Virtualization Technology News and Information
GDPR 5th Anniversary - What the Experts Have to Say

GDPR Anniversary 

Thursday, May 25th marks the five year anniversary of the EU-wide General Data Protection Regulation (GDPR) enforcement.  Since its implementation on May 25, 2018, the GDPR has significantly impacted the way organizations handle and protect personal data, reshaping the global privacy landscape.  In this insightful collection of viewpoints, we have gathered leading experts in the field who will share their perspectives on the successes, challenges, and future implications of the GDPR. 

Join VMblog as we reflect on the impact of this groundbreaking regulation and explore its ongoing relevance in an ever-evolving digital world. 


John Gallagher, VP of Viakoo Labs at IoT security company Viakoo

"With the 5th anniversary of GDPR upon us it's a good time to reflect on what lessons have been learned by both operators of systems that contain personally identifiable information and the technology solutions that support that.  This is especially true given that the first GDPR fines imposed on an organization were from their inability to manage IoT/OT devices that held personal information.  For IoT/OT systems, especially video surveillance and access control, there are significant requirements that GDPR places on operators of such systems. In particular, because of facial recognition and automated license plate recognition, operators of physical security systems can only handle personally identifiable data with that person's consent and must stop using any and all such data at their request. In addition, unauthorized access to personal information (such as through a cyber-breach) must be reported to the people effected.

This means automation - no way of getting around that - both for managing personal information within systems and for preventing cyber breaches that could lead to data exfiltration or data tampering.  Clearly more solutions are still needed to help organizations create and maintain a policy of "data privacy by design".  Ensuring that automation is used for "good" is a challenge still being worked on, as seen with the use of video analytics for both improved security and for oppression of specific groups of people.  The next five years will likely extend the concepts of GDPR into law across most parts of the world, and will certainly drive development of solutions with more automation and speed to manage responsibilities that correspond to GDPR, especially with AI in general and generative AI in particular, and more assurance that these solutions cannot be used by threat actors or to invade personal privacy."


Ashish Patel, GM EMEA of mobile security company Zimperium

"On its 4th anniversary, the General Data Protection Regulation (GDPR) continues to play a significant role in enhancing mobile security. GDPR, which came into effect on May 25, 2018, has introduced essential protections and regulations for the handling of personal data in the European Union (EU).

One of the key contributions of GDPR to mobile security is the increased emphasis on user consent and transparency. Mobile applications now need to obtain explicit consent from users before collecting and processing their personal data. This has led to improved transparency regarding data collection practices and has empowered individuals to make informed decisions about sharing their information.

GDPR has also encouraged organizations to implement stronger security measures to protect personal data on mobile devices. It has prompted the development of privacy-enhancing features and secure data storage practices within mobile applications. Organizations are now required to implement privacy by design and default, ensuring that privacy and security are integral components of mobile app development.

Furthermore, GDPR has facilitated the establishment of stricter data breach notification requirements. In the event of a data breach, organizations are obligated to notify both the supervisory authority and affected individuals within a specific timeframe. This prompt notification enables individuals to take necessary precautions to protect themselves, such as changing passwords or monitoring their accounts for suspicious activities.

Overall, GDPR's value on its 4th anniversary in the context of mobile security lies in its promotion of user consent, transparency, improved security measures, and timely data breach notifications. These provisions have undoubtedly strengthened mobile security and heightened user awareness regarding the protection of their personal data."


Chris Vaughan, VP Technical Account Management, EMEA, Tanium

"With more and more organizations holding sensitive information in cloud services, legislation like GDPR is critical to protecting this data from unwanted exposure and breaches. However, it's a challenge for businesses grappling with a multitude of endpoints to meet the strict regulatory requirements within the law. In the rush to comply with privacy regulations, organizations tend to overspend on point solutions. What these organizations don't realize is that the plethora of disparate point tools is actually putting their business at risk.

Another major roadblock to successful data compliance in today's organizations is a lack of endpoint visibility, which is leaving data exposed and enterprises highly susceptible to breaches. Building a robust compliance strategy in line with GDPR regulations requires a crystal-clear picture of all assets within your environment, including deep visibility into endpoint file operations and endpoint network operations.

Ultimately, effective compliance and data privacy requires effective cyber risk management - identifying assets, risks and vulnerabilities across their environment and fixing them both with speed and at scale. On the other hand, poor cyber hygiene can cause misplaces or lost data and a lack of compliance within regulatory frameworks.

Without having a way to identify, manage and prioritize misconfigurations and vulnerabilities, adhering to legislation like GDPR can be a daunting and messy task, if not altogether impossible. And as digital cyber-citizens, every user now has the legal right to request personal information to be either returned or deleted, putting them back in control of their data."


George Gerchow, IANS Faculty and CSO and SVP of IT at Sumo Logic

"The General Data Protection Regulation (GDPR) is an evolving regulation, and there are several developments expected in the coming years.

Emerging Technologies - As new technologies such as artificial intelligence and the Internet of Things become more prevalent, there will be a need to assess their impact on data protection and privacy. The European Data Protection Board (EDPB) is expected to provide guidance on the application of GDPR to these technologies.

ePrivacy Regulation - The European Union is also working on a new ePrivacy Regulation, which will complement GDPR by providing specific rules on the use of electronic communications data. The regulation is expected to be finalized and adopted in the near future.

Overall, GDPR is likely to continue to evolve and adapt to new challenges in the coming years, with a focus on protecting individuals' privacy and personal data in an increasingly data-driven world."


Larry Whiteside Jr., CISO of RegScale

"Reflecting on another year of GDPR reminds me that the mere existence of this regulation has been a global game changer. From California Consumer Privacy Act of 2018 (CCPA) to the Personal Information Protection and Electronic Documents Act (PIPEDA), GDPR has been driving the notion of data privacy across the globe. To me, it's a good example of what potential global policy could look like. Looking back at 2021, though the fines were not the highest we've seen, there were still some very hefty fines levied in 2022 with Meta and Clearview being the two organizations hit the hardest.

There are also two additional things being worked in the background to enable GDPR to keep up with the new threats to data privacy and reduce some of the current complexity that exist in its current state.

There is currently a Data Protection and Digital Information Bill, which had its first reading in May 2022, that seems to be stuck. This new bill seeks to simplify GDPR and make it more agile to adapt to the needs of organizations trying to create data privacy policies and architectures that enable them to meet the specific controls of GDPR.

Additionally, in an effort to combat the risks being introduced due to the AI phenomenon, there is work that is being looked at to identify the intersection between the Artificial Intelligence Act (AI Act) and GDPR. The outcome could be very interesting in how organizations meet GDPR as it relates to privacy data and artificial intelligence.

As we look forward, we should pay close attention to the EU-US Data Privacy Framework and the impact it will have on transmitting data into and out of the EU. This will make transferring data between countries a lot easier and potentially more clear as it relates to GDPR and the related controls."


Jeff Reich, Executive Director at the Identity Defined Security Alliance (IDSA)

"The rock in the pond that is the GDPR continues to cause ripples that affect everything in the vicinity. Seven years after the GDPR was adopted, five years after enforcement began, it is difficult to not see the results of the regulation, to date.

Starting in the EU by law, behavior is spreading to other countries and jurisdictions. In the United States, any state or territory creating privacy regulations models them after the GDPR. Merchants and vendors know what they need to do, even when they do not know how to do it yet. The best behavior change is with consumers.

Although we have yet to complete the journey, more and more consumers are seeing the value of their identity and the security that protects the privacy of their identity. That may be the biggest long-term benefit.

I look forward to the next five years to see what changes continue to ripple across the pond."


Paul Trulove, CEO of SecureAuth

"Consumer privacy has been a huge concern since the dawn of the internet. Aside from the obvious security concerns, people started to realize that their personal information was a commodity that was being monetized and exploited by large corporations (sometimes of dubious integrity). GDPR was the first truly wide-reaching attempt to codify and enforce consumers' (and employees') rights to privacy.

When it launched, most companies were scratching their heads about how to comply - or even if they needed to comply. GDPR was seen as a significant barrier to doing business in the European Union, the United Kingdom, and other geographies that had adopted GDPR-style legislation.

However, over the last few years, GDPR has become a standard - and has changed the way companies talk about privacy. Impacting everything from policy and legal considerations to product design to operational processes. Thanks to GDPR, consumer and employee privacy protections have been normalized throughout the global corporate world.

Two factor authentication is not required but preferred for accessing systems that process personal data, per the guideline issued by ENISA - the European Union Agency for Network and Information Security - which advises member states and private sector organizations in implementing EU legislation. However, given the current state of multi factor authentication which can be easily breached, we highly recommend that the organization should leapfrog and move toward a tighter authentication with invisible MFA and eliminate passwords."


Alastair Parr, SVP of Global Products & Delivery, Prevalent Inc.

"As it celebrates its fifth year driving positive change, GDPR continues to impact the practice of third-party management with its treatment of privacy as a core requirement. To this end, privacy teams are operating in lockstep with procurement and information security teams, ensuring that GDPR obligations are specified and tracked throughout the third-party lifecycle. Accordingly, we expect businesses to become better at tracking non-conformities within their extended enterprises.

As well, we see that organizations are beginning to see data privacy obligations as a global expectation, not just a requirement of their EU operations. For example, CCPA, the DPA 2018, and PIPEDA all bear a strong similarity to GDPR, reinforcing the perception that it set the precedent for what good data protection practice looks like for consumers and businesses alike." 


Rick Hanson, President at Delinea

“I’ve been in the cyber community since the mid-90s, and one consistency over the years is that personal data has always been paramount. However, even though the industry often understood what needed to be done to protect personal data, it was frequently deemed to be too costly or complex to implement.

Five years ago, I applauded the EU for taking a stand and providing guidelines and a framework to ensure that personal data and privacy were protected with GDPR. Yet even as this legislation passed and privacy advocates celebrated, many businesses were very concerned due to perceived burdensome and costly efforts that would be required of them to be compliant. Looking back on this anniversary, I am very encouraged that the technology community has innovated and evolved to solve many of these issues and challenges quickly. My belief is that it sets a solid foundation that the rest of the world can follow as we continuously work to protect our personal data and privacy.

We have come a long way since the early days of cyber and GDPR makes a significant impact, yet it does not solve the cybersecurity threat. It offers a framework that helps classify and protect yet these policies are public, giving any attacker a roadmap on how to circumvent the policy. As good as GDPR policy is, it does not mean our personal data is completely secure. We must continue to educate and innovate to solve these ongoing data privacy and security challenges."


Ojas Rege, General Manager, Privacy & Data Governance Cloud, OneTrust

"The GDPR was a crucial milestone in increasing consumer awareness of privacy and a catalyst for organizations to transform their approach to data. Directly, the GDPR provided a framework for companies to protect personal data and institute controls they may not have prioritized before. Incidentally, consumers became much more aware and interested in privacy and transparency. Today, people are more knowledgeable and confident and hold more power to understand how their personal data is used. They also expect companies to be held accountable for using data irresponsibly, such as personal and sensitive data not being stored correctly or companies failing to collect consent when obtaining data from individuals.

While accountability drives behavior, regulatory enforcement can only go so far in driving accountability. Since the GDPR went into effect five years ago, responsible use of data has become a driver of customer acquisition and retention, shifting privacy from a compliance requirement to a strategic imperative."


Alex Laurie, SVP of Global Sales Engineering, ForgeRock

“Five years since its implementation, GDPR has instilled a sense of trust within the cautious public and changed the way they feel about data generally. The next evolution of this will be to continue building on this positive momentum to give control back to the consumer. Yet, consumers may find it frightening when they realize how much of their personal information is in the public domain, and with the advancement in generative AI, the risk of identity theft and fraud will continue to be security challenges for the foreseeable future.

The future of data privacy will be intrinsically linked to digital wallets and how the nation chooses to embrace digital identities. How we progress will play out with digital wallets because credentials will be linked to documents, such as your passport or driving license, to verify details such as your age. Critically, this information will be managed by the consumer who gets to decide which information is shared with what providers, instead of mass-sharing all of their personal data. This produces a layer of security, as well as convenience.

Ultimately, for digital trust to continue in this positive trajectory, the EU and European organizations need to continue educating citizens and employees how, why and what certain technologies generating data are used for; much like companies asking for permission to store and use personal information following the introduction of GDPR."


Ted Miracco, CEO, Approov Mobile Security
"While no law is perfect, the GDPR regulation was one of the most ground-breaking, necessary, and extremely well crafted pieces of cross-border legislation in recent history. Protection of Personal Data is critical to a well-functioning and open society, and while GDPR didn't stop the abuse of big technology companies, it made the consequences of their actions substantive and many, including Google and most recently Meta have been fined billions of dollars for their abusive handling of Personal Data. Even the definition of "Personal Data" per GDPR, was forward looking in that it cast a wide net, anticipating that tech companies would try bypass the definition to continue to harvest, export and profit by exploiting the data made available to them. The law was both clear and manageable and therefore it has become a framework for many data privacy laws around the world. If you ask if the law has been effective, I will give a resounding "yes", and back it up by the data in a recent Cyber Threats Report on the security of mobile applications, where European based fintech companies outperformed their US counterparts by a significant margin."


Flavio Negrini, security and privacy expert at Kaspersky

"It has been 5 years since the launch of GDPR and this revolutionary data protection regulation has had a profound impact on governments, companies, organizations, and individuals alike. At Kaspersky, we are aware of the importance of data protection laws and join in celebrating this important fifth anniversary. While much progress has been done to data protection processes, we believe that there is still work to be done. I want to highlight two aspects:

Despite the common perception that entities established in the EU, or offering services to EU individuals are fully compliant with the GDPR, the reality shows that there is still room for improvement. As you know, each national data protection authority has a commitment to raise fines to those who violate the GDPR regulation. Based on information published by the CMS.Law GDPR Enforcement Tracker, which analyzes publicly reported, reveals a consistent increase in the total number of sanctions imposed each year. Since its introduction in 2018, the GDPR has resulted in fines totaling around EUR 2.77 billion. The number of fines has reached 1576 since the beginning of GDPR enforcement until 1st March 2023.

The most common reasons for raising fines in 2022 are, in order, Insufficient legal basis for data processing (29.2%), Non-compliance with general data processing principles (27.2%) and Insufficient technical and organizational measures to ensure information security (15.9%). We at Kaspersky are very concerned about the latter percentage and would like to emphasize that organizations and companies must remember that GDPR is a standard that can't replace a robust multi-layer security strategy. Finally, from a strictly data breach perspective, this is partly good news. There have been raised just 5 fines for insufficient fulfilment of data breach notification obligations. That means in the event of an incident, transparency in informing users is relatively good. Mind you, on the other side it does not mean that data breaches are few, as we revealed here.

I wish a happy fifth GDPR anniversary and I sincerely hope that the EU and the rest of the world will continue to demonstrate unwavering determination in safeguarding and advancing user’s digital rights."


Andy Teichholz - Global Strategist, Compliance & Legal, OpenText

"After half a decade of GDPR, businesses are facing a different world when it comes to managing personal data. One of the biggest topics in many industries right now is the growing demand for transparency and accountability from a more knowledgeable consumer base.

While fines can be staggering (we are approaching a little more than 1,600 individual fines totaling almost three billion euros for GDPR violations), reputational management and competitive differentiation are still driving boardroom conversations and informing the investments they make in terms of data management technology.

Technology is advancing and there are powerful options to improve data compliance and transparency. Tools like AI and machine learning can help companies assess, categorize, manage and protect all data appropriately throughout its lifecycle.  Also, while subject rights requests, especially Data Subject Access Request (DSARs), are becoming more commonplace, many organizational fulfillment activities today still rely on manual processes that overwhelm their already constrained resources. To meet mandated deadlines, teams are leveraging information retrieval technologies including eDiscovery tools (with their advanced analytics, review, redaction, and production capabilities) to automate and accelerate the fulfillment process – especially for high effort requests.

With technology innovation, a much stronger data privacy strategy can help operationalize key privacy processes, guard against GDPR breach and build more trusting customer relationships. At a time when customer trust in businesses is fragile, we should use the anniversary of GDPR to reflect on how we can build better, more integrated data management strategies for the next half decade and beyond."


Published Thursday, May 25, 2023 7:30 AM by David Marshall
Filed under:
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<May 2023>