Tick tock. It has officially been a year since the EU’s General Data Protection Regulation – or GDPR – went into effect on May 25, 2018. Has it been a success? Some naysayers believe not, using criteria such as the small number of fines that have been levied (most notably a €50 million judgement imposed on Google by CNIL, the French data protection authority). Granted, these are baby steps. But if we look at the big picture to see where GDPR is headed and the ripple effect that it is having on data privacy laws around the world, we can see that it has actually been a remarkably successful catalyst for awareness, dialogue and change. With that in mind, let’s take a quick look at where GDPR has taken us, and see if we can identify some takeaways from the first year of its implementation.
Many companies (somewhat justifiably) faced GDPR’s implementation with a certain level of skepticism. The regulations were initially criticized for driving a wedge between organizations and their ability to control the customer experience. Fortunately, the heightened awareness about data security and the power of consent have actually given consumers more confidence in the use of their personally identifiable information (PII).
From an enforcement perspective, EU authorities reported 206,326 potential violations to the European Data Protection Board in the first year of GDPR. It’s unlikely that many of these cases will be investigated. But keep in mind that the regulations and investigative mechanisms are new for everybody involved, including the regulators, so finding a balance around enforcement will naturally take time.
Despite the fact that companies had several years to prepare for GDPR’s implementation, the reality even today is that most of them are actually nowhere near being fully compliant, as highlighted in an article by Warwick Ashford at ComputerWeekly. In that article, Stewart Room from PricewaterhouseCoopers (PwC) brings up an intriguing point – that instead of focusing exclusively on legal compliance, the EU has an additional responsibility to provide organizations with tools to help them change their business models and processes to enable better personal data protection, and therefore compliance.
Meeting Compliance ≠ Being Secure
In the midst of this juggling act to be compliant with GDPR – which is undeniably a positive thing for everyone – it’s also important to remember that GDPR is a moving target and not a final destination. Just like digital transformation efforts, GDPR preparedness doesn’t have a well-defined finish line. In fact, it’s more accurate to say that there is no end point at all.
The good news is that most companies are now taking meaningful steps to question the user data and PII that they collect. This is an important distinction to make because companies have traditionally tried to collect as much user data as possible under the guise of improving user experience or targeting advertising more effectively. Under the new rules they’re more likely to collect only the data that they genuinely need in order to maintain a relationship.
As Joe O’Reilly pointed out in an IT Pro Portal post:
The GDPR has shone a spotlight on an organisation’s disparate internal data, and made organisations unify the large quantities of information into a single view. With a better view of the customer journey, including where, when, how and why they’re communicating with a brand, organisations are better analysing this information and using the insights to drive more personalised customer experience strategies that are of benefit to the customer.
One of the most onerous parts of the GDPR is found in Article 33, which states:
… in the event of a personal data breach, data controllers notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
For many companies, the sheer volume of low- and high-risk attacks can easily reach the hundreds every day, making it impractical for security teams to investigate all but the most obvious incidents. For that reason, the burden of discovering any breaches that have compromised personal data, and then notifying authorities within 72 hours, is a mammoth undertaking. Closing this enormous gap will require different technologies and processes to capture actionable information about every attack, together with the ability to rapidly isolate root cause.
The big takeaway is that, in general, companies exposed to the GDPR have moved towards beefing up their cybersecurity capabilities. That includes faster incident response, root-cause analysis and reporting, as well as being more cautious about where and how data is stored, how it is processed, and who has access to it.
GDPR is a Global Wake-up Call
To the casual observer, GDPR may seem like a collection of distant regulations that only impact EU citizens and the tech companies that have business there. The reality is that many countries around the world are looking at GDPR as a framework for new laws that will considerably raise the stakes for data protection best practices.
On a corporate level, too, powerhouse technology companies such as Apple and Microsoft have already committed to extending GDPR privacy protections to their global customer base. However, rather than approaching this on an individual company basis, there is a groundswell of support in favor of the US Congress enacting broad privacy laws modeled on the best of GDPR. Not willing to wait for the federal government, California is already moving ahead with its own California Consumer Privacy Act, which is scheduled to go into effect on January 1, 2020.
Common Sense Advice
With all of that in mind, let’s close out with some relatively simple, practical tips for companies (and individuals) to consider when trying to improve data security and reduce the risk of damaging breaches. As with most things in life, prevention is far better than cure.
- Conduct regular audits to track where data traffic is going – both from the corporate office and from mobile devices used in the field.
- Understand what data your apps are consuming, saving and sharing; you may be surprised where your data is ending up.
- Understand that organizations may be financially liable for any damage caused by the loss or theft of PII on work-assigned devices.
- Finally, a fun fact: 62 percent of people reuse the same passwords for personal and work accounts. Think about the implications. Even one piece of compromised PII from Snapchat, Instagram, et cetera, may be the only thing a bad actor needs in order to gain access to company data. Never underestimate the value of training employees about risk mitigation and basic security precautions.