Experts' Comments:
Joseph Carson, Chief Security Scientist & Advisory CISO at Thycotic:
It means that companies that are regulated by the GDPR have improved their cybersecurity capabilities – incident response has been one of the areas in which companies have significantly improved. We have also recently seen the first fines under the GDPR given to several companies, mostly related to consent or data minimisation, though many of the major data breaches are still under investigation and we will likely see the fines increase throughout 2019 and beyond.
The GDPR is only the first step in helping regain control of personal information, and the EU needs to continue improving. GDPR has been the founding regulation that other governments around the world are using as the standard for their own versions. For example, the California Data Privacy Protection Act, while not as strict, is setting the new direction for protecting personal information, and many others are following.
Mark Trinidad, Senior Technical Evangelist at Varonis:
Over the past year, one of the biggest adjustments organisations have had to make for the GDPR is giving greater consideration to the data in their possession. Suddenly, they had to identify and plan for at-risk and sensitive data, as well as care enough to understand where data is stored, how it is processed, and who has access to it.
While caring is the first step, data protection and security is a process, not a destination. With the GDPR, there has not been an “easy” button to push, and many are still working to improve their GDPR practices. For example, companies are continuing to fall even farther behind in securing their data: the Varonis Data Risk Report found that, on average, 22% of folders are accessible to every employee. Discovering where all the sensitive at-risk data is stored and who has access to it can be eye-opening for organisations that did not care before. Therefore, implementing a comprehensive plan to mitigate risk can be an uphill battle if an organisation simply does not know where to begin.
The GDPR has acted as the first step to force global companies to change their thinking around data protection and the new California Consumer Privacy Act (CCPA) will be another when it comes into effect.
Carolyn Crandall, Chief Deception Officer at Attivo Networks:
Ian Bancroft, Vice President and General Manager EMEA at Secureworks:
“By holding organisations responsible, the regulation is reaffirming that businesses need to know their data, manage it, and build a strategy which protects every stakeholder from investors to the end user. Ultimately, regulations like GDPR are one of the key reasons behind the shifting role of traditionally non-strategic roles in the boardroom like the CFO, CTO and CSO. With the value of data growing exponentially, those who are directly responsible and impacted by data will increasingly find themselves consulted on how to use this asset effectively, and above all else, securely.”
Colin Truran, Principal Technology Strategist at Quest:
“As more and more businesses are now looking to cover their backs and demonstrate varying degrees of compliance to their users, this new era of data privacy awareness could be more than many businesses bargained for when regulators such as the Information Commissioner’s Office (ICO) come knocking. The total fines to date are around €56 million – which you would initially think is a lot, but actually, almost all of it comes from French data watchdog CNIL’s €50m fine for Google.
“However, GDPR has not yet had that real wake-up call that many thought it would. The fines to date have been well within budget: not insignificant, but not exactly life-changing either. There is also a clear discrepancy between how data authorities in different countries are applying it, so despite having a common set of rules it is not a level playing field. With all that said, it is still early days, and most of the breaches occurred before the GDPR was ratified into law. Therefore, this year will be the decider of whether GDPR is the effective solution it was intended to be or just another piece of bureaucracy that fails to have the desired effect.”
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.