Today marks the 3rd anniversary of the implementation of the European Union’s landmark General Data Protection Regulation (GDPR). Since its inception, the legislation has become a standard model for nations across the world considering the creation of their own data protection laws; measures which continue to grow in popularity around the world as individuals are increasingly concerned with the privacy and security of their personal data.
While the GDPR has been seen by many as a positive step, most agree that there is still significant work to be done in both the private and public sectors if we are to achieve true data protection. Below, industry experts offer their thoughts on the significance of the GDPR, the challenges associated with data privacy and protection, and how organizations, governments, and individuals alike can work to address these issues moving forward.
Declan Dickens, Senior Manager, Northern Europe, Checkmarx:
“Three years ago, the General Data Protection Regulation (GDPR) came into effect, heralding a new wave of privacy and security reform throughout Europe. While debates carry on about the true effectiveness of GDPR, one thing that’s been clear is that it has forced organizations, consumers, and legislatures alike to take notice of privacy – which is a positive in itself.
With that said, there is still a lot of work to be done when it comes to widespread action and accountability surrounding data privacy. A new report noted that over 661 fines have been issued since GDPR became enforceable, totalling €292 million – a concerning number. It’s important that both lawmakers and organizations don’t become complacent in this critical effort. Issues surrounding fragmentation and gray areas still exist with the GDPR, which continue to create a variety of problems. GDPR, and data privacy protections more broadly, should be a living, breathing initiative, being consistently updated to reflect changes in end user needs, evolutions in regulatory requirements, and more.
Organizations that develop applications in particular must ensure they’re aligning with the GDPR requirements. The articles relating to this (25, 32, 33, 34 and 35) reaffirm the steps needed when securing data flowing through applications, in addition to what needs to be done in the event of a data breach. For those looking to remain compliant, we suggest they first follow the ‘privacy/security by design’ rule – ensuring data security and privacy are considered during the planning stage of any product or solution, as opposed to during development – to safeguard data from attackers by default. For existing operations, organizations need to work to discover any weak points in how data flow is processed and handled by performing gap analysis to find what works and what needs to be worked on or removed. Finally, organizations should make a habit of ‘spring cleaning’ to remove any data that is no longer needed. Only by following these critical steps can they hope to position themselves in the most agile and resilient way to avoid hefty fines and, more importantly, protect data privacy.”