data security was often treated as secondary to convenience. This is an unsustainable situation and can lead to dangerous overexposure. Organisations must remember that there are consequences to making mistakes with data.

 

Expensive slip-ups are very easy to make, particularly in an era where sensitive data is stored in the cloud and accessible via vast numbers of endpoints in insecure settings.

 

The birthday of the GDPR will not be a happy occasion for organisations that fail to treat data carefully.

May 25, 2021
Chris Strand
Chief Compliance Officer
IntSights

GDPR has set the bar in terms of defining PII and providing the essential baseline for characterising information privacy and what the laws surrounding it should look like. When the GDPR came into force during the course of 2018, it was difficult to tell how severe of an impact the standard would have on businesses. However, with larger fines being handed out to those who are failing to comply with GDPR laws, it has proven itself to be a serious and substantial regulation.  

 

As soon as GDPR came into effect, and later when we saw those first fines being issued against organisations that had handled private consumer data incorrectly, there was a substantial shift in the perception of the importance of data privacy and protection. A number of jurisdictions took GDPR as an example to follow. It caused them to look not only at how to improve how they were protecting data, but also how they were going to redefine data protection. For example, around the same time as GDPR became official, many countries such as Canada and Australia made adjustments and created new sections to their privacy acts that had similar elements that were found within the GDPR.  

 

The past year has seen a tremendous growth of new data types introduced into the marketplace, such as the dramatic increase in personal health related data that has flooded the landscape. The risk of that data being used erroneously, exposed, or exploited, could trigger further refinement of the enforcement mechanisms used to measure and enforce penalties for violations of data use under the GDPR. While the ICO previously stated that they won’t be enforcing fines on those who are under financial strain due to the pandemic, the past year has certainly brought organisations that are non-compliant into the limelight, which is something the GDPR aimed to do at its inception in order for companies across Europe to take data privacy more seriously.

May 25, 2021
Stephen Bradford
SVP EMEA
SailPoint

When GDPR came into effect in 2018, it felt like a force for real change. The law compelled companies to pay closer attention and commit more strongly to protecting the privacy of their various stakeholders, including customers, employees and partners. Three years on, ensuring data privacy is fully accounted for in an organisation's overall cybersecurity strategy should be considered table-stakes.  

 

One way to do this is by ensuring a holistic security practice that considers all overlaps in the various regulations we're all required to comply with today. To achieve the full visibility needed to be compliant with GDPR and other privacy regulation laws, organisations should focus on a few key identity security priorities, including locating personally identifiable information (PII), understanding who has access to it, and implementing and maintaining proper access controls for that data. Only then do you stand a chance at protecting your customers’ and your employees' data, and dodge becoming another news headline and a tally on the GDPR fine count.

May 25, 2021
Rayna Stamboliyska
Vice President of Governance and Public Affairs
YesWeHack

GDPR can broadly be defined as a success. It has provided unified guidelines for data processing, which means there is now one consistent set of rules that are easy to follow. In addition, the legislation has a core set of principles that all pertain to the rights and freedoms of individuals. Over time we have seen that EU residents are now more empowered and aware of the rights and protections afforded to them and are using this insight to understand and challenge how corporations are using their data.

 

One of the greatest challenges to further empowering the implementation of GDPR’s key principles is sufficient funding for the 27 existing data protection authorities (DPAs). These work to promote and protect the fundamental rights and freedoms GDPR aims to guarantee, through tracking and investigating breaches and other violations. The EU has taken action to improve on this issue, stating that it will help clarify procedural steps through the European Data Protection Board and ensure that each Member State provides their respective DPAs with the resources needed. We commend that commitment as it signals the EU’s continued support for the protection of the fundamental right to privacy.

 

Moreover, countries all over Asia and other parts of the world have been inspired by GDPR to adopt similar frameworks. The core set of principles ingrained in the GDPR inspires others to promote better and clearer frameworks protecting individual rights and freedoms. The UK itself preserves GDPR’s key principles, rights and obligations, now that it is in the process of completing Brexit, within a distinct ‘UK GDPR’. This again demonstrates that even those who are not part of the EU understand the promise it provides when it comes to data protection at large.

May 25, 2021
Adam Brady
Director, Systems Engineering, EMEA
Illumio

While initially slow-going in terms of clear impact, I think that understanding around GDPR, its implications, scope, and potential fines is mature enough now that it's a consideration unlikely to be missed by organisations or the public. One clear area in which I think GDPR has been successful is at least some understanding by individuals that data about them is valuable - and needs to be protected. Pre-GDPR I think that this key aspect of life on the web was poorly understood on the whole. It took some time for real GDPR fines to start being applied at levels that meant something. By 2020 and into this year, we've seen significant fines in the $20 million+ range for breaches and mishandling of data. The potential for fines around data leakage has led US-based organisations specifically to be far more careful around the services they offer to EU citizens. While still not comparable to the actual ransomware payments demanded in a lot of cases, the spectre of a €50 million fine against Google is not to be trifled with.

 

That the appointment of a Data Protection Officer is demanded if a business handles personal data is, I feel, a really important marker. Responsible for both internal education around data use, what constitutes personal data, and monitoring thereafter, the DPO is, I think, a very visible reminder of the real importance of data protection. It's not easy to ignore GDPR when a business works to identify and specify a person or people with oversight. I think consumers and businesses are becoming more aware of the data protection issue. Certainly, consumers understand what GDPR is to an extent, and I believe that the weighing up of data access for the use of "free" social media services is something that is increasingly given thought. Businesses are mandated to appoint a Data Protection Officer if they handle personal data, so there's a forcing of the hand there. As we've seen an increase in fine size and consistency of application since the introduction of GDPR, my belief is that the regulation is maturing well.

 

I feel that the next steps are that we will see more understanding of the "spirit" of the regulation, and hopefully some nuance in the application of the guidance and subsequent restrictions in service. That some firms outside of the EU prevent EU citizens accessing their services due to GDPR implications is, I think, a shame, and as the understanding and application of the GDPR matures I think we'll see some more comfort around it.

May 21, 2021
Oliver Cronk
Chief IT Architect, EMEA
Tanium

GDPR has now been in place for three years, but the ICO relaxed its enforcement of the law last year, meaning investigations and fines were temporarily reduced until organisations could recover from Covid-19. Since the announcement was made, it’s highly possible that GDPR compliance has become less of a focus for some organisations. When you combine this with the fact that many organisations have had their attention drawn to other priorities during the pandemic, I believe some oversights could happen which will incur large GDPR fines over the next year or two.

 

It’s possible to minimise this risk. As Covid-19 restrictions continue to ease in many parts of the world, now is an opportune time for organisations to assess how they are operating to ensure any new processes or ways of working are fully GDPR compliant. To correctly follow the guidelines, enterprises should work with their Data Protection Officers to provide support for the whole organisation, particularly when new operating models and processes have had to be introduced overnight in many cases.

 

Examples of these changes are sectors such as hospitality, which are now collecting more personal information from customers than ever due to new pandemic-related processes, and it’s easy to fall into the trap of not clearly declaring what the data is being used for, how it’s being processed and how long it will be kept. Organisations need to make sure compliance for post-pandemic processes isn’t overlooked or they may be in for nasty surprises such as fines in the future.
