The third anniversary of the introduction of the EU-wide General Data Protection Regulation (GDPR) takes place today, May 25th. It comes as a timely reminder to all of us about the importance of data privacy as an increasing number of cyberattacks continue to take place.
In an environment increasingly relying on the processing of data, the GDPR ensures that citizens have more control over their personal data and sets at the same time a framework for trustworthy innovation. GDPR is a cornerstone of the European digital transition.
Three years since its rollout in May 2018, 661 GDPR fines have been issued by European data protection authorities. Every one of the 28 EU nations, plus the United Kingdom, has issued at least one GDPR fine. A GDPR tracking dashboard from Privacy Affairs displays official data from national data protection bodies to monitor the status of GDPR fines.
During this anniversary period, a few industry experts are offering up their thoughts to VMblog readers.
Anna Larkina, security researcher at Kaspersky
"GDPR was a very important step towards transparency of how companies and services collect and use user data. Thanks to GDPR, we see what companies collect about us and why they do it. Most importantly, many users around the world received various rights, in particular the right to access and delete collected data (in accordance with Chapter 3, "Rights of the data subject").
Despite the fact that the GDPR essentially applies only to users from the EU, many companies have adopted a transparency policy regarding the data they collect, have integrated the ability for users to manage the information they collect into their services, and some have extended the user rights specified in the GDPR to everyone regardless of their jurisdiction.
Even if the user is not under the jurisdiction of the GDPR, thanks to this law being present in the Privacy Policy, you can almost always see what is being collected about you, with whom it is shared and how it is used. Nevertheless, not all global companies, and especially local companies (even if they target users from other countries, in particular from the EU), are ready to fully comply with the GDPR, which is unfortunate.
Still, we shouldn't underestimate the impact of GDPR on the whole world. Thanks to this law, many people have opened their eyes to the fact that we still pay for free services with our data, and how and why this data is collected; what was previously a completely gray area has become much more transparent, while users now have more rights.
Congratulations on the 3rd anniversary, GDPR! We still have a lot to do to make users around the world feel confident, so that everyone has a right to and control over their data. Thank you for setting a great example and changing the world for the better."
--
Andy Syrewicze, Technical Evangelist at Altaro, Part of Hornetsecurity Group
"GDPR (General Data Protection Regulation), like most regulatory laws, has been the world's response to an increasingly digital society. Given the increased digital workplace due to the COVID-19 pandemic, even more of our lives (professional and personal) are stored online these days, and it's more important than ever for organizations to be aware of whether GDPR applies to them or not. Even if you're not an EU-based company, you may still be responsible for data that falls under GDPR guidelines.
For example, if you do business with an organization that is in the EU, or even if you do business with an organization that is NOT in the EU but has EU-based customers itself, you MUST adhere to GDPR guidelines. In my experience this situation is what most often comes as a surprise to organizations starting to grapple with GDPR.
Organizations can best prepare themselves by understanding the regulations and also learning about what tools they have at their disposal for helping them stay GDPR compliant. This includes things like geographically controlled offsite data storage for backups and EU-based cloud services like those offered by Microsoft Azure. Leveraging these tools will help organizations continue to stay GDPR compliant while providing a high degree of support to customers and business partners moving forward."
--
Jennifer Glasgow, EVP, Policy & Compliance, First Orion
"We are approaching the third anniversary of the enactment of GDPR (General Data Protection Regulation). While originally intended to protect the information of EU residents, we've seen GDPR become the model for privacy and data protection legislation on a global scale. We are global citizens, and so too is our information. No matter where an organization is based, we must ensure that all cross-border data transfers don't weaken protection of personal data. Once GDPR was rolled out in Europe, we saw elements of GDPR come into play in the U.S., with CCPA (California Consumer Privacy Act), and in other countries around the world. We are also beginning to understand the law's weaknesses. Global dialogues suggest that a stronger accountability-based approach allows more innovation with data, something business and government alike want. As many U.S. states pass privacy laws and pressure rises for a single federal standard, 2021 will be a pivotal year in the U.S., the EU, and around the world in the evolution of privacy and data protection laws. It remains to be seen if we can break some glass and take the big leap to a different construct that protects individuals while encouraging innovation with data."
--
Stephen Cavey, Co-founder and Chief Evangelist, Ground Labs
"Since GDPR's inception in 2018, the regulation has had a global impact on data compliance, sparking similar efforts from other countries to create their own legislation to better protect their citizens. These regulations have effectively increased transparency, given consumers the ability to opt out of data sharing practices, and held businesses accountable for the personal data they hold. In addition to other compliance regulations like CCPA, we anticipate seeing even more global data protection laws from all regions in the near future, including those from China and South Africa.
However, challenges arise as more and more data is generated and more people are conducting their day-to-day activities from the comfort of their homes and personal devices. This makes GDPR arguably more relevant now than it has ever been. As these regulations grow in scale and complexity, and fines for violations and non-compliance continue to see double-digit growth, organizations are exploring ways to meet these requirements without hindering business success. Forward-thinking organizations are deploying solutions and processes that will allow them to address security using a common, data-driven approach despite any variances in regulation that each of these emerging laws brings. I also believe we may see businesses adopting protections as a unique selling point in years to come. Take, for example, Apple's recent iOS 14.5 update, which gave users ultimate control over data collection on their iPhones and translated into a 'Privacy. That's iPhone.' marketing campaign."
--
Declan Dickens, Senior Manager, Northern Europe, Checkmarx
"Three years ago, the General Data Protection Regulation (GDPR) came into effect, heralding a new wave of privacy and security reform throughout Europe. While debates carry on about the true effectiveness of GDPR, one thing that's been clear is that it has forced organizations, consumers, and legislatures alike to take notice of privacy - which is a positive in itself.
With that said, there is still a lot of work to be done when it comes to widespread action and accountability surrounding data privacy. A new report noted that over 661 fines have been issued since GDPR became enforceable, totalling €292 million - a concerning number. It's important that both lawmakers and organizations don't become complacent in this critical effort. Issues surrounding fragmentation and gray areas still exist with the GDPR, which continue to create a variety of problems. GDPR, and data privacy protections more broadly, should be a living, breathing initiative, being consistently updated to reflect changes in end user needs, evolutions in regulatory requirements, and more.
Organizations that develop applications in particular must ensure they're aligning with the GDPR requirements. The articles relating to this (25, 32, 33, 34 and 35) reaffirm the steps needed when securing data flowing through applications, in addition to what needs to be done in the event of a data breach. For those looking to remain compliant, we suggest they first follow the 'privacy/security by design' rule - ensuring data security and privacy are considered during the planning stage of any product or solution, as opposed to during development - to safeguard data from attackers by default. For existing operations, organizations need to work to discover any weak points in how data flow is processed and handled by performing gap analysis to find what works and what needs to be worked on or removed. Finally, organizations should make a habit of 'spring cleaning' to remove any data that is no longer needed. Only by following these critical steps can they hope to position themselves in the most agile and resilient way to avoid hefty fines and, more importantly, protect data privacy."
--
Joseph Carson, Chief Security Scientist & Advisory CISO, ThycoticCentrify
"It is the 3rd anniversary of EU GDPR and it has been an interesting few years. EU GDPR has forced organizations to take further steps in understanding the data they collect and to put additional security controls in place to protect the data from cybercriminals. We have seen some organizations who became victims of cyber-attacks and data theft getting fined millions of euros, as GDPR investigations found inadequate security or failure to meet EU GDPR requirements. In the past year, however, EU GDPR has slowed, most likely as a direct result of the global pandemic, and some organizations who face significant industry challenges under the pandemic had their financial penalties significantly reduced.
Yes, GDPR has absolutely put citizens more in control of the data collected and processed; however, has it directly benefitted cybercriminals, who have also adapted new techniques in recent years, specifically improving an already powerful digital weapon such as ransomware by including data theft and exfiltration that specifically forces organizations into a GDPR focus? Are cybercriminals abusing GDPR as a lever to getting paid a ransom? While GDPR did force organizations to improve security, it has not stopped cybercriminals from being successful, and in the past year we have seen a huge increase in ransomware attacks and nation-state espionage into supply chains causing ripple effects throughout the industry. While GDPR has forced organizations into taking more responsibility and protection of sensitive personal data, has it allowed cybercriminals to take advantage and use GDPR in return, making hundreds of millions in ransom payments? Does EU GDPR need to take further steps by confronting the devastation being caused by ransomware?"
--
Mike Kiser, Senior Identity Strategist, SailPoint
"When GDPR took off in 2018, it was a major and tangible step for positive change in addressing the privacy concerns of U.K. citizens. Its worldwide influence compelled companies across the globe to pay closer attention and commit to protecting the privacy of their customers, employers, partners, and all other key stakeholders — no matter their location. Three years later, it’s now considered a foundational aspect of any organization’s overall cybersecurity and operational strategy. To achieve the full visibility needed to comply with GDPR, and other privacy regulation laws, organizations should focus on a few key identity security priorities, which include: locating personally identifiable information (PII), understanding who has access to it, and implementing and maintaining proper access controls for that data. Only with a holistic, identity-centric security practice do you stand a chance at protecting your ecosystem's data and avoid running afoul of privacy legislation and becoming the next breaking news headline."
--
Neil Thacker, EMEA CISO, Netskope
"On the 3rd anniversary since the General Data Protection Regulation (GDPR) came into effect, we recognize the continued problem of the use of unmanaged cloud applications and services whilst adhering to the regulation. One of the most underestimated compliance challenges that organizations face under the GDPR is the fact that many - if not most - personal data records, for which the organization is legally responsible, are processed using cloud applications and services not traditionally owned or made visible to the IT or the security team. Also, unstructured personal data is created by the workforce – often unsupervised – using productivity or collaboration applications. This data is pervasive across mobile devices and shared with others through unmanaged applications and cloud storage locations, which are outside the organization’s direct control. The pandemic-fueled explosion of data in 2020 and a Work-From-Anywhere (WFA) trend involving Bring Your Own Device (BYOD) usage has only exacerbated this problem.
Nevertheless, under the GDPR regulation, it is always the organization’s legal responsibility to protect such data from loss, alteration, or unauthorized processing, even if workers use cloud services that are not pre-approved or controlled by the organization. This means that organizations must know which personal data records are processed by users of cloud services; identify the cloud applications used by the organization’s workforce; prevent personal data from being stored or processed in unmanaged cloud services; and continue to protect personal data when stored or processed in cloud services.
Failure to manage non-approved cloud services may leave the organization at serious risk, from both a legal perspective and from a business continuity and reputational perspective. CIOs and CISOs must therefore pay close attention to this issue and implement measures to bring such cloud services under the visibility and control of the organization. Trusted frameworks and platforms, such as Secure Access Service Edge (SASE), help not only to future-proof an organization’s cloud strategy but do so with security, privacy, and compliance with regulations, such as the GDPR, at the forefront."
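The visibility problem described in the quote above (knowing which cloud applications the workforce actually uses, and spotting personal data being pushed to unmanaged ones) is usually worked from the web-proxy or gateway log. The following is an added example written for this page, not Netskope's code or any vendor's product logic; the log line format, the managed-application allowlist and the upload-size threshold are all constructed for illustration, and the sample log lines are invented.

```python
"""Audit a web-proxy log for uploads to cloud apps outside the managed list.

Added example for this page (not Netskope's code). The log format, the
MANAGED_APPS allowlist and the byte threshold are assumptions made here.
"""
import re
from collections import defaultdict

# Assumed log format: one request per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>[A-Z]+) "
    r"host=(?P<host>\S+) bytes_out=(?P<bytes_out>\d+)$"
)

# Cloud applications the organization has sanctioned and can control (constructed).
MANAGED_APPS = {"sharepoint.example.com", "drive.example-managed.com"}
UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_THRESHOLD = 50_000  # bytes sent upstream before we treat a request as an upload

# Constructed sample log, including one malformed line to show it is skipped.
SAMPLE_LOG = """\
2021-05-25T09:01:02Z user=alice method=GET host=sharepoint.example.com bytes_out=512
2021-05-25T09:03:10Z user=alice method=PUT host=sharepoint.example.com bytes_out=2048000
2021-05-25T09:10:44Z user=bob method=POST host=pastebin-like.example bytes_out=120000
2021-05-25T09:12:00Z user=bob method=GET host=news.example bytes_out=300
2021-05-25T09:15:31Z user=carol method=PUT host=freecloud.example bytes_out=9000000
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def audit(log_text, managed=MANAGED_APPS, threshold=UPLOAD_THRESHOLD):
    """Build an app inventory (host -> users) and flag large uploads to unmanaged hosts."""
    inventory = defaultdict(set)
    findings = []
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed lines are counted, never silently dropped
            continue
        inventory[rec["host"]].add(rec["user"])
        if (rec["host"] not in managed
                and rec["method"] in UPLOAD_METHODS
                and rec["bytes_out"] >= threshold):
            findings.append({"ts": rec["ts"], "user": rec["user"],
                             "host": rec["host"], "bytes_out": rec["bytes_out"]})
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return {
        "inventory": {h: sorted(u) for h, u in inventory.items()},
        "unmanaged_hosts": sorted(h for h in inventory if h not in managed),
        "findings": findings,
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("Unmanaged cloud hosts seen:", report["unmanaged_hosts"])
    for f in report["findings"]:
        print(f"UPLOAD to unmanaged app: {f['user']} -> {f['host']} ({f['bytes_out']} bytes)")
```

The inventory answers the first of the quote's four requirements (which cloud apps the workforce uses); the findings list is the starting point for the second and third (which unmanaged services are receiving data, so they can be blocked or brought under management). A real deployment would feed the findings into the organization's DLP or CASB workflow rather than printing them.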
--
Rajesh Ganesan, vice president of ManageEngine
"Privacy laws will result in increased focus on employee accountability. More countries are following the European Union's lead by implementing data protection laws similar to GDPR. Late last year, China unveiled the first draft of its PDPL (personal data protection law) and many believe the US is next to follow suit. Where privacy laws are established, the role of Data Protection Officers (DPOs) assumes significance, as they must work closely with the CIOs and tech teams to ensure that organizations comply with the law. With increased awareness of and emphasis on data protection, there will be an even greater focus on the security and handling of users' personal data. Employees at all levels will be held accountable as organizations strive to meet compliance. Therefore, upskilling and education programs will be needed to handle this aspect.
This is also the right time to take security very seriously. Over a year into the pandemic, we now know the implications remote work has on security, and we’ve seen companies like Apple and Google change their stances on data privacy. While that’s a step in the right direction, more companies should build in security and privacy from the ground up. GDPR coming from the European Union was a game-changer, but we need to make sure we continue to address security and privacy at the foundation level."
--
Ramsés Gallego, International CTO, CyberRes, a Micro Focus line of business
"On the third anniversary of the implementation of the GDPR, we can confidently say that the regulation is here to stay. Ultimately, data belongs to people and any technique that reinforces that approach - including encryption, tokenisation, data scrambling, data hiding, anonymization, among others - represents a fundamental step to protect small quantities of data that, when aggregated, becomes information.
While it's down to the European Data Protection Board (EDPB) to ensure that the law is being interpreted in the correct manner and provide essential guidance, businesses also have a key role to play in upholding the regulation. Keeping data safe, however, has never been more challenging than over the last year. The mass move to remote working caused by the pandemic meant that businesses had to shift to digital-first approaches virtually overnight. The resulting distributed infrastructure has created new attack vectors for cybercriminals – and, in turn, a greater potential for damaging data breaches.
Within this new reality, becoming cyber resilient is a business necessity. Organizations should make extensive plans to effectively prepare for, respond to and recover from cyber threats. Amid a constantly evolving threat landscape, made even more complex by the global pandemic, protecting against data breaches requires building a road map to cyber resiliency. This way, organizations can ensure they are in the best position to safeguard sensitive information and continue to comply with data privacy regulation such as the GDPR."
--
Gary E. Barnett, CEO of Semafone
"The European Union's General Data Protection Regulation (EU GDPR) was designed to safeguard personal data in the new digital age. Any firm that collects, processes or stores data on EU citizens must comply – regardless of where they operate, making GDPR a requirement for businesses that operate on a global scale.
Regulatory compliance is particularly challenging for the customer service industry. In contact centers, call recording is essential to facilitating dispute resolutions, ensuring quality control, discouraging fraudulent behavior for both agent and caller, and helping train staff. Under the GDPR, contact centers have to document data processing activity and those that use call recording as part of their training or for quality control purposes need to ensure they obtain consent from the individual. The EU GDPR not only empowers and protects customers, but also puts the control of their personal data into their own hands. Since they’re on the front lines of customer information, call centers must take a holistic look at information security and data processing to ensure customer data and personally identifiable information (PII) is secure and compliant.
The safest way of securing customer data is to not store it in the first place. Although data security technology has improved, masking solutions add another layer to prevent bad actors from hacking your personal information. After all, they can’t hack it if it’s not available."
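Two of the quotes above, Ramsés Gallego's list of data-minimizing techniques (tokenisation, masking, anonymization) and Gary Barnett's point that a contact center is safest when it never stores the raw value, describe the same design: the application keeps a token and a masked display form, and the raw value lives only in a separately controlled vault. The following is an added example written for this page, not Semafone's or Micro Focus's code; the in-memory vault, the `tok_` token prefix and the sample card and phone numbers are constructed for illustration.

```python
"""Tokenize and mask customer data so the application record holds no raw value.

Added example (not Semafone's or Micro Focus's code). The in-memory TokenVault
stands in for a separately hosted, access-controlled token service; that
substitution and the token format are assumptions made for this example.
"""
import secrets
from dataclasses import dataclass


class TokenVault:
    """Maps opaque random tokens to raw values.

    In production this is its own service with its own access policy and audit
    log; here it is an in-memory dict so the example runs stand-alone.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        """Return the existing token for a value, or mint a new random one."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)   # random, so it reveals nothing about the value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the raw value; only the vault's trusted callers get to do this."""
        return self._token_to_value[token]


def mask(value: str, keep_last: int = 4) -> str:
    """Replace every digit except the last `keep_last` with '*', keeping separators."""
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    masked = set(digit_positions[:-keep_last]) if keep_last else set(digit_positions)
    return "".join("*" if i in masked else ch for i, ch in enumerate(value))


@dataclass(frozen=True)
class CustomerRecord:
    """What the agent-facing application actually stores: no raw card number."""
    customer_id: str
    card_token: str
    card_masked: str


def ingest(vault: TokenVault, customer_id: str, raw_card: str) -> CustomerRecord:
    """Tokenize the raw value on the way in and keep only token + masked form."""
    return CustomerRecord(customer_id, vault.tokenize(raw_card), mask(raw_card))


def record_is_clean(record: CustomerRecord, raw_card: str) -> bool:
    """True if the raw value appears in none of the stored fields."""
    return raw_card not in (record.customer_id, record.card_token, record.card_masked)


if __name__ == "__main__":
    vault = TokenVault()
    raw = "4111 1111 1111 1111"        # constructed test card number
    rec = ingest(vault, "cust-42", raw)
    print(rec)                         # token + "**** **** **** 1111", no raw digits
    print("raw value absent from record:", record_is_clean(rec, raw))
    print("vault can still recover it :", vault.detokenize(rec.card_token) == raw)
```

The masked form is what a screen, a log line or a call transcript may carry; the token is what the application persists; only the vault, behind its own access control, can turn the token back into the raw number. A compromise of the application database therefore yields tokens and last-four digits, which is the "can't hack it if it's not available" property Barnett describes.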