May 25 marks four years since the introduction of GDPR, a law that completely transformed how organizations collect, store and protect user data. We heard from cybersecurity and privacy experts on how GDPR impacted the industry and their current thoughts on the law today and how it might impact the future.
Joseph Carson, Chief Security Scientist and Advisory CISO, Delinea
“As we approach the fourth anniversary of EU GDPR, it is a time to reflect on how this privacy law has changed the cyber landscape over the last several years. Since its introduction, GDPR has continually forced organizations to better evaluate how they store and collect user data while simultaneously requiring organizations to implement stronger security controls to protect and secure any data they do collect from potential exploits. While the GDPR law has without doubt given citizens more control over how their data is collected and processed, it has also presented opportunities to cybercriminals who have also adapted their methods and techniques, specifically through ransomware attacks. Ransomware attacks continue to cause ripple effects throughout the industry and cybercriminals now utilize potential GDPR violations as a means of forcing an organization to pay their hefty ransom demands to avoid GDPR fines and other reputational losses. An astonishing 83% of organizations admit to paying ransom demands, according to recent research.
While GDPR did force organizations to somewhat improve their security posture, it has not stopped cybercriminals from being successful. Organizations must remember that GDPR is only a standard and cannot supplement a robust security strategy, one that incorporates strong privileged access control, automated threat detection and response, zero trust principles and a security first company culture.”
James Wilde, Global Head of Security Strategy, SPHERE
“2021 was a significant year for GDPR fines, and it really demonstrated the bite which GDPR has. Two of the largest fines to date were Amazon Europe (746m euros) and WhatsApp Ireland (225m euros). When you consider that in 2018 the total of all fines combined was 436,000 euros, we can see the strong stance regulators are taking towards data privacy and the significant risks firms are exposed to going forward.
Following the introduction of GDPR, there has been a rapid increase in the volume of similar initiatives passed by regulators focused on protecting personal data. Whilst similar in nature, there are plenty of nuances which present a concern for organisations working across multiple jurisdictions. Just a few examples include GDPR in Europe, PIPL in China, CCPA in California and POPI in South Africa, among many others.”
Mike Parkin, Senior Engineer, Vulcan Cyber
“When GDPR (General Data Protection Regulation) was first introduced, individuals gained enhanced privacy and received much more control over their personal data. The flip side was organizations needing to do a great deal of work to implement the requirements imposed by the new standards. The reach also extended beyond Europe as many companies doing business worldwide were required to comply if they wanted to continue doing business in the EU.
Now, four years on, most organizations have learned how to comply and ordinary citizens have seen the benefits. While it does impose some extra costs of doing business, and some business models are impacted by needing to give users greater privacy and control, there are dividends in security and customer confidence that should outweigh the costs. The question remains as to how far beyond the European Union the GDPR model will extend, and whether other countries will follow suit to improve their citizen’s privacy and personal security.”
Steve Bakewell, Managing Director EMEA, NetSPI
“On the fourth anniversary of the GDPR, it's fair to say the legislation has impacted both consumers and companies alike. Consumers are more aware of the value of their personal data and how companies collect and use it, which is increasingly informing the choices they make as well as the brands and services they trust. Data breach notification rules have increased transparency and cookie warnings are everywhere, yet remain inconsistent. This lack of consistency is being addressed by the EU within it's wider ePR update, which serves as an example that regulations tend to change over time.
Companies have done a lot of work to bring their systems and processes inline with the GDPR, but it is a continuous exercise. In the same way regulations change, so does technology. For example, the increasing uptake in cloud services has resulted in more data, including personal data, being collected, stored and processed in the cloud.
Moving forward, companies should be confident they have mapped out the data lifecycle for the organisation, including what it is, where it is, how it is collected, stored, processed and deleted. Understand and implement both privacy and security requirements in systems handling the data, then test accordingly across all systems, on-prem, cloud, operational technology, and even physical, to validate controls are effective and risks are correctly managed.”
David Friend, co-founder and CEO, Wasabi Technologies
“Now four years into the launch of GDPR, organizations must take action to both replicate their data across data centers in different countries and secure their encryption keys. While it is clear that the regulation has been fairly effective in keeping data within European borders thus far, other external influences such as international conflict and cyber criminals becoming more sophisticated are now throwing GDPR, and data privacy in general, through another loop. No one knows what the geopolitical atmosphere will be like or how cyber crime will have evolved in, say, five years, and organizations do not want to end up in a situation where their data access is cut off as a result of war, ransomware, or other cyber threats. Therefore, effective data replication and encryption practices are more critical than ever.”
Stephen Cavey, co-founder and chief evangelist, Ground Labs
“The GDPR is the most significant privacy legislation that organizations globally have faced. The regulations have significantly raised the bar in how organizations are held accountable for their personal data collection and handling practices with fines for violations surpassing double-digits. Likewise, it has forced organizations to better understand how their customers' data is collected, where it is stored, and whether they are selling it to third parties. Furthermore, under the GDPR organizations that collect and handle personal information must prepare for individuals to invoke their right to opt-out of data sharing practices or request their data to be removed (forgotten).
Since its inception in 2018, we have gained valuable insight into how the GDPR is being enforced. One discrepancy, though, is the impact on large and small businesses. Large businesses can handle the challenges of privacy, security and regulation compliance because they have access to the resources and can implement functions to address these regulatory requirements. In a smaller organization, this is not the case. Small businesses have to rely on outsourcing to fix the problem, which can be costly and time-consuming.
Data protection is a journey, not a destination. As these regulations grow in scale and complexity, organizations of all sizes will continue exploring ways to meet these requirements without hindering business success.”
Robert Former, CISO and VP of Security at Acquia
“GDPR forced the world to think about privacy in technology and how to build future technology that meets what GDPR requires. Companies have learned that when it comes to regulatory and compliance matters, paying attention after it’s too late can quite literally cost them everything. So, GDPR has also forced companies to take security seriously. There is no such thing as too much security and it’s important for companies to be sharply aware of their data i.e., what data you have and need versus what’s not necessary as well as understanding the controls legally required to accompany that data.
As we trend toward a data environment that’s increasingly regulated, bringing security into C-suite discussions becomes even more critical. We are out of the honeymoon phase, next is more enforcement.”
Kostas Pardalis, Group Product Manager at Starburst
“The way we treated data privacy yesterday is not how we’re supposed to treat it today and certainly not how it will be treated in the future. Now that it has been four years since GDPR was introduced, we are reminded of the many ways it has impacted companies and end-users alike. For example, GDPR has made internet users much more aware of data privacy issues, which is a good thing; however, it has also introduced cookie consent forms on websites that ultimately hinder user experiences.
Companies, legislators and societies are constantly learning and adapting to new technologies and challenges that make data sovereignty compliance a complicated task. As organizations look to meet the demand for data sovereignty, we first need to do a lot of work on delivering data infrastructure that is "sovereignty" aware and to make that possible, multi-cloud deployments and federation need to become the standard.
Data privacy trends are constantly evolving but I don’t anticipate them slowing down anytime soon. If anything, I expect an acceleration in enforcing data sovereignty as the prospect of U.S. regulation becomes more likely due to both the geopolitical and social environments.”
Moritz Plassnig, Chief Growth Officer at Immuta
“It is clear that, with GDPR, the EU is leading the charge when it comes to data privacy regulations. While GDPR is a regulation in EU law, we’ve seen its influence spur other countries and regions, such as California with its CCPA legislation, to follow suit. Furthermore, nearly every business is global in today’s digital environment. With the click of a button, a business could find themselves with users or customers in other geographies. But as globalization continues to mature, and more states, regions and countries adopt their own data privacy regulations, it will be critical to ensure that innovation is not stifled in the process.
GDPR is powerful from a privacy and national security perspective, but its stringent requirements can hinder competition and innovation, especially for startups and small businesses. Unlike for larger enterprises that have the resources - think lawyers and internal compliance teams - to ensure they are adhering to the guidelines, for these organizations, navigating the regulatory waters and remaining compliant at an early stage is far more difficult and costly. As other governing bodies roll out their own regulations, establishing the right balance of data privacy without sacrificing innovation will be key to establishing effective data privacy laws.”