Thursday, May 25th marks the five-year anniversary of the EU-wide General Data
Protection Regulation (GDPR) enforcement. Since its implementation on May 25, 2018, the GDPR has significantly
changed the way organizations handle and protect personal data,
reshaping the global privacy landscape. In this collection of
viewpoints, leading experts in the field
share their perspectives on the successes, challenges, and future
implications of the GDPR.
Join VMblog as we reflect on the impact of this
groundbreaking regulation and explore its ongoing relevance in an
ever-evolving digital world.
##
John Gallagher, VP of Viakoo Labs at IoT security company Viakoo
"With the 5th anniversary of GDPR upon us it's a
good time to reflect on what lessons have been learned by both operators of
systems that contain personally identifiable information and the technology
solutions that support that. This is especially true given that the first
GDPR fines imposed on an organization were from their inability to manage
IoT/OT devices that held personal information. For IoT/OT systems,
especially video surveillance and access control, there are significant
requirements that GDPR places on operators of such systems. In particular,
because of facial recognition and automated license plate recognition,
operators of physical security systems can only handle personally identifiable
data with that person's consent and must stop using any and all such data at
their request. In addition, unauthorized access to personal information (such
as through a cyber-breach) must be reported to the people affected.
This means automation - no way of getting around that - both
for managing personal information within systems and for preventing cyber
breaches that could lead to data exfiltration or data tampering. Clearly
more solutions are still needed to help organizations create and maintain a
policy of "data privacy by design". Ensuring that automation is used for
"good" is a challenge still being worked on, as seen with the use of video
analytics for both improved security and for oppression of specific groups of people.
The next five years will likely extend the concepts of GDPR into law across
most parts of the world, and will certainly drive development of solutions with
more automation and speed to manage responsibilities that correspond to GDPR,
especially with AI in general and generative AI in particular, and more
assurance that these solutions cannot be used by threat actors or to invade
personal privacy."
++
Ashish Patel, GM EMEA of mobile security company Zimperium
"On its 4th anniversary, the General Data Protection
Regulation (GDPR) continues to play a significant role in enhancing mobile
security. GDPR, which came into effect on May 25, 2018, has introduced
essential protections and regulations for the handling of personal data in the
European Union (EU).
One of the key contributions of GDPR to mobile security is
the increased emphasis on user consent and transparency. Mobile applications
now need to obtain explicit consent from users before collecting and processing
their personal data. This has led to improved transparency regarding data
collection practices and has empowered individuals to make informed decisions
about sharing their information.
GDPR has also encouraged organizations to implement stronger
security measures to protect personal data on mobile devices. It has prompted
the development of privacy-enhancing features and secure data storage practices
within mobile applications. Organizations are now required to implement privacy
by design and default, ensuring that privacy and security are integral
components of mobile app development.
Furthermore, GDPR has facilitated the establishment of
stricter data breach notification requirements. In the event of a data breach,
organizations are obligated to notify both the supervisory authority and
affected individuals within a specific timeframe. This prompt notification
enables individuals to take necessary precautions to protect themselves, such
as changing passwords or monitoring their accounts for suspicious activities.
Overall, GDPR's value on its 4th anniversary in the context
of mobile security lies in its promotion of user consent, transparency,
improved security measures, and timely data breach notifications. These
provisions have undoubtedly strengthened mobile security and heightened user
awareness regarding the protection of their personal data."
++
Chris Vaughan, VP Technical Account Management, EMEA, Tanium
"With more and more organizations holding sensitive
information in cloud services, legislation like GDPR is critical to protecting
this data from unwanted exposure and breaches. However, it's a challenge for
businesses grappling with a multitude of endpoints to meet the strict
regulatory requirements within the law. In the rush to comply with privacy
regulations, organizations tend to overspend on point solutions. What these
organizations don't realize is that the plethora of disparate point tools is
actually putting their business at risk.
Another major roadblock to successful data compliance in
today's organizations is a lack of endpoint visibility, which is leaving data
exposed and enterprises highly susceptible to breaches. Building a robust
compliance strategy in line with GDPR regulations requires a crystal-clear
picture of all assets within your environment, including deep visibility into
endpoint file operations and endpoint network operations.
Ultimately, effective compliance and data privacy requires
effective cyber risk management - identifying assets, risks and vulnerabilities
across their environment and fixing them both with speed and at scale. On the
other hand, poor cyber hygiene can cause misplaced or lost data and a lack of
compliance within regulatory frameworks.
Without having a way to identify, manage and prioritize
misconfigurations and vulnerabilities, adhering to legislation like GDPR can be
a daunting and messy task, if not altogether impossible. And as digital
cyber-citizens, every user now has the legal right to request personal information
to be either returned or deleted, putting them back in control of their data."
++
George Gerchow, IANS Faculty and CSO and SVP of IT at Sumo Logic
"The General Data Protection Regulation
(GDPR) is an evolving regulation, and there are several developments expected
in the coming years.
Emerging Technologies - As new technologies such as
artificial intelligence and the Internet of Things become more prevalent, there
will be a need to assess their impact on data protection and privacy. The
European Data Protection Board (EDPB) is expected to provide guidance on the
application of GDPR to these technologies.
ePrivacy Regulation - The European Union is also working
on a new ePrivacy Regulation, which will complement GDPR by providing specific
rules on the use of electronic communications data. The regulation is expected
to be finalized and adopted in the near future.
Overall, GDPR is likely to continue to
evolve and adapt to new challenges in the coming years, with a focus on
protecting individuals' privacy and personal data in an increasingly
data-driven world."
++
Larry Whiteside Jr., CISO of RegScale
"Reflecting on another year of GDPR
reminds me that the mere existence of this regulation has been a global game
changer. From the California Consumer Privacy Act of 2018 (CCPA) to the Personal
Information Protection and Electronic Documents Act (PIPEDA), GDPR has been
driving the notion of data privacy across the globe. To me, it's a good example
of what potential global policy could look like. Looking back at 2021, though
the fines were not the highest we've seen, there were still some very hefty
fines levied in 2022 with Meta and Clearview being the two organizations hit
the hardest.
There are also two additional things
being worked on in the background to enable GDPR to keep up with the new threats
to data privacy and reduce some of the complexity that exists in its
current state.
There is currently a Data Protection
and Digital Information Bill, which had its first reading in May 2022, that
seems to be stuck. This new bill seeks to simplify GDPR and make it more agile
to adapt to the needs of organizations trying to create data privacy policies
and architectures that enable them to meet the specific controls of GDPR.
Additionally, in an effort to combat the risks being introduced due to the AI
phenomenon, there is work that is being looked at to identify the intersection
between the Artificial Intelligence Act (AI Act) and GDPR. The outcome could be
very interesting in how organizations meet GDPR as it relates to privacy data
and artificial intelligence.
As we look forward, we should pay close
attention to the EU-US Data Privacy Framework and the impact it will have on
transmitting data into and out of the EU. This will make transferring data
between countries a lot easier and potentially more clear as it relates to GDPR
and the related controls."
++
Jeff Reich, Executive Director at the Identity Defined Security Alliance (IDSA)
"The rock in the pond that is the GDPR
continues to cause ripples that affect everything in the vicinity. Seven years
after the GDPR was adopted, five years after enforcement began, it is difficult
to not see the results of the regulation, to date.
Starting in the EU by law, behavior is
spreading to other countries and jurisdictions. In the United States, any state
or territory creating privacy regulations models them after the GDPR. Merchants
and vendors know what they need to do, even when they do not know how to do it
yet. The best behavior change is with consumers.
Although we have yet to complete the
journey, more and more consumers are seeing the value of their identity and the
security that protects the privacy of their identity. That may be the biggest
long-term benefit.
I look forward to the next five years
to see what changes continue to ripple across the pond."
++
Paul Trulove, CEO of SecureAuth
"Consumer privacy has been a huge concern
since the dawn of the internet. Aside from the obvious security concerns,
people started to realize that their personal information was a commodity that
was being monetized and exploited by large corporations (sometimes of dubious
integrity). GDPR was the first truly wide-reaching attempt to codify and
enforce consumers' (and employees') rights to privacy.
When it launched, most companies were
scratching their heads about how to comply - or even if they needed to comply.
GDPR was seen as a significant barrier to doing business in the European Union,
the United Kingdom, and other geographies that had adopted GDPR-style
legislation.
However, over the last few years, GDPR
has become a standard - and has changed the way companies talk about privacy,
impacting everything from policy and legal considerations to product design to
operational processes. Thanks to GDPR, consumer and employee privacy
protections have been normalized throughout the global corporate world.
Two-factor authentication is not
required but preferred for accessing systems that process personal data, per
the guideline issued by ENISA - the European Union Agency for Network and
Information Security - which advises member states and private sector organizations
in implementing EU legislation. However, given the current state of multi-factor
authentication, which can be easily breached, we highly recommend that
organizations leapfrog and move toward tighter authentication with
invisible MFA and eliminate passwords."
++
Alastair Parr, SVP of Global Products & Delivery, Prevalent Inc.
"As it celebrates its fifth year
driving positive change, GDPR continues to impact the practice of third-party
management with its treatment of privacy as a core requirement. To this end,
privacy teams are operating in lockstep with procurement and information
security teams, ensuring that GDPR obligations are specified and tracked
throughout the third-party lifecycle. Accordingly, we expect businesses to
become better at tracking non-conformities within their extended enterprises.
As well, we see that organizations are
beginning to see data privacy obligations as a global expectation, not just a
requirement of their EU operations. For example, CCPA, the DPA 2018, and PIPEDA
all bear a strong similarity to GDPR, reinforcing the perception that it set
the precedent for what good data protection practice looks like for consumers
and businesses alike."
++
Rick Hanson, President at Delinea
“I’ve been in the cyber community since the mid-90s, and one consistency over the years is that personal data has always been paramount. However, even though the industry often understood what needed to be done to protect personal data, it was frequently deemed to be too costly or complex to implement.
Five years ago, I applauded the EU for taking a stand and providing guidelines and a framework to ensure that personal data and privacy were protected with GDPR. Yet even as this legislation passed and privacy advocates celebrated, many businesses were very concerned due to perceived burdensome and costly efforts that would be required of them to be compliant. Looking back on this anniversary, I am very encouraged that the technology community has innovated and evolved to solve many of these issues and challenges quickly. My belief is that it sets a solid foundation that the rest of the world can follow as we continuously work to protect our personal data and privacy.
We have come a long way since the early days of cyber and GDPR makes a significant impact, yet it does not solve the cybersecurity threat. It offers a framework that helps classify and protect yet these policies are public, giving any attacker a roadmap on how to circumvent the policy. As good as GDPR policy is, it does not mean our personal data is completely secure. We must continue to educate and innovate to solve these ongoing data privacy and security challenges."
++
Ojas Rege, General Manager, Privacy & Data Governance Cloud, OneTrust
"The GDPR was a crucial milestone in increasing consumer awareness of privacy and a catalyst for organizations to transform their approach to data. Directly, the GDPR provided a framework for companies to protect personal data and institute controls they may not have prioritized before. Incidentally, consumers became much more aware and interested in privacy and transparency. Today, people are more knowledgeable and confident and hold more power to understand how their personal data is used. They also expect companies to be held accountable for using data irresponsibly, such as personal and sensitive data not being stored correctly or companies failing to collect consent when obtaining data from individuals.
While accountability drives behavior, regulatory enforcement can only go so far in driving accountability. Since the GDPR went into effect five years ago, responsible use of data has become a driver of customer acquisition and retention, shifting privacy from a compliance requirement to a strategic imperative."
++
Alex Laurie, SVP of Global Sales Engineering, ForgeRock
“Five years since its implementation, GDPR has instilled a sense of trust within the cautious public and changed the way they feel about data generally. The next evolution of this will be to continue building on this positive momentum to give control back to the consumer. Yet, consumers may find it frightening when they realize how much of their personal information is in the public domain, and with the advancement in generative AI, the risk of identity theft and fraud will continue to be security challenges for the foreseeable future.
The future of data privacy will be intrinsically linked to digital wallets and how the nation chooses to embrace digital identities. How we progress will play out with digital wallets because credentials will be linked to documents, such as your passport or driving license, to verify details such as your age. Critically, this information will be managed by the consumer who gets to decide which information is shared with what providers, instead of mass-sharing all of their personal data. This produces a layer of security, as well as convenience.
Ultimately, for digital trust to continue in this positive trajectory, the EU and European organizations need to continue educating citizens and employees how, why and what certain technologies generating data are used for; much like companies asking for permission to store and use personal information following the introduction of GDPR."
++
Ted Miracco, CEO, Approov Mobile Security
"While no law is perfect, the GDPR regulation was one of the most ground-breaking, necessary, and extremely well crafted pieces of cross-border legislation in recent history. Protection of Personal Data is critical to a well-functioning and open society, and while GDPR didn't stop the abuse of big technology companies, it made the consequences of their actions substantive, and many, including Google and most recently Meta, have been fined billions of dollars for their abusive handling of Personal Data. Even the definition of "Personal Data" per GDPR was forward looking in that it cast a wide net, anticipating that tech companies would try to bypass the definition to continue to harvest, export and profit by exploiting the data made available to them. The law was both clear and manageable and therefore it has become a framework for many data privacy laws around the world. If you ask if the law has been effective, I will give a resounding "yes", and back it up by the data in a recent Cyber Threats Report on the security of mobile applications, where European-based fintech companies outperformed their US counterparts by a significant margin."
++
Flavio Negrini, security and privacy expert at Kaspersky
"It has been 5 years since the launch of GDPR and this revolutionary data protection regulation has had a profound impact on governments, companies, organizations, and individuals alike. At Kaspersky, we are aware of the importance of data protection laws and join in celebrating this important fifth anniversary. While much progress has been made on data protection processes, we believe that there is still work to be done. I want to highlight two aspects:
Despite the common perception that entities established in the EU, or offering services to EU individuals, are fully compliant with the GDPR, the reality shows that there is still room for improvement. As you know, each national data protection authority has a commitment to impose fines on those who violate the GDPR regulation. Information published by the CMS.Law GDPR Enforcement Tracker, which analyzes publicly reported fines, reveals a consistent increase in the total number of sanctions imposed each year. Since its introduction in 2018, the GDPR has resulted in fines totaling around EUR 2.77 billion. The number of fines has reached 1576 since the beginning of GDPR enforcement until 1st March 2023.
The most common reasons for imposing fines in 2022 are, in order, Insufficient legal basis for data processing (29.2%), Non-compliance with general data processing principles (27.2%) and Insufficient technical and organizational measures to ensure information security (15.9%). We at Kaspersky are very concerned about the latter percentage and would like to emphasize that organizations and companies must remember that GDPR is a standard that can't replace a robust multi-layer security strategy. Finally, from a strictly data breach perspective, this is partly good news. Just 5 fines have been imposed for insufficient fulfilment of data breach notification obligations. That means in the event of an incident, transparency in informing users is relatively good. Mind you, on the other side it does not mean that data breaches are few, as we revealed here.
I wish a happy fifth GDPR anniversary and I sincerely hope that the EU and the rest of the world will continue to demonstrate unwavering determination in safeguarding and advancing user’s digital rights."
++
Andy Teichholz - Global Strategist, Compliance & Legal, OpenText
"After half a decade of GDPR, businesses are facing a different world when it comes to managing personal data. One of the biggest topics in many industries right now is the growing demand for transparency and accountability from a more knowledgeable consumer base.
While fines can be staggering (we are approaching a little more than 1,600 individual fines totaling almost three billion euros for GDPR violations), reputational management and competitive differentiation are still driving boardroom conversations and informing the investments they make in terms of data management technology.
Technology is advancing and there are powerful options to improve data compliance and transparency. Tools like AI and machine learning can help companies assess, categorize, manage and protect all data appropriately throughout its lifecycle. Also, while subject rights requests, especially Data Subject Access Requests (DSARs), are becoming more commonplace, many organizational fulfillment activities today still rely on manual processes that overwhelm their already constrained resources. To meet mandated deadlines, teams are leveraging information retrieval technologies including eDiscovery tools (with their advanced analytics, review, redaction, and production capabilities) to automate and accelerate the fulfillment process – especially for high effort requests.
With technology innovation, a much stronger data privacy strategy can help operationalize key privacy processes, guard against GDPR breach and build more trusting customer relationships. At a time when customer trust in businesses is fragile, we should use the anniversary of GDPR to reflect on how we can build better, more integrated data management strategies for the next half decade and beyond."
##