With the upcoming 1-year anniversary of GDPR, here are collected insights from 13 industry experts:
Great turnout for this morning's “GDPR one year on” event co-hosted with @HayesSolicitors Laura Fanning giving a great overview of practical applications of #GDPR and busting some myths around marketing.
— Briain Ó hEoghanáin (Brian Honan) #BLM He/Him (@BrianHonan) May 16, 2019
Experts’ Comments:
Colin Bastable, CEO at Lucy Security:
“From a channel perspective, GDPR has created a whole new class of consultancy, with a significant stream of revenue, not just in the USA but globally. This is because the legislation has real teeth, is sufficiently vague to allow for multiple interpretations and applies to anyone doing business with the EU. Most US organizations now know that GDPR exists and ask for advice and training, so GDPR is now a common term, like PCI and HIPAA.
Has it changed how companies do business in the U.S., and how has it affected consumers? From the rampant abuse of consumer data privacy and the ongoing tsunami of phishing-led data theft in the USA, one would conclude “not a lot.”
GDPR is seen as an EU thing here in the USA. Legislatively, the USA works very differently from the EU. In the EU, the unelected Commission “proposes” regulations which are handed down to the subject countries (like Moses receiving the tablets) after “debate”. Most privacy regulation in the USA is driven from the States, as it is easier to get legislation passed at State level, and eventually laws percolate upwards to DC. The ineptitude of Facebook, Google, Equifax and others, combined with the current 2020 election cycle, where politicians see an opportunity to raise funds or create platforms, has had more impact on the drive for consumer protection than GDPR.
Data leaks still happen, databases are unencrypted, passwords unchanged, so GDPR is an incremental development with little immediate impact on the actual problem of cyber insecurity. Some businesses, however, are starting to seriously audit their data and reduce their exposure. Most businesses still assume that someone else will be hit, and that hackers don’t know or care about them. We know how that ends.”
Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi:
“For security professionals, on a day-to-day basis, GDPR brought few changes. Large organizations were already engaged in many GDPR requirements, and most of the changes have been procedural for smaller organizations. The biggest impact of GDPR has been not in European capitals, but in Washington, Palo Alto, Sydney and beyond. Privacy is now a popular topic with both politicians and technology CEOs, and this is a credit to the rise of GDPR.
Organizations are seeing demands for greater privacy, which means the use of machine identities – like TLS digital certificates – is on the rise. Machine identities create encrypted and private communication, but the increase has stressed some organizations, leading to unplanned outages. There will be longer-term challenges as well. Cloud, AI and DevOps usage is exploding, which means we’re seeing more applications and data collected in places that are decentralized and easier to hide. We must make sure user data is not forgotten.
As expected, enforcement has started slowly and without any debilitating fines. But, this can change, especially for non-European businesses. GDPR is creating debate and political action well beyond European Union states. This trend shows no sign of changing for the next few years.”
Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG:
“What is the impact of GDPR on the U.S. one year after it came into force? One way to answer this question is to look at the type of company or organization that has or maintains personal info. The US Healthcare industry was less impacted by the GDPR because most of the patients in their care are based in the US. Other organizations with an international presence, especially in Europe, were most likely already doing something about data privacy, since there had been existing regulations in Europe for some time.
GDPR ‘raised the bar’ of consciousness for data privacy with many US companies, as it required them to take a closer look at their data, how they are using it and where it is. With the threat of such large fines for non-compliance and the example of Google paying a fine of over $56 million, companies in the US are starting to realize that managing personal data from customers requires a deeper effort than before. Customers were initially affected when they accessed websites, as a pop-up window describing the privacy policy is something that almost all websites show customers initially.
GDPR put privacy controls in the hands of the consumer, rather than in the hands of a business or government. As a result, GDPR has become the blueprint for many other privacy laws coming out in the US, which took those principles and built laws around protecting consumer privacy in their state. The California Consumer Privacy Act (CCPA) is a prime example. There is even talk now of the possibility of a Federal Data Privacy Law in the works.
It has forced the legal and security departments within companies to work more closely together. If you take a look at many companies in the US, five years ago, many companies didn’t even have a CISO. And then when the CISO role became prominent, the main factor was what level of acceptable risk is the company – the Board of Directors – willing to accept. Now, with the introduction of the GDPR, the question includes a legal aspect.”
Tom Garrubba, Senior Director and CISO at The Santa Fe Group:
“GDPR is not much on the minds of risk leaders today. The common theme is this: if you’re a mature organization then you’ve most likely taken the time and built privacy “by design” into your risk structure; that is, you’ve found the right people, developed appropriate privacy processes, procedures, linkages, and you’re able to track all points of your customer data internally and externally. Conversely, this causes headaches for many of these companies as they are now afraid of sharing any customer data externally and even internally.
However, there are some organizations who either have done nothing, done very little, or are still taking their time to be in compliance with GDPR. The primary reason for this: these organizations have yet to see any fines associated with a privacy breach (in other words, where’s the proverbial ‘stick’?). Until they see actual fines being levied upon “like” organizations, they’re not going to spend the time and effort to comply with GDPR.”
Dov Goldman, Director of Risk & Compliance at Panorays:
“Besides the complaints filed against the obvious suspects like Google, Facebook and Instagram, we’ve definitely seen a number of changes to how companies ensure data privacy. These changes include consents for pop-ups, updated privacy policies and more tools enabling user control. That being said, these changes have primarily been limited surface treatment, and much less of the extensive “privacy by design” envisioned by the regulators.
Many companies have gone through the first phase of assessing their GDPR compliance; they’ve undergone a gap assessment. Where needed, some have performed a DPIA or “Data Protection Impact Assessment,” a more detailed review of the technical and organizational capabilities to ensure privacy for customers or employees. These efforts have led firms to update privacy policies and implement tools to enable user control over their personal data.
Few companies, however, have dealt effectively with some of the thorniest issues, including the accountability demanded by the regulation (articles 28 and 30) with regard to third-party data processors.
My predictions for “Year 2 of GDPR” are: one, the number of staff at Data Protection Commissions in EU member states has grown significantly, so we can expect greater enforcement as a result. Two, growing consumer awareness will mean that the market will begin to demand privacy by design, and people will ultimately shift their business to companies that respect their privacy. High-profile enforcement and big fines against large, well-heeled tech companies may be exciting news, but an educated and demanding consumer may ultimately prove to be the most significant impact of GDPR.
As Data Protection Officers dig in, they will become more aware of the risk their third-party data processors expose them to. In a world where outsourcing is growing by leaps and bounds, third-party data processors may very well represent the lion’s share of any company’s privacy risk. For this reason, managing third-party security will become even more of a priority for businesses.”
Mike Jordan, Senior Director at The Shared Assessments Program:
“GDPR was a wake-up call far beyond Europe as companies in the US needed to consider a lot of questions they hadn’t before. When I was at a US-based global manufacturing firm, first it seemed like no big deal since we had few European business units. But once we started poking around, we realized it needed very thoughtful consideration. Discussions quickly developed beyond just talk of compliance. Enterprise strategy had to be refined around Privacy, shifting consumer perceptions, and even considerations about doing business in Europe at all. Those impactful discussions came from a regulation that otherwise affected our company relatively little.
This same regulation also set a de facto standard for Privacy well beyond its scope. By making the decision to comply with GDPR, organizations made the decision to model their programs around the strictest Privacy requirements around, and this certainly moved the needle in improving Privacy practices.
Given the massive impact of GDPR, members of our third party risk management association use a toolkit to help them manage the GDPR requirements of their third parties. The free toolkit helped many organizations get compliant, and also helped them hone their processes for managing Privacy risk in general. Because GDPR is the most stringent set of Privacy requirements, the GDPR Privacy Tools became suitable for far more than just GDPR-related work. Nearly any third party privacy due diligence requirements can be addressed using the tools, including assessing Private Health Information and Consumer Privacy controls. We are working on expanding requirement checklists into other areas like the California Consumer Privacy Act (CCPA) as well, which owes much of its existence to GDPR’s impact.”
Willy Leichter, VP at Virsec:
“In many ways, the leadup to the GDPR going live last year felt like Y2K – a global scramble to get ready, causing lots of uncertainty. But when the ball dropped, it seemed like nothing happened, and little enforcement has been apparent. But given the slow, deliberate pace of EU bureaucracy, after the first year, we’re probably just getting started. Enforcement actions by European data privacy authorities prior to the GDPR averaged over 330 days, so it seems likely that some big wake-up-call penalties are on their way.
The other tangible effect of the GDPR has been on prompting other countries and states to consider enacting similar regulations. California (which enacted the first breach notification law more than 15 years ago) has already passed a consumer data privacy act modeled after the GDPR, and other states and the US government are likely to follow to varying degrees.”
Pankaj Parekh, Chief Product and Strategy Officer at SecurityFirst:
“In the last 12 months, almost every enterprise customer we visited was motivated by a GDPR compliance discussion. While it seems that big enterprises have put some GDPR compliance practices in place and are protecting part of their data, midsize companies are now asking similar questions. Also, the big companies who have initially deployed some security solutions for GDPR compliance are asking questions about continuous data protection and security that follows the protected data.
Most companies have made progress as far as check-box consent (as long as they are not pre-checked boxes), but the areas they are struggling with the most are the requirements for the “processing of personal data” and the “security of processing”. They must understand how personal data is processed and implement the security measures to make sure data is secure and monitored at all times. And they must handle their customers’ wishes: only process data as authorized by the user, with access based upon processing role or function, only for the purpose the data was collected and only for the time needed per function or upon the user’s delete/forget request. While GDPR is seen as a privacy law, you truly cannot have privacy without data security.
Compliance and enforcement of GDPR are just getting started. Companies haven’t yet understood the full extent of GDPR. Also, implementation of the “right to forget” has not yet been thought through thoroughly in the enterprise.
GDPR has a great influence on almost every privacy law. Some are more strict in their reach and enforcement than others, like CCPA. As GDPR enforcement starts to trickle down to small to mid-size businesses, the automation and scale requirements will change as well along the way. Not only has GDPR had an impact on privacy laws, but it is also starting to impact other parallel standards body organizations, for example through draft proposals for protecting data integrity and privacy through the supply chain.”
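The controls Parekh lists (process only as the user authorised, access tied to a processing role, use only for the purpose collected, keep only for the time each function needs, and honour a delete/forget request) can be enforced in code rather than left to policy documents. The Python below is an added example written for this page, not code from SecurityFirst or from the article; the role-to-purpose table, the retention periods, the legal-hold rule for invoices and the subject records are all constructed assumptions. It also logs every grant and denial so that processing can be monitored, which is the “secure and monitored at all times” part of the passage.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy tables (assumptions for this example, not from the article).
ROLE_PURPOSES = {            # purposes each processing role may access data for
    "billing":   {"invoicing"},
    "marketing": {"newsletter"},
}
RETENTION = {                # how long each purpose needs the data, from collection
    "invoicing":  timedelta(days=365 * 7),
    "newsletter": timedelta(days=365),
}
LEGAL_HOLD = {"invoicing"}   # assumed separate legal duty to keep invoices despite erasure


class AccessDenied(Exception):
    """A processing request failed a role, consent or retention check."""


@dataclass
class Record:
    subject_id: str
    purpose: str
    fields: dict
    collected_at: datetime
    consented: bool
    erased: bool = False


@dataclass
class PersonalDataStore:
    records: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # every decision, so processing is monitored

    def collect(self, subject_id, purpose, fields, consented, now):
        if purpose not in RETENTION:   # refuse data for a purpose with no retention period
            raise ValueError(f"unknown purpose {purpose!r}: no retention period defined")
        self.records.append(Record(subject_id, purpose, dict(fields), now, consented))

    def access(self, role, subject_id, purpose, now):
        """Return the fields `role` may process for `purpose`, or raise AccessDenied."""
        self.expire(now)  # never serve data that has outlived its retention window
        try:
            if purpose not in ROLE_PURPOSES.get(role, set()):
                raise AccessDenied(f"role {role!r} may not process data for {purpose!r}")
            live = [r for r in self.records
                    if r.subject_id == subject_id and r.purpose == purpose and not r.erased]
            if not live:
                raise AccessDenied(f"no live record for {subject_id!r}/{purpose!r}")
            if not live[-1].consented:
                raise AccessDenied(f"{subject_id!r} has not consented to {purpose!r}")
            self.audit.append((now, role, subject_id, purpose, "granted"))
            return dict(live[-1].fields)
        except AccessDenied as exc:
            self.audit.append((now, role, subject_id, purpose, f"denied: {exc}"))
            raise

    def expire(self, now):
        """Retention limit: wipe records past their purpose's window; return how many."""
        wiped = 0
        for rec in self.records:
            if not rec.erased and now - rec.collected_at > RETENTION[rec.purpose]:
                rec.fields, rec.erased = {}, True
                wiped += 1
        return wiped

    def erase_subject(self, subject_id, now):
        """Delete/forget request: wipe the subject's live records except those on legal hold."""
        wiped, retained = [], []
        for rec in self.records:
            if rec.subject_id != subject_id or rec.erased:
                continue
            if rec.purpose in LEGAL_HOLD:
                retained.append(rec.purpose)
            else:
                rec.fields, rec.erased = {}, True
                wiped.append(rec.purpose)
        self.audit.append((now, "system", subject_id, "erasure", f"wiped={wiped} kept={retained}"))
        return wiped, retained


def demo():
    """Constructed scenario exercising each control; returns the decisions taken."""
    t0, day = datetime(2019, 5, 25, tzinfo=timezone.utc), timedelta(days=1)
    store = PersonalDataStore()
    store.collect("alice", "newsletter", {"email": "alice@example.test"}, True, t0)
    store.collect("alice", "invoicing", {"address": "1 Example St"}, True, t0)
    store.collect("bob", "newsletter", {"email": "bob@example.test"}, False, t0)
    store.collect("carol", "newsletter", {"email": "carol@example.test"}, True, t0)

    def attempt(*args):
        try:
            return store.access(*args)
        except AccessDenied:
            return "denied"

    out = {"marketing_alice": attempt("marketing", "alice", "newsletter", t0)}  # granted
    out["billing_newsletter"] = attempt("billing", "alice", "newsletter", t0)   # wrong role
    out["marketing_bob"] = attempt("marketing", "bob", "newsletter", t0)        # no consent
    out["erase_alice"] = store.erase_subject("alice", t0 + 30 * day)            # invoice kept
    out["alice_after_erasure"] = attempt("marketing", "alice", "newsletter", t0 + 31 * day)
    out["alice_invoice_after"] = attempt("billing", "alice", "invoicing", t0 + 31 * day)
    out["carol_day_400"] = attempt("marketing", "carol", "newsletter", t0 + 400 * day)  # expired
    return out
```

Two design points worth noting: retention is evaluated on every read rather than by a separate cleanup job, so a missed batch run cannot leak stale data, and the erasure routine treats a legally required retention as an explicit exception that is recorded in the audit trail rather than silently skipped. Which purposes genuinely carry such an obligation is a legal question for each organisation; the invoice rule here is only an assumption for the example.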
Laurence Pitt, Security Strategy Director at Juniper Networks:
“The biggest difference since the introduction of GDPR is that data is now part of every conversation. Understanding what data is being captured, stored and processed is often a business priority and one that is shared through the business, from the IT team setting up policies and security measures to retail workers needing to get permission from customers signing up for loyalty cards. The GDPR has made the world sit up and listen, as other countries have started to implement their own versions (Brazil, Singapore, Australia, Philippines, even the U.S.). While the GDPR is still the only regulation to be implemented with a global reach, that will very likely change in the coming years.
We also know that many businesses are not 100% compliant and are working hard on this. Across the board, I have seen a willingness for enterprises to discuss their journey to GDPR compliance as well as share information on successes and challenges, which is a very positive development in our industry. Ultimately, we’re going to see more data breaches in the coming year, some targeted against very visible data-holding organizations, so it’s now more important than ever for businesses to be ready to respond when, not if, they’re attacked.”
Paul Russert, VP at SecurityFirst:
“The biggest operational impact has probably been the requirement in Article 5 for “data minimization”, as it forces companies to figure out what data they already have, why it was collected and if it is still needed. In what seems to be a honeymoon period, the data protection authorities in the EU seem to be more focused on companies making corrections to comply going forward and assessing smaller fines rather than setting a grand example by levying large fines at the defined maximum levels of €20,000 or 4% of revenue.
The California Consumer Protection Act was accelerated due to the highly publicized misuse of personal information by Cambridge Analytica more so than GDPR. CCPA focused mainly on the online collection and management of consumer personal data for business applications. Where you see more of an influence of GDPR is in the Brazil General Data Protection Regulation and proposed legislation in countries that do a lot of trade with the EU (including the US, which already has the Privacy Shield in place), to help meet the GDPR’s “suitable level of data protection on the basis of an adequacy decision” and make data transfer easier with EU countries.”
Ryan Tully, VP of Product Strategy at STEALTHbits Technologies:
“One year later and the ripples of the GDPR are being felt globally – perhaps nowhere more so than the United States. The GDPR is a clear influencer of the California Consumer Privacy Act due to launch in 2020, with more regulations being discussed across the country.
One area that the GDPR advocated was “Privacy by Design”. Suddenly organizations had to shift to ensure data was protected in multiple layers or else risk real repercussions from the breach or loss of data. While not all organizations are there yet, the concept of controlling and securing data is more ubiquitous than ever before. Granting the ability to request all collected personal data or to have it purged is a massive shift of power to the consumer.
While data breaches still remain a common topic in the news, the impacts of the GDPR and subsequent domestic regulations that come as a result of those should truly give people transparency and control over their personal information, one regulation at a time.”
Christian Vezina, Chief Information Security Officer at OneSpan:
“Over the past few years we have seen an increase in vendor oversight regulatory requirements. This is partly due to the number of data breaches and security incidents involving third party service providers. Organizations have implemented more comprehensive vendor due diligence programs. Regulations such as the GDPR have put even stricter due diligence requirements on organizations, especially around vendors’ ability to meet applicable privacy compliance obligations. Privacy is starting to be an important part of standard vendor assessment processes. Service organizations having a higher level of privacy maturity will benefit from a shortened sales cycle, as they will be in a position not only to demonstrate their compliance, but to assist their customers in meeting their own compliance obligations.
The heavy fines that can be imposed by Data Protection Authorities under the GDPR are meant to be dissuasive. Organizations are taking note that the regulators mean business. Data breaches happen, but how organizations react, and how fast they notify their DPA, will directly impact the fines, if any, that will be imposed upon them. Organizations will not want to be hit with additional penalties for missing the 72-hour reporting deadline. Although there may not actually be more data breaches, breaches are more likely to be reported.”
George Wrenn, CEO at CyberSaint Security:
“Starting a year ago and even before during its development, the General Data Protection Regulation forced organizations both within the EU and abroad to consider the impacts of data privacy and protection – both positive and negative. Bringing these concerns to light created a movement fostered by EU citizens, in partnership with regulatory bodies, as well as the private sector. It has been a true collaboration in the right direction and its effects have overflowed into other regulations in non-EU regions such as the US’s California and others.
Firstly, the GDPR has fundamentally changed the way that we as businesses bring solutions to market. Maintaining the integrity of our data protection and privacy program means that we cannot simply bombard databases with unsolicited information anymore; we have to thoughtfully curate a message, value proposition, and outreach that is both authentic and thoughtful, with the recipient’s desires and preferences in mind, in order to have them opt in to receiving information from us. Secondly, maintaining this integrity means that we have to prioritize the security and privacy of the consumer as our number one concern. This is long overdue as the number of data breaches is quickly increasing year over year, and there needs to be a standard set of best practices to both maintain our business’s reputation and keep consumers safe – two ideas that are fundamentally entwined. Although some businesses may consider the GDPR requirements to be a difficult change, I believe that transparency, personalization and security and privacy should have been the foundation of organizations’ go-to-market strategies long before the GDPR. This regulation raises the bar for how we as businesses treat the modern consumer.
The GDPR has certainly spurred more conversation in the United States around data privacy and protection. The NIST Privacy Framework has grown a massive following and is highly anticipated in part I would argue because of the GDPR movement. California has instantiated privacy laws, and many other states are planning on following suit. Data privacy and protection has become a federal and state issue in the US and only continues to grow momentum.
I believe that this regulation’s development is an interesting example of collaboration much like the NIST Cybersecurity Framework’s development, which my team and I had a part in as well. It was a good example of public, private, and citizen partnership, and there was momentum growing from all three segments, for a variety of reasons, that seemed to foster communication and collaboration that I hope continues when developing new regulations like the GDPR.”
Jake Olcott, VP of Government Affairs at BitSight:
“GDPR has brought executive-level focus to cyber risk, including risk posed by third party “data processors.” Given the vast amount of outsourcing, gaining real-time insight into the cybersecurity and data handling practices of these data processors – which can sometimes number in the hundreds or thousands – presents the greatest challenge that companies will be dealing with today and in the future.
GDPR may be positively contributing to measurable improvements in the security posture of European companies. BitSight continuously collects cybersecurity performance data on over 180,000 companies across the globe. This massive data set — well over 150 billion events collected on a daily basis — includes infections, machine compromises, and vulnerabilities resident within organisations. BitSight compiles data from these organisations to create continental security insights.
Since GDPR was adopted last year, BitSight has observed security performance improvement among European organisations. This steady performance is in contrast to the security performance of organisations in other continents, where performance is significantly lower – and in some cases, has actually declined over the year. Since 1st May 2018, European organisation security performance improved 1.8% over the year, while cybersecurity performance across other continents has generally worsened. Africa (-1.3%), the Middle East (-0.7%), North America (-0.4%), and Oceania (-3%) all worsened over the year, while Asia (0.4%) improved slightly. Only South America improved more significantly (2.4%).
Of note, European organisations have done a far better job than their international peers in implementing stronger controls to reduce Internet exposed services (open ports). As of 1st May 2019, European effectiveness in securing open ports was nearly 100 points higher (672) than the next continent, Oceania (588), and 108 points higher than North America (564).”
Martin Warren, Cloud Solutions Manager, EMEA at NetApp:
“Hefty fines and reputational damage haunted businesses in the build-up to the passing of the General Data Protection Regulation. We all know by now that data security and privacy are in fact two different, complementary issues and with the number of data breaches racking up this year, we are facing the evolving reality of data security in a world where we essentially live digital-first lives. In a world in which our data and its privacy is paramount, data security ensures the front door is bolted shut; data privacy, meanwhile, requires data management processes with privacy-by-design at its core.
While data security is certainly important for businesses, encryption and data masking will not help a business become GDPR compliant. Equally, it does not help companies if they secure data they are not legally allowed to have. Therefore, GDPR is not just an IT issue. The compliance process needs to be led from the C-suite down, as a legal and business concern before a technology one – we might have hoped that this massive shift in mindset would be more evident almost a year on.
Large-scale data breaches from trusted companies are now perceived with more clarity by consumers, who are now awake and more aware of their data rights. This only makes the reputational risks of non-compliance more significant.”
John O’Keeffe, VP of EMEA at Looker:
“Despite the GDPR now being in full force, many are still on the journey to compliance. Getting to a place where you’re confident there’s no data sprawl, everyone’s singing from the same data ‘hymn sheet’ and there’s one single source of truth has been – and still is – a significant challenge for many enterprises.
“With access to data storage becoming so inexpensive, easy and accessible in recent years, the instinct has been for businesses to hoard any and all data they can get their hands on. In many cases, this has generated results in the form of new insights that never would have been uncovered otherwise.
“However, this has also resulted in businesses housing huge volumes of data, some of which isn’t being used at all, and the rest of which is often duplicated across many locations. With that in mind, it has never been more important for organisations to review their data handling and security processes regularly, ensuring policies and processes put in place prior to 25th May 2018 are still being carried out properly.
“While still a business challenge, GDPR should be viewed as just another market condition, and shouldn’t be seen as a barrier to creating a data-driven culture across an organisation. Rather, it should be positioned as a regulation driving data empowerment, so long as there is tech in place to enable compliant practices.”
Chris Hodson, Chief Information Security Officer, EMEA at Tanium:
“GDPR has emerged as a regulatory model for the rest of the world and acted as a catalyst for other countries to introduce more robust privacy measures. For example, Norway, Iceland and Liechtenstein have adopted GDPR by proxy as EEA members. Further afield, California has introduced its own Consumer Privacy Act and the EU has accepted the adequacy of Japan’s Amended Act on the Protection of Personal Information (APPI) legislation under GDPR, allowing the free flow of information between the two regions. Although privacy regulation is still evolving, it’s encouraging to see governments around the world building on GDPR by addressing the widespread availability and abuse of individuals’ personal information with regulations that carry severe penalties.
“To address GDPR requirements, enterprises need to respond to access requests, portability requirements, right to be forgotten requests, and other regulatory components that require knowing what your data is, where it is, who is accessing it and why. While this should be a priority, resources can be scarce in an enterprise environment and risk remediation can fall low on the priority list, meaning companies are forced to make priority calls with the skills at their disposal. In fact, our recent research showed that 94% of CIOs and CISOs have made trade-offs among core elements of security hygiene and IT operations effectiveness, including when it comes to critical application updates and patches.
“With a large percentage of breaches tied in some way to a lack of security hygiene, it is crucial that cybersecurity and IT operations teams work together to understand where data exists in their organisation, how it is being used and how it is being protected. Enterprises must ensure they can locate, manage and categorise data across all computing devices. After all, IT security starts with visibility – you can’t protect what you can’t see – and organisations need a strong handle on their compliance practices to ensure they are effectively managing and handling sensitive data.”
Cindy Provin, CEO at nCipher Security:
“Since the GDPR came into force, we’ve seen a variety of breaches and fines occur, ranging from large, established organisations such as Google, Facebook, Uber and Marriott, to smaller organisations. With over 200,000 cases reported across Europe, the introduction of the GDPR has shown us that no organisation using the personal data of EU citizens can avoid compliance and accountability.
Before it took effect, much of the GDPR-related focus was placed on the potential fines and penalties associated with data breaches and a lack of compliance.
The reality is that this regulation – as well as future data protection laws – should be seen as a positive step in the battle to prevent data misuse. These regulations are not designed to discourage the use of data, but to provide consumers with reassurance that their personal information is in safe hands. They also encourage businesses to follow best practice when it comes to control and governance, two traits that cannot be overlooked in today’s modern cyber landscape.
The future of data protection means a commitment to accountability. If organisations wish to use data to gain a competitive edge, they must be prepared to take responsibility for its use and protection. It also means a commitment to transparency. Transparency in telling customers how their data is being collected and used and transparency when it comes to disclosing the scale and affected parties if a data breach does occur.
The GDPR marks a new era in the way that businesses think about data. And it’s about time. After all, we now live in a digital economy and data is any business’s most important asset, regardless of size or sector.”
Sarah Armstrong Smith, Head of Continuity & Resilience at Fujitsu:
“We live in an age when trust is increasingly top-of-mind, and this will only get more heightened as technology becomes more commonplace and pivotal to everyday life. GDPR helps cement a responsible attitude towards data and privacy across all industries.
“Compared to five or six years ago, I’ve seen a real change in how companies use data: before, businesses were gathering all the data available with a view to how they could improve their business model by tracking and profiling customers to leverage this information, in the form of data analytics. One year after GDPR came into force, businesses are considering the legitimacy of data holdings and taking steps to process this in a lawful way. It’s by no means perfect, but it’s positive to see that organisations are making a concerted effort to improve their data governance.
“To this day, the most positive outcome from the implementation of GDPR is increased protection of individual rights and enabling trust. Just as mistrust and the misuse of data brought GDPR to the forefront, its implementation and the process that every organisation went through leading up to May 2018 helped to create a relationship of trust between consumers, businesses and regulators. Having this transparency and understanding how data is being used and even how algorithms are applied has not only improved security, but also brought to the forefront questions around morality and ethics.”
Sarah Whipp, CMO and Head of Go to Market Strategy at Callsign:
“Despite GDPR being brought in to modernise laws that protect the personal information of individuals, a year on since the introduction of GDPR some organisations are finding that the regulation may have inadvertently created a security vulnerability. GDPR and other “privacy by design” laws, built to empower individuals to have greater control over their data and protect their identities, have actually opened loopholes that cybercriminals can easily take advantage of to gain access to valuable (and personal) data without people ever knowing about it.
“If we breakdown what GDPR really means, the term “data protection” may be a bit of a misnomer. The reason being that the legislation doesn’t “protect” data, it just creates a more transparent system. Perhaps a more appropriate acronym would be “GDTR”? Under the guidelines, organisations are encouraged to hand over data quickly without charging the data subject. But the real issue is proving the person requesting the info is really who they say they are.
“From our experience this could manifest itself as follows: the organisation holding your data being targeted – like a healthcare company or a financial institution – gets a request from an individual they assume is you, for their data. But before they turn over the data, they must verify the individual is actually you. Unfortunately, cybercriminals have caught onto this and proved it’s quite easy to mimic a person by easily answering common security questions (in our oversharing age, much of this data is out there on social networks). They have even been successful using more advanced techniques that crack 2FA, which can be easily bypassed or duped using SIM-swap or call-divert fraud. By exploiting this loophole and some digital trickery, the fraudster convinces the organisation they are actually you and the organisation releases the data. From their perspective they have acted as described and recommended in the law and are none the wiser, yet they just handed over a customer’s financial data or health history or other information that can be easily sold on the black market.
“The loophole remains because while the regulation does advise to check identity, it doesn’t mandate how, leaving room for interpretation and therefore vulnerability. However, there are ways of using behavioural biometrics and AI to detect anomalies to ensure people are who they say they are, so that organisations don’t inadvertently reveal information that could land them in hot water.”
David Kemp, Business Strategist, Security, Risk and Governance at Micro Focus:
“On 25th May 2019, the world will note, rather than celebrate, the first anniversary of the EU GDPR. While its conception was timely and necessary given modern-day data explosion and the surge of social media, many businesses have been slow off the mark to comply with the regulation. On the one side, companies were not prepared and on the other side, it could not be suitably enforced due to the limited resources allocated to regulators. Unfortunately, in the run up to the GDPR’s one year milestone, surprisingly large corporations and government agencies are still at an early stage of compliance.
“However, despite the slow start we’ll begin to see a major drive from organisations to achieve data privacy compliance, not only within the EU but worldwide. This push will be a result of regulators now possessing sufficient manpower to achieve demonstrable enforcement – as we’ve already seen with Google’s £44m GDPR fine in January 2019. And parallel legislation in the form of the California Consumer Privacy Act 2018 coming into force in 2020, as well as similar regulation across APAC, will undoubtedly increase pressure. In the UK, the Information Commissioner’s Office, as DPA, has further raised the stakes by now achieving jail sentences under the Computer Misuse Act – meaning that the risk of non-compliance is now a matter of deprivation of liberty, not just fines.
“As more sanctions and data privacy-focused headlines emerge, individuals will increasingly recognise their right to data privacy – and ability to hold businesses to account for negligence. Put simply, companies can no longer afford to ignore the GDPR or its parallel peer nation data privacy legislation.”
Matt Eckersall, Regional Director, EMEA West at SUSE:
“Data privacy and data storage are intrinsically linked. While data privacy has always been a priority for storage providers, the GDPR has brought this into sharper focus over the last year or so. With the correct storage infrastructure in place, companies can achieve regulatory compliance and ensure customer trust in their brand is not damaged by either cybersecurity concerns or a lack of transparency around data storage and use.
“Both the GDPR and data explosion have resulted in an increasing business need for agile, cost-effective, scalable storage solutions which can help the organisation to grow, compete and survive – and achieve compliance with data protection regulation. While data privacy cannot be addressed with a single silver bullet, storage is a good place to start. One year after the GDPR came into force, businesses need to be considering their storage infrastructure as part of their compliance check process – or risk falling foul of the regulation.”
Simon Wood, Group CEO at Ubisecure:
“The implementation of the GDPR saw the introduction of the most substantial privacy legislation globally. However, I observed that while companies were rushing this time last year to achieve basic compliance, regulators were in a similar state of ‘lack of readiness’ – and actually facing much less pressure to be prepared. So despite the initial noise created around the regulation coming into force, the traction we’re seeing now is comparatively small.
“While fines have already been issued, these have been relatively minor in contrast to the 2018 threat of 4% of turnover. That said, I suspect the first real surge in non-compliance fines will trigger the next round of deeper implementation.
“There is a logical parallel here with the iterations of regulations in the payment industry – PCI DSS first, followed by PSD2. In some senses, the GDPR could be described as the second wave of privacy as all EU countries had local regulation prior to last year. But looking ahead, the GDPR is really only the beginning. I would suggest that all organisations should ensure good privacy practice because the real second wave of privacy – and therefore the real test – is yet to come.”
Janet de Guzman, Senior Director, Industry Marketing and Compliance Group at OpenText:
“With the first anniversary of Europe’s General Data Protection Regulation (GDPR) coming later this month, you may have assumed the state of data privacy would be incredibly different compared to this time last year. One year later, we have seen examples of high profile data breaches, but we have not yet seen European authorities use their new regulatory powers to impose the maximum penalties on multinational companies falling foul of the GDPR.
“However, while companies continue to collect massive amounts of data, this past year has marked a turning point in data privacy policy. Companies worldwide raced to make the May 2018 deadline. Regulators in Europe hired additional staff and began to test the impact of enforcing new policies. Countries beyond Europe, such as Nigeria and Japan, advanced regulations that mirror the GDPR. Furthermore, the D9 is leading the development of an open government that has data privacy at its core. One D9 member, Estonia, has even opened the world’s first data embassy to give the data it holds diplomatic status.
“More generally, there has been growing awareness around how organisations capture and process personal data. Yet businesses from all sectors are still having difficulty complying with critical parts of the GDPR. Requirements like 72-hour notification of a breach and the fact that consumers can request copies of the data companies have about them have been especially challenging. To overcome these issues in the year ahead, organisations must transition from data owner to data custodian.
“This requires organisations to determine what personal data they have, where and how it’s stored and processed, who uses it, what it’s used for and why, and whether they have the right consent from a specific individual. Discovery consulting services can help to find and identify this information and an enterprise information management (EIM) platform is indispensable for compliant management of the data and processes associated with it. This visibility will be essential in the second year of GDPR enforcement if businesses are to achieve compliance status and avoid potentially huge penalties for regulatory infringement.”
Alberto Pan, CTO at Denodo:
“The European Data Protection Regulation is going in the right direction to guarantee the rights of users, but I think that the legislator underestimated the technical complexity of implementing the regulations. In large companies, personal data is usually distributed across multiple repositories, both locally and in the cloud, which poses an integration problem. Traditional data integration techniques are based on making even more copies of the data, which exacerbates the problem. Therefore, analysts such as Gartner and Forrester are recommending logical architectures based on data virtualization. These technologies provide a central point to access, integrate and govern the data without needing to replicate them, facilitating compliance with the requirements of the GDPR.”
Cindy Provin, CEO at nCipher Security:
“Since the GDPR came into force, we’ve seen a variety of breaches and fines occur, ranging from large, established organisations such as Google, Facebook, Uber and Marriott, to smaller organisations. With over 200,000 cases reported across Europe, the introduction of the GDPR has shown us that no organisation using the personal data of EU citizens can avoid compliance and accountability.
“Before it took effect, much of the GDPR-related focus was placed on the potential fines and penalties associated with data breaches and a lack of compliance.
“The reality is that this regulation – as well as future data protection laws – should be seen as a positive step in the battle to prevent data misuse. These regulations are not designed to discourage the use of data, but to provide consumers with reassurance that their personal information is in safe hands. They also encourage businesses to follow best practice when it comes to control and governance, two traits that cannot be overlooked in today’s modern cyber landscape.
“The future of data protection means a commitment to accountability. If organisations wish to use data to gain a competitive edge, they must be prepared to take responsibility for its use and protection. It also means a commitment to transparency: transparency in telling customers how their data is being collected and used, and transparency when it comes to disclosing the scale and affected parties if a data breach does occur.
“The GDPR marks a new era in the way that businesses think about data. And it’s about time. After all, we now live in a digital economy and data is any business’s most important asset, regardless of size or sector.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.