Wednesday, May 25th marks the fourth anniversary of EU-wide enforcement of the General Data Protection Regulation (GDPR). It comes as a timely reminder of the importance of data privacy as the number of cyberattacks continues to grow.
To mark the milestone, industry experts from a range of companies have shared their expertise and thoughts with VMblog.
Andy Syrewicze, Technical Evangelist at Hornetsecurity:
"It’s been another year and GDPR (General Data Protection Regulation) has continued to be a law that is impactful the world over. It comes as a surprise to many organizations that even though they may not be based in the EU, they must adhere to GDPR regulations if they do business with an EU customer. This is not all without reason though. This law has provided end-users with a MUCH-needed method of seeing what parts of their data are being retained, why, and also providing a method of deletion for said data if desired.
Many organizations are adopting a policy of GDPR adherence even though they may not be required to be compliant today. This is due to a number of reasons. Maybe they expect to move into the EU market in the near future. Maybe they have a low threshold for legal risk. Or more commonly today many businesses are preparing for the increase in GDPR-styled US state laws that have been passed in places like California and Utah. It’s likely only a matter of time before similar laws are passed in other states or even at the US Federal level. So, it’s helpful for many businesses to get ahead of that curve now before it becomes mandatory.
All this prep work includes the usual GDPR requirements, but it also includes considerations when it comes to offsite backup storage as well. Vendors that allow you to select an offsite backup location based on country or region will be immensely important in preparing for GDPR regulations and future policies likely to be coming from the US in the future."
++
Alec Foster, Growth Marketer & Privacy Professional (CIPP/US), and Yuval Sadon, Cyber Threat Analyst, Canonic Security:
"GDPR has forced companies around the world to take consumer privacy more seriously. In the coming year, we can expect to see additions to GDPR to clear up ambiguity around opt-in consent and improvements to consumers' ability to access their personal data stored by companies that do business in Europe. These improvements will strengthen privacy protections of European consumers, as well as in other countries, as companies seek to simplify their global legal compliance programs.
According to GDPR, the data collector is responsible for the data they collect. Therefore, when an organization shares data with a 3rd party and data breaches occur, the data collector is obliged to notify the data subject of data breaches within 72 hours, even if they weren’t handling the data. The GDPR expects the data collector to manage data sharing with 3rd party apps and respond immediately when a privacy breach occurs.
For example, Acme Corp uses the “widget.ai” application, and “widget.ai” experiences a data breach that may include Acme Corp’s customers' data. Acme is obligated to notify all subjects of the possibility of leaked information. Canonic includes information about recent data breaches to help companies comply with GDPR in events like this."
++
Joseph Carson, Chief Security Scientist and Advisory CISO, Delinea:
"As we approach the fourth anniversary of EU GDPR, it is a time to reflect on how this privacy law has changed the cyber landscape over the last several years. Since its introduction, GDPR has continually forced organizations to better evaluate how they store and collect user data while simultaneously requiring organizations to implement stronger security controls to protect and secure any data they do collect from potential exploits. While the GDPR law has without doubt given citizens more control over how their data is collected and processed, it has also presented opportunities to cybercriminals who have also adapted their methods and techniques, specifically through ransomware attacks. Ransomware attacks continue to cause ripple effects throughout the industry and cybercriminals now utilize potential GDPR violations as a means of forcing an organization to pay their hefty ransom demands to avoid GDPR fines and other reputational losses. An astonishing 83% of organizations admit to paying ransom demands, according to recent research.
While GDPR did force organizations to somewhat improve their security posture, it has not stopped cybercriminals from being successful. Organizations must remember that GDPR is only a standard and cannot supplement a robust security strategy, one that incorporates strong privileged access control, automated threat detection and response, zero trust principles and a security first company culture."
++
James Wilde, Global Head of Security Strategy, SPHERE:
"2021 was a significant year for GDPR fines, and it really demonstrated the bite which GDPR has. Two of the largest fines to date were Amazon Europe (746m euros) and WhatsApp Ireland (225m euros). When you consider that in 2018 the total of all fines combined was 436,000 euros, we can see the strong stance regulators are taking towards data privacy and the significant risks firms are exposed to going forward.
Following the introduction of GDPR, there has been a rapid increase in the volume of similar initiatives passed by regulators focused on protecting personal data. While similar in nature, there are plenty of nuances which present a concern for organizations working across multiple jurisdictions. Just a few examples include GDPR in Europe, PIPL in China, CCPA in California and POPI in South Africa, among many others."
++
Davis McCarthy, Principal Security Researcher at Valtix:
"As the value of data increases, the exploitation of data will also increase. The cloud makes accessing data easy, which complicates GDPR compliance because the enterprise may lose visibility or lack the business processes needed to manage cloud data. Consider the developer that accesses user data to work on a project, when the dataset should be pseudonymous to maintain user privacy, but is not. Compliance needs to be maintained over the lifecycle of the dataset: dev to prod, localhost to the cloud, and frontend to backend. Under GDPR a user can ask a company to delete their data; if the company doesn’t know their data is stored in that dev environment, they are not compliant. This goes for vendors too: how do your vendors handle your user data across its lifecycle? In this scenario, there is no nefarious actor, just a shift in how the enterprise needs to handle the new valuable commodity."
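The developer scenario above (a production dataset copied into a dev environment without being pseudonymised first) is the kind of thing a small gate in the export pipeline catches. What follows is an added example, not code from the page or from any of the quoted vendors: it replaces direct identifiers with keyed HMAC-SHA256 tokens before the copy leaves production and refuses the export if raw identifiers survive. The sample rows and the column names are constructed for the example; the export key is assumed to come from a KMS or secrets manager that the dev environment cannot read.

```python
"""Pseudonymise direct identifiers before a dataset leaves production.

Added example, not from the page or any quoted vendor. The rows below are
constructed sample data; in practice the key would be fetched from a KMS
or secrets manager and kept out of the dev environment.
"""
import hashlib
import hmac
import secrets

# Constructed sample export, shaped like a customer table. The third row
# repeats the first so the example can show that joins still work.
CUSTOMERS = [
    {"id": 1001, "email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"id": 1002, "email": "bob@example.org", "plan": "free", "country": "FR"},
    {"id": 1001, "email": "alice@example.com", "plan": "pro", "country": "DE"},
]

# Columns that directly identify a person (the names are an assumption).
DIRECT_IDENTIFIERS = ("id", "email")


def new_export_key() -> bytes:
    """Fresh key for one export. Destroying it afterwards makes the tokens
    unlinkable to the originals, a simple form of crypto-shredding."""
    return secrets.token_bytes(32)


def pseudonymise(rows, key, fields=DIRECT_IDENTIFIERS):
    """Replace each direct identifier with a keyed HMAC-SHA256 token.

    Same value + same key -> same token, so joins between tables still
    work in dev; without the key nobody can recompute or reverse them.
    The field name is mixed into the message so an id and an email that
    happen to share a value do not collide.
    """
    out = []
    for row in rows:
        new_row = dict(row)
        for field in fields:
            if field in new_row:
                msg = f"{field}:{new_row[field]}".encode()
                tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
                new_row[field] = f"p_{tag[:32]}"
        out.append(new_row)
    return out


def contains_direct_identifiers(rows, fields=DIRECT_IDENTIFIERS) -> bool:
    """Gate for the export pipeline: True if any row still carries a raw
    email address or numeric id in an identifier column."""
    for row in rows:
        for field in fields:
            value = str(row.get(field, ""))
            if "@" in value or value.isdigit():
                return True
    return False


if __name__ == "__main__":
    key = new_export_key()
    dev_copy = pseudonymise(CUSTOMERS, key)
    assert contains_direct_identifiers(CUSTOMERS)
    assert not contains_direct_identifiers(dev_copy)
    for row in dev_copy:
        print(row)
```

Two caveats worth keeping in mind. Pseudonymised data is still personal data under the GDPR (Article 4(5) defines pseudonymisation as processing that leaves re-identification possible with additional information), so the dev copy still has to be inventoried and still falls under an erasure request; the technique lowers the impact of a leak, it does not take the copy out of scope. And the keyed construction only helps if the key really is kept away from the environment holding the tokens: a key checked into the dev repo turns the tokens back into a lookup table.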
++
Mike Parkin, Senior Engineer, Vulcan Cyber:
"When GDPR (General Data Protection Regulation) was first introduced, individuals gained enhanced privacy and received much more control over their personal data. The flip side was organizations needing to do a great deal of work to implement the requirements imposed by the new standards. The reach also extended beyond Europe as many companies doing business worldwide were required to comply if they wanted to continue doing business in the EU.
Now, four years on, most organizations have learned how to comply and ordinary citizens have seen the benefits. While it does impose some extra costs of doing business, and some business models are impacted by needing to give users greater privacy and control, there are dividends in security and customer confidence that should outweigh the costs. The question remains as to how far beyond the European Union the GDPR model will extend, and whether other countries will follow suit to improve their citizen’s privacy and personal security."
++
Steve Bakewell, Managing Director EMEA, NetSPI:
"On the fourth anniversary of the GDPR, it's fair to say the legislation has impacted both consumers and companies alike. Consumers are more aware of the value of their personal data and how companies collect and use it, which is increasingly informing the choices they make as well as the brands and services they trust. Data breach notification rules have increased transparency and cookie warnings are everywhere, yet remain inconsistent. This lack of consistency is being addressed by the EU within its wider ePR update, which serves as an example that regulations tend to change over time.
Companies have done a lot of work to bring their systems and processes in line with the GDPR, but it is a continuous exercise. In the same way regulations change, so does technology. For example, the increasing uptake in cloud services has resulted in more data, including personal data, being collected, stored and processed in the cloud.
Moving forward, companies should be confident they have mapped out the data lifecycle for the organisation, including what it is, where it is, how it is collected, stored, processed and deleted. Understand and implement both privacy and security requirements in systems handling the data, then test accordingly across all systems, on-prem, cloud, operational technology, and even physical, to validate controls are effective and risks are correctly managed."
++
David Friend, co-founder and CEO, Wasabi Technologies:
"Now four years into the launch of GDPR, organizations must take action to both replicate their data across data centers in different countries and secure their encryption keys. While it is clear that the regulation has been fairly effective in keeping data within European borders thus far, other external influences such as international conflict and cyber criminals becoming more sophisticated are now throwing GDPR, and data privacy in general, through another loop. No one knows what the geopolitical atmosphere will be like or how cyber crime will have evolved in, say, five years, and organizations do not want to end up in a situation where their data access is cut off as a result of war, ransomware, or other cyber threats. Therefore, effective data replication and encryption practices are more critical than ever."
++
Stephen Cavey, co-founder and chief evangelist, Ground Labs:
"The GDPR is the most significant privacy legislation that organizations globally have faced. The regulations have significantly raised the bar in how organizations are held accountable for their personal data collection and handling practices with fines for violations surpassing double-digits. Likewise, it has forced organizations to better understand how their customers' data is collected, where it is stored, and whether they are selling it to third parties. Furthermore, under the GDPR organizations that collect and handle personal information must prepare for individuals to invoke their right to opt-out of data sharing practices or request their data to be removed (forgotten).
Since its inception in 2018, we have gained valuable insight into how the GDPR is being enforced. One discrepancy, though, is the impact on large and small businesses. Large businesses can handle the challenges of privacy, security and regulation compliance because they have access to the resources and can implement functions to address these regulatory requirements. In a smaller organization, this is not the case. Small businesses have to rely on outsourcing to fix the problem, which can be costly and time-consuming.
Data protection is a journey, not a destination. As these regulations grow in scale and complexity, organizations of all sizes will continue exploring ways to meet these requirements without hindering business success."
++
Robert Former, CISO and VP of Security at Acquia:
"GDPR forced the world to think about privacy in technology and how to build future technology that meets what GDPR requires. Companies have learned that when it comes to regulatory and compliance matters, paying attention after it's too late can quite literally cost them everything. So, GDPR has also forced companies to take security seriously. There is no such thing as too much security and it's important for companies to be sharply aware of their data, i.e., what data you have and need versus what's not necessary, as well as understanding the controls legally required to accompany that data.
As we trend toward a data environment that's increasingly regulated, bringing security into C-suite discussions becomes even more critical. We are out of the honeymoon phase, next is more enforcement."
++
Kostas Pardalis, Group Product Manager at Starburst:
"The way we treated data privacy yesterday is not how we're supposed to treat it today and certainly not how it will be treated in the future. Now that it has been four years since GDPR was introduced, we are reminded of the many ways it has impacted companies and end-users alike. For example, GDPR has made internet users much more aware of data privacy issues, which is a good thing; however, it has also introduced cookie consent forms on websites that ultimately hinder user experiences.
Companies, legislators and societies are constantly learning and adapting to new technologies and challenges that make data sovereignty compliance a complicated task. As organizations look to meet the demand for data sovereignty, we first need to do a lot of work on delivering data infrastructure that is "sovereignty" aware, and to make that possible, multi-cloud deployments and federation need to become the standard.
Data privacy trends are constantly evolving but I don't anticipate them slowing down anytime soon. If anything, I expect an acceleration in enforcing data sovereignty as the prospect of U.S. regulation becomes more likely due to both the geopolitical and social environments."
++
Moritz Plassnig, Chief Growth Officer at Immuta:
"It is clear that, with GDPR, the EU is leading the charge when it comes to data privacy regulations. While GDPR is a regulation in EU law, we've seen its influence spur other countries and regions, such as California with its CCPA legislation, to follow suit. Furthermore, nearly every business is global in today's digital environment. With the click of a button, a business could find themselves with users or customers in other geographies. But as globalization continues to mature, and more states, regions and countries adopt their own data privacy regulations, it will be critical to ensure that innovation is not stifled in the process.
GDPR is powerful from a privacy and national security perspective, but its stringent requirements can hinder competition and innovation, especially for startups and small businesses. Unlike for larger enterprises that have the resources - think lawyers and internal compliance teams - to ensure they are adhering to the guidelines, for these organizations, navigating the regulatory waters and remaining compliant at an early stage is far more difficult and costly. As other governing bodies roll out their own regulations, establishing the right balance of data privacy without sacrificing innovation will be key to establishing effective data privacy laws."
++
Paul Deur, co-founder and co-CEO, ReadyWorks:
"Even though GDPR was originally designed for European citizens, we’ve seen it shape the model of data privacy, cybersecurity and compliance on a global scale. With millions of employees still working from home, it’s more important than ever for IT teams to ensure work devices are kept up to date with the latest patches, as non-compliance could leave the worker and business open to external threats. Even worse, businesses who are still using a product that has reached or will soon reach its service end of life like Windows Server 2012 will find themselves even more vulnerable to data breaches. Leveraging automated patch management tools and migrating to the cloud are just a few ways businesses can comply with GDPR guidelines to keep everyone’s data safe and secure."
++
Dave Horton, VP of Solutions Engineering, Odaseva:
"Four years into GDPR, everything is in-flux with data privacy regulations. Post-Brexit, there was a lot of debate about whether the UK would continue to hold its status with regards to GDPR. For a period, the terms of deal/no deal Brexit meant that there was a risk of the UK being digitally isolated from Europe. Currently, the UK has Adequacy status until June 2025.
In the mix of all of this, we see invalidation issues with the EU/US Privacy Shield, which regulates how EU data crosses borders to the United States. And it’s a further complication that each US state is bringing in its own data privacy laws, with California leading the way.
Pre-GDPR, data hygiene practices were often very poor. Today, companies are a lot more careful about the purpose for which they store data. Building customer trust is a differentiator. But wherever your company is located, if you do business in the EU or UK, UK GDPR / EU GDPR compliance is important. Mapping out the data processes and understanding what data they store on their consumers and data subjects are key. Many companies need to review existing contracts, in particular ones that pre-date GDPR and Brexit, and ensure they include clauses for data privacy complaints."
++
Jean-Claude Kuo, Principal Product Manager, Cloud Security, Talend:
"On the fourth anniversary of GDPR, we are still seeing businesses struggle with challenges related to its implementation because their leaders view compliance as a box to tick off, rather than as a central value beneficial to their bottom line. This creates a scenario where data privacy is not receiving the right level of focus, despite regulations and fines.
The skills gap and uncertainty around how to handle data sovereignty and cross-border data transfers make implementation of GDPR seem messy. As a result, the first line of defense on privacy is engineers in DataOps, ITOps and DevSecOps. They maintain privacy through design that takes charge of and maximizes data use. However, business leaders need to be a part of securing data privacy.
Data engineers must be supported through leadership that’s willing to allocate resources to make privacy by design implementations possible. Ultimately, businesses that prioritize privacy will see benefits to their bottom line and foster a culture of trust."
++
Andrew Clearwater, Chief Trust Officer at OneTrust:
"As we usher in the fourth year of the GDPR, we recognize the massive digital and cultural shifts that have changed the way people choose who to buy from, work for, and invest in. Societal distrust and data proliferation from the work-from-home IT model have left companies looking for a new competitive edge, and trust is emerging as the new gold standard for business success.
While GDPR launched a new era of consumer privacy and shaped the way businesses are expected to operate today, companies now need trust intelligence and coordinated visibility across all trust domains, automation, and regulatory intelligence to enable trust initiatives by design. IDC predicted that by 2025, two-thirds of the G2000 boards will ask for a 'formal trust initiative that executes a roadmap to increase an enterprise’s security, privacy protections and ethical execution.'
And where privacy programs used to exist in isolation, businesses of the future know that delivering value is dependent on breaking down silos across privacy, security, ethics and compliance, and ESG and sustainability."
++
Oliver Cronk, Chief Architect, EMEA, Tanium:
"Over £961 million [just over $1 billion] worth of GDPR fines were issued between January 2021 and January 2022 – a sevenfold increase on the previous year. If there is anything to take from this GDPR anniversary, it’s that organizations need to get their house in order straight away – as I expect another significant rise in fines over the course of this year.
A cause of this will be the wholesale changes that were made to IT infrastructure overnight to keep businesses running during the pandemic, the negative impacts of this are still being felt by many organizations. The requirement for rapid change meant that security and compliance sometimes took a back seat – but this isn't a sustainable long-term approach. It's tough for IT teams to simultaneously juggle business priorities, but now that the pandemic has eased it’s crucial for GDPR compliance to be treated as a key focus area.
To support this, IT teams must fix the visibility issues that most of them have. Our research found that ninety-four percent of today’s enterprises find 20% or more of their endpoints are unprotected, making it impossible to be sure that data is being handled in a GDPR-compliant manner. Risk analysis is another important area of GDPR compliance because it enables IT risk to be assessed so that issues can be fixed before an incident occurs. This can be the difference between being on the back or front foot, helping to avoid data breaches and the associated fines. Staff training is also crucial – and organizations need to ensure their Data Protection Officers support the whole company with information on how to remain compliant, especially given the new hybrid working landscape.
If these steps are followed, organizations will stand a good chance of not becoming the next big negative GDPR headline – which I expect to see several more of this year. The reputational damage caused by these events can often have a larger impact than the fine itself, so the value of GDPR compliance cannot be underestimated."
++
Chad McDonald, Chief of Staff and CISO, Radiant Logic:
"Due to the rise in digital transformation efforts, we are seeing an explosion in the number of digital identities businesses store, which makes controlling and managing identity data much more difficult. Unfortunately, when organizations struggle to manage identity data, they are at risk for breaking GDPR rules by failing to keep identity data accurate and minimized, not to mention are more vulnerable to cyber criminals.
Organizations have been scattering their identity data across multiple sources and this identity sprawl results in overlapping, conflicting or inaccessible sources of data. When identity data isn’t properly managed, it becomes impossible for IT teams to build accurate and complete user profiles.
It can also result in siloed systems which increases the likelihood of a failure in identity management and expands the attack surface of an organization. For example, Bocconi University was fined $214,000 after the Italian Data Protection Authority discovered that the same student information had been placed into multiple, fragmented documents - violating the GDPR principles of fairness, transparency and lawfulness when it comes to data processing. Poor identity management practices provide gaps for threat actors to exploit.
In addition to minimal visibility across data sources, businesses also lack control. Without accurate user profiles, security teams and systems are unable to figure out what users should be accessing in order to fulfill their job. The most notorious GDPR fine was incurred by British Airways, which was over $50 million for failing to limit access to applications, data and tools. With some of the largest enterprises being found guilty of breaking GDPR rules, it is time organizations look to sanitize and streamline processes when it comes to Identity Access Management.
Using an Identity Data Fabric, organizations can unify identity data into one easy-to-use global profile which can deliver identity data, on-prem or in the cloud, in real time from wherever and whenever needed. With accurate identity data, security teams have complete control over who has access to what, and they can feel more confident that they’re meeting all the GDPR regulations."
++
Anna Larkina, Kaspersky security researcher, Kaspersky:
"Last year, I highlighted how much the process of interacting with user data around the world has been affected by GDPR. Not only has it changed the attitude towards personal data within the EU, but across the world, causing many companies to reconsider their entire approach to collecting and analyzing user data.
This year I would like to talk about GDPR Article 17 – the right to erasure (or ‘right to be forgotten’).
We all leave a huge digital footprint behind us, especially millennials. We find ourselves in the internet space from an early age, and before long we’ve signed up for a huge number of different services, willing to give everything a try! Many of these services we cancel or stop using; however, our data is still stored and processed for a number of years. This is where the helpful ‘right to be forgotten’ can come to our aid. Thanks to Article 17 of the GDPR, we are presented with an opportunity to reduce our digital footprint.
It’s also worth noting that no company is immune from data leaks. Even in the most secure corporate environments, there is always a human factor. The more services that store and process our data, the higher the risk that it will sooner or later be leaked. The right to erasure can help us limit this risk, as we can ask for our data to be deleted, minimizing the amount of potential information that could get into the wrong hands.
Of course, there are nuances regarding data that may be considered socially and historically significant, data that plays an important role in scientific research, or is related to freedom of speech. But these instances are taken into account in Article 17.
I want to sincerely congratulate the GDPR on its 4th anniversary! It is very important to not only show the user who is collecting their data – along with how and why it will be used – but also to provide a tool and opportunity to interact with this data, by editing and deleting it. GDPR promotes the integration of these tools into services and we commend it for that!"