Since May 25, 2018, the day the GDPR became enforceable in the 28 countries of the European Union (EU), it has set significant new standards for privacy all over the world. So, what has happened this past year?
I’d say that privacy has come of age. From being an area that was not a major issue for many people, much of the world has started to understand both the power that can be wielded by those misusing personal data and the financial weight of data, and this has resulted in companies taking privacy more seriously.
GDPR implementation has had a very positive and notable impact on the data handling of most companies. In conversations I’ve had, GDPR has quickly moved from an upcoming issue to a common background to every discussion and implementation of technology. It is interesting how many other jurisdictions have now passed – or have underway – laws that take a similar overall stance to GDPR (the user owns their own data and has rights over it) from the California Consumer Privacy Act and Brazil’s LGPD to public statements from powerful leaders like Mark Zuckerberg endorsing GDPR as a common framework. It’s clear that privacy is being taken seriously.
Consumer interest in and understanding of privacy issues have certainly increased, partly due to the regular announcements of data loss incidents. Last year’s data breaches at British Airways and Marriott are currently being investigated by EU regulators. Some people have asked “but how much have the fines been?” It takes time for regulators to investigate all aspects of an incident, but the first enforcement actions have been taken, and include, for instance, a €50m fine against Google in France.
The revelations around Cambridge Analytica using sophisticated voter targeting and the enquiries into Facebook’s data methods have resulted in government enquiries, new announcements and Facebook losing European customers.
Press coverage has increased. Just one issue of The New York Times (15th April 2019) had three different articles covering different areas of privacy: “Panic Time About Who is Watching”, discussing Internet of Things (IoT) surveillance; “If Google can follow you, so can the police”, discussing the number of requests police forces make for phone geo-location data when investigating crimes; and “We’re not going to take it anymore”, discussing the rise of the surveillance state.
One of the overlooked areas of the GDPR is that it mandates the regulators’ actions, ensuring similar treatment in each of the countries. Before GDPR some countries had data protection laws but rarely enforced them; now we are seeing enforcement actions across the region. As an example, Poland has issued its first enforcement action.
One area originally overlooked by many people when GDPR was being written about has grown in importance: the requirement of Privacy by Design and Privacy by Default (Article 25). This is great news, as adding privacy after the fact is so much more difficult, and companies that build privacy into their processes and systems throughout are to be applauded.
I believe there are still grey areas around the phrase “legitimate interests” and whether an organisation can use it to justify many types of data collection and use. I expect a few rulings or clarifications in the next year to make this clearer, despite the European Data Protection Board (EDPB) guidelines issued last April 25 on the matter.
However, the threat landscape is constantly developing, and recent data breaches have reinforced the notion that all organisations always have targets firmly on their backs. Yet even one year after the EU GDPR came into force, we are still seeing businesses struggle to be more secure and transparent with their data. The regulation emphasises that, although a data controller needs to make sure it uses sub-processors offering sufficient guarantees, the controller nevertheless remains responsible for its own share of fault, even when data is outsourced, shared or stored in cloud services. Yet Information Technology (IT) cannot protect what it does not know exists, and data visibility issues are still a thorn in many a company’s side. For instance, our recent research revealed that the average enterprise uses 1,935 distinct cloud services, yet most organisations think they use around 30.
As cloud adoption continues, many businesses still need to get a clear picture of where their data is being stored, used and shared by employees before they can implement the right policies and processes to achieve GDPR compliance. When managed correctly, the cloud can be the most secure environment for the enterprise, but first organisations must gain complete visibility into data, context and user behaviour across all cloud services, users and devices. Without this visibility, GDPR compliance will remain out of reach for these businesses. Risks are constantly changing, and one area where IT security teams need more control is the cloud. Sadly, data losses via poorly configured cloud services are a regular occurrence, such as April 2019’s Facebook data loss via AWS.