It’s been four years since the European General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and replaced the Data Protection Directive.
Designed to increase data privacy and data protection efforts, the GDPR is one of the toughest privacy and security laws in the world. The regulation imposes obligations onto organizations anywhere, as long as they target or collect data related to people in the EU, and exercises its right to administer harsh fines against those who violate its privacy and security standards.
GDPR regulators have been busy issuing hundreds of fines to companies. In the last four years, penalties have reached the tens of millions of euros. The French data protection agency, for example, fined Google a record $57 million. Amazon’s GDPR fine, announced in the company’s July 2021 earnings report, is nearly 15 times bigger than Google’s record fine, at $877 million. Since the GDPR took effect, Tessian has seen more than 900 fines issued across Europe and the U.K.
The GDPR has also inspired several other regulations, from Brazil’s Lei Geral de Proteção de Dados (LGPD) to the California Consumer Protection Act (CCPA). In recent months, the state of Utah passed the Utah Consumer Privacy Act, and currently, 22 states, including California, Colorado, Virginia, Hawaii, Massachusetts, and New Jersey, have consumer privacy legislation pending.
Despite costly fines and an increasingly regulated environment, organizations of all sizes are not fully prepared for compliance with privacy and data protection regulations. Recent data by CYTRIO on the state of compliance with the CCPA, California Privacy Rights Act (CPRA) and the GDPR shows that as of March 31, 2022, 90% of companies surveyed are not fully compliant with the CCPA and CPRA Data Subject Access Request (DSAR) requirements, and 95% of companies are using error-prone and time-consuming manual processes for GDPR DSAR requirements.
Here, security leaders offer their perspectives on how the GDPR has played an instrumental role in the development of similar data protection regulations, its impact and more.
Dale Waterman, Managing Director at Breakwater Solutions: The GDPR has played an instrumental role in the development of worldwide privacy regulation. GDPR is the major driving force in the global data protection landscape of an increasingly digitally connected world. The fundamental impact of GDPR over the past four years has been a growing expectation of data protection and privacy by people, organizations, and governments.
The focus on requirements, like informed consent and data subject rights and the visibility around high-profile data breaches, has created a new collective consciousness that has real concerns with how personal data is being collected, used, shared, and protected, particularly by governments and larger organizations. These new citizen, consumer, and partner demands, combined with a better understanding by governments of the value of personal data as a national asset, have seen a tidal wave of GDPR-inspired regulations implemented (or planned) across the world.
There are notable examples in major economies like California, Brazil, and China, but we’ve also seen major developments in almost every country across regions like the Middle East and Africa. These positive developments will continue to gather speed over the next 12 months. In my opinion, we will move from an initial emphasis on transparency and consent in regions like the Middle East towards a focus on the operationalization of data privacy programs and the implementation of controls that enhance security and mitigate the risk of breaches. We will also likely begin to see a double-click on cross-border data transfers beyond the US/EU context, an increase in enforcement messaging and activity by maturing supervisory authorities, and a shift in the GDPR’s Data Protection Officer role from an initial compliance obligation appointment to someone who becomes much more of a strategic resource working closely with both business and leadership teams.
Joseph Carson, Chief Security Scientist and Advisory CISO, Delinea: As we approach the fourth anniversary of EU GDPR, it is a time to reflect on how this privacy law has changed the cyber landscape over the last several years. Since its introduction, GDPR has continually forced organizations to better evaluate how they store and collect user data while simultaneously requiring organizations to implement stronger security controls to protect and secure any data they collect from potential exploits. While the GDPR law has without a doubt given citizens more control over how their data is collected and processed, it has also presented opportunities to cybercriminals who have also adapted their methods and techniques, specifically through ransomware attacks. Ransomware attacks continue to cause ripple effects throughout the industry, and cybercriminals now utilize potential GDPR violations as a means of forcing an organization to pay their hefty ransom demands to avoid GDPR fines and other reputational losses. An astonishing 83% of organizations admit to paying ransom demands, according to recent research.
While GDPR did force organizations to somewhat improve their security posture, it has not stopped cybercriminals from being successful. Organizations must remember that GDPR is only a standard and cannot supplement a robust security strategy, one that incorporates strong privileged access control, automated threat detection and response, zero trust principles and a security-first company culture.
James Wilde, Global Head of Security Strategy, SPHERE: 2021 was a significant year for GDPR fines, and it really demonstrated the bite which GDPR has. Two of the largest fines to date were Amazon Europe (746m euros) and WhatsApp Ireland (225m euros). When you consider that in 2018 the total of all fines combined was 436,000 euros, we can see the strong stance regulators are taking towards data privacy and the significant risks firms are exposed to going forward. Following the introduction of GDPR, there has been a rapid increase in the volume of similar initiatives passed by regulators focused on protecting personal data. While similar in nature, there are plenty of nuances which present a concern for organizations working across multiple jurisdictions. Just a few examples include GDPR in Europe, PIPL in China, CCPA in California and POPI in South Africa, among many others.
Mike Parkin, Senior Engineer, Vulcan Cyber: When GDPR (General Data Protection Regulation) was first introduced, individuals gained enhanced privacy and received much more control over their personal data. The flip side was organizations needing to do a great deal of work to implement the requirements imposed by the new standards. The reach also extended beyond Europe as many companies doing business worldwide were required to comply if they wanted to continue doing business in the EU.
Now, four years on, most organizations have learned how to comply, and ordinary citizens have seen the benefits. While it does impose some extra costs of doing business, and some business models are impacted by needing to give users greater privacy and control, there are dividends in security and customer confidence that should outweigh the costs. The question remains as to how far beyond the European Union the GDPR model will extend, and whether other countries will follow suit to improve their citizens’ privacy and personal security.
Heather Federman, the Chief Privacy Officer at BigID: I disagree with the sentiment that GDPR is ‘failing.’ It takes time for regulators to enforce such regulations. Given the one-stop-shop model, there are many kinks to work out. We still have just scratched the surface of this regulation’s direct and indirect impacts, with the impacts ranging from a massive increase in privacy practitioners to general consumer awareness to ‘copy’ GDPR laws in other regions. Additionally, more organizations are trying to do the right thing when it comes to data.