Today marks the third anniversary of the implementation of the European Union’s landmark General Data Protection Regulation (GDPR). Since its inception, the legislation has become a standard model for nations across the world considering the creation of their own data protection laws, and such measures continue to grow in popularity as individuals become increasingly concerned with the privacy and security of their personal data.
While the GDPR has been seen by many as a positive step, most agree that there is still significant work to be done in both the private and public sectors if we are to achieve true data protection. Below, industry experts offer their thoughts on the significance of the GDPR, the challenges associated with data privacy and protection, and how organizations, governments, and individuals alike can work to address these issues moving forward.
Declan Dickens, Senior Manager, Northern Europe, Checkmarx:
“Three years ago, the General Data Protection Regulation (GDPR) came into effect, heralding a new wave of privacy and security reform throughout Europe. While debates carry on about the true effectiveness of GDPR, one thing that’s been clear is that it has forced organizations, consumers, and legislatures alike to take notice of privacy – which is a positive in itself.
With that said, there is still a lot of work to be done when it comes to widespread action and accountability surrounding data privacy. A new report noted that over 661 fines have been issued since GDPR became enforceable, totalling €292 million – a concerning number. It’s important that both lawmakers and organizations don’t become complacent in this critical effort. Issues surrounding fragmentation and gray areas still exist with the GDPR, which continue to create a variety of problems. GDPR, and data privacy protections more broadly, should be a living, breathing initiative, being consistently updated to reflect changes in end user needs, evolutions in regulatory requirements, and more.
Organizations that develop applications in particular must ensure they’re aligning with the GDPR requirements. The articles relating to this (25, 32, 33, 34 and 35) reaffirm the steps needed when securing data flowing through applications, in addition to what needs to be done in the event of a data breach. For those looking to remain compliant, we suggest they first follow the ‘privacy/security by design’ rule – ensuring data security and privacy are considered during the planning stage of any product or solution, as opposed to during development – to safeguard data from attackers by default. For existing operations, organizations need to work to discover any weak points in how data flow is processed and handled by performing gap analysis to find what works and what needs to be worked on or removed. Finally, organizations should make a habit of ‘spring cleaning’ to remove any data that is no longer needed. Only by following these critical steps, can they hope to position themselves in the most agile and resilient way to avoid hefty fines, and more importantly, protect data privacy.”
Neil Thacker, EMEA CISO, Netskope:
“On the 3rd anniversary of the General Data Protection Regulation (GDPR) coming into effect, we recognize the continued problem of the use of unmanaged cloud applications and services whilst adhering to the regulation. One of the most underestimated compliance challenges that organizations face under the GDPR is the fact that many - if not most - personal data records, for which the organization is legally responsible, are processed using cloud applications and services not traditionally owned or made visible to the IT or the security team. Also, unstructured personal data is created by the workforce – often unsupervised – using productivity or collaboration applications. This data is pervasive across mobile devices and shared with others through unmanaged applications and cloud storage locations, which are outside the organization’s direct control. The pandemic-fueled explosion of data in 2020 and a Work-From-Anywhere (WFA) trend involving Bring Your Own Device (BYOD) usage has only exacerbated this problem.
Nevertheless, under the GDPR regulation, it is always the organization’s legal responsibility to protect such data from loss, alteration, or unauthorized processing, even if workers use cloud services that are not pre-approved or controlled by the organization. This means that organizations must know which personal data records are processed by users of cloud services; identify the cloud applications used by the organization’s workforce; prevent personal data from being stored or processed in unmanaged cloud services; and continue to protect personal data when stored or processed in cloud services.
Failure to manage non-approved cloud services may leave the organization at serious risk, from both a legal perspective and from a business continuity and reputational perspective. CIOs and CISOs must therefore pay close attention to this issue and implement measures to bring such cloud services under the visibility and control of the organization. Trusted frameworks and platforms, such as Secure Access Service Edge (SASE), help not only to future-proof an organization’s cloud strategy but do so with security, privacy, and compliance with regulations, such as the GDPR, at the forefront.”
Jennifer Glasgow, EVP, Policy & Compliance, First Orion:
“We are approaching the third anniversary of the enactment of GDPR (General Data Protection Regulation). While originally intended to protect the information of EU residents, we’ve seen GDPR become the model for privacy and data protection legislation on a global scale. We are global citizens, and so too is our information. No matter where an organization is based, we must ensure that all cross-border data transfers don’t weaken protection of personal data. Once GDPR was rolled out in Europe, we saw elements of GDPR come into play in the U.S., with CCPA (California Consumer Privacy Act) and in other countries around the world. We are also beginning to understand the law’s weaknesses. Global dialogues suggest that a stronger accountability-based approach allows more innovation with data, something business and government alike want. As many U.S. states pass privacy laws and pressure rises for a single federal standard, 2021 will be a pivotal year in the U.S., the EU, and around the world in the evolution of privacy and data protection laws. It remains to be seen if we can break some glass and take the big leap to a different construct that protects individuals while encouraging innovation with data.”
Stephen Cavey, Co-founder and Chief Evangelist, Ground Labs:
“Since GDPR’s inception in 2018, the regulation has had a global impact on data compliance, sparking similar efforts from other countries to create their own legislation to better protect their citizens. These regulations have effectively increased transparency, given consumers the ability to opt out of data sharing practices, and held businesses accountable for the personal data they hold. In addition to other compliance regulations like CCPA, we anticipate seeing even more global data protection laws from all regions in the near future, including those from China and South Africa.
However, challenges arise as more and more data is generated and more people are conducting their day-to-day activities from the comfort of their homes and personal devices. This makes GDPR arguably more relevant now than it has ever been. As these regulations grow in scale and complexity and fines for violations and non-compliance continue to see double-digit growth, organizations are exploring ways to meet these requirements without hindering business success. Forward-thinking organizations are deploying solutions and processes that will allow them to address security using a common, data-driven approach despite any variances in regulation that each of these emerging laws brings. I also believe we may see businesses adopting protections as a unique selling point in years to come. Take, for example, Apple’s recent iOS 14.5 update, which gave users ultimate control over data collection on their iPhones and translated into a ‘Privacy. That’s iPhone.’ marketing campaign.”