Joseph Carson, Chief Security Scientist & Advisory CISO at Thycotic:
The EU GDPR has been positive for the Information Security industry as it has forced many companies to re-evaluate their cybersecurity posture and better understand the type of personal information they have been collecting on EU citizens.
It means that companies who are regulated by the GDPR have improved their cybersecurity capabilities – incident response has been one of the areas which companies have significantly improved. We have also recently seen the first fines under the GDPR given to several companies, mostly related to consent or data minimisation, though many of the major data breaches are still under investigation and we will likely see the fines increase throughout 2019 and beyond.
The GDPR is only the first step in helping regain control of personal information and the EU needs to continue improving. GDPR has been the founding regulation that other governments around the world are using as the standard for their own versions. For example, the California Data Privacy Protection Act, while not as strict, is setting the new direction for protecting personal information and many others are following.
Mark Trinidad, Senior Technical Evangelist at Varonis:
Over the past year, one of the biggest adjustments organisations have had to make for the GDPR is giving greater consideration to the data in their possession. Suddenly, they had to identify and plan for at-risk and sensitive data, as well as care enough to understand where data is stored, how it is processed, and who has access to it.
While caring is the first step, data protection and security is a process, not a destination. With the GDPR, there has not been an “easy” button to push and many are still working to improve their GDPR practices. For example, companies are continuing to fall even farther behind in securing their data as the Varonis Data Risk Report found that, on average, 22% of folders are accessible to every employee. Discovering where all the sensitive at-risk data is stored and who has access to it can be eye-opening for organisations that did not care before. Therefore, implementing a comprehensive plan to mitigate risk can be an uphill battle if an organisation simply does not know where to begin.
The GDPR has acted as the first step to force global companies to change their thinking around data protection and the new California Consumer Privacy Act (CCPA) will be another when it comes into effect.
Carolyn Crandall, Chief Deception Officer at Attivo Networks:
Many organisations have been able to address Articles 32 and 25 of GDPR, but many still struggle with Article 33. Numerous organisations have difficulty identifying if an incident happened and, if it happened, they have trouble modifying their strategy to report within 72 hours. Previous directives from the EU 95/46 made no specific mention of data breaches and GDPR now sets a clear directive as to what constitutes a data breach, how the incident is to be reported and the substantial penalties for not complying. This has required businesses to reassess their technology and processes in order to understand their ability to detect, audit, and report breaches in compliance with GDPR. Closing these gaps, in many cases, requires the adoption of new technology to ensure that the attack is not only detected but also understood in a way that can explain the magnitude of the breach and the corrective actions to contain it. Whether it be access to budget, skills shortages, or otherwise, a fair amount of organisations remain hard-pressed to comply with this article if faced with a breach today.
Ian Bancroft, Vice President and General Manager EMEA at Secureworks:
“One thing that has quickly become apparent is the complexity around GDPR. Over the past 12 months we have seen more customers seeking external expertise when it comes to security controls and best practices. Businesses have realised that for the majority, GDPR requires expertise, resources and understanding beyond internal capability. However, any regulation that puts security at the forefront of the business agenda is a good thing.”
“By holding organisations responsible, the regulation is reaffirming that businesses need to know their data, manage it, and build a strategy which protects every stakeholder from investors to the end user. Ultimately, regulations like GDPR are one of the key reasons behind the shifting role of traditionally non-strategic roles in the boardroom like the CFO, CTO and CSO. With the value of data growing exponentially, those who are directly responsible and impacted by data will increasingly find themselves consulted on how to use this asset effectively, and above all else, securely.”
Colin Truran, Principal Technology Strategist at Quest:
“As more and more businesses are now looking to cover their backs and demonstrate varying degrees of compliance to their users, this new era of data privacy awareness could be more than many businesses bargained for when regulators such as the Information Commissioner’s Office (ICO) come knocking. The total fines to date are around €56 million – which you would initially think is a lot, but actually, almost all of it comes from French data watchdog CNIL’s €50m fine for Google.
“However, GDPR has not yet had that real wake-up call that many thought it would. The fines to date have been well within budget, not insignificant, but not exactly life changing either. There is also a clear discrepancy between how data authorities in countries are applying it, so despite having a common set of rules it is not a level playing field. With all that said, it is still early days where most of the breaches occurred before the GDPR was ratified into law. Therefore, this year will be the decider if GDPR is an effective solution as it was intended or just another piece of bureaucracy that fails to have the desired effect.”