GDPR Three Years Later: The Y2K of the 2020s?

Featuring insights from industry experts

The editors at Solutions Review, as well as industry experts, reflect on the impact and effects of GDPR three years after it passed.

Today is the three-year anniversary of GDPR passing. Before the regulation was implemented on May 25th, 2018, IT professionals were scrambling to ensure their organizations were compliant with the new regulations in order to avoid the steep fines they could potentially incur if they weren’t careful. The panic induced in the period between GDPR being announced and going into effect was reminiscent of the anxiety surrounding Y2K, but was it more justifiable? Experts in the data privacy and protection industries provided Solutions Review with their commentary on where we stand, as well as how to continue complying with GDPR in a post-pandemic world. To provide more context, let’s look at some of the regulations GDPR imposes before getting into the commentary from the experts.

Many organizations choose to outsource their backup solutions. While this is possible, it’s only a small step toward achieving full GDPR compliance. Because the outsourced solution provider will be managing your data, it falls under the term “data processor”, which in turn means it is responsible for complying with GDPR as well.

Additionally, it’s absolutely critical that your backup provider tests the effectiveness of its solution on a regular basis. Before signing an agreement with a backup solution provider, you should consider making sure that the provider holds a Cyber Essentials security accreditation. If backups are not already automated, it may be a good idea to increase their frequency to keep in line with your live data. Because GDPR requires that organizations have access to the most current data, frequent and regular backups are incredibly important.

Jennifer Glasgow, EVP, Policy & Compliance, First Orion

“We are approaching the third anniversary of the enactment of GDPR (General Data Protection Regulation). While originally intended to protect the information of EU residents, we’ve seen GDPR become the model for privacy and data protection legislation on a global scale. We are global citizens, and so too is our information. No matter where an organization is based, we must ensure that all cross-border data transfers don’t weaken the protection of personal data. Once GDPR was rolled out in Europe, we saw elements of GDPR come into play in the U.S., with CCPA (California Consumer Privacy Act) and in other countries around the world. We are also beginning to understand the law’s weaknesses.

Global dialogues suggest that a stronger accountability-based approach allows more innovation with data, something businesses and governments alike want. As many U.S. states pass privacy laws and pressure rises for a single federal standard, 2021 will be a pivotal year in the U.S., the EU, and around the world in the evolution of privacy and data protection laws. It remains to be seen if we can break some glass and take the big leap to a different construct that protects individuals while encouraging innovation with data.” 

Stephen Cavey, Co-founder and Chief Evangelist, Ground Labs

“Since GDPR’s inception in 2018, the regulation has had a global impact on data compliance, sparking similar efforts from other countries to create their own legislation to better protect their citizens. These regulations have effectively increased transparency, given consumers the ability to opt out of data sharing practices, and held businesses accountable for the personal data they hold. In addition to other compliance regulations like CCPA, we anticipate seeing even more global data protection laws from all regions in the near future, including those from China and South Africa.

However, challenges arise as more and more data is generated and more people are conducting their day-to-day activities from the comfort of their homes and personal devices. This makes GDPR arguably more relevant now than it has ever been. As these regulations grow in scale and complexity and fines for violations and non-compliance continue to see double-digit growth, organizations are exploring ways to meet these requirements without hindering business success. Forward-thinking organizations are deploying solutions and processes that will allow them to address security using a common, data-driven approach despite any variances in regulation that each of these emerging laws brings. I also believe we may see businesses adopting protections as a unique selling point in years to come. Take, for example, Apple’s recent iOS 14.5 update, which gave users ultimate control over data collection on their iPhones and translated into a ‘Privacy. That’s iPhone.’ marketing campaign.”

Declan Dickens, Senior Manager, Northern Europe, Checkmarx

“Three years ago, the General Data Protection Regulation (GDPR) came into effect, heralding a new wave of privacy and security reform throughout Europe. While debates carry on about the true effectiveness of GDPR, one thing that’s been clear is that it has forced organizations, consumers, and legislatures alike to take notice of privacy – which is a positive in itself.

With that said, there is still a lot of work to be done when it comes to widespread action and accountability surrounding data privacy. A new report noted that over 661 fines have been issued since GDPR became enforceable, totaling €292 million – a concerning number. It’s important that both lawmakers and organizations don’t become complacent in this critical effort. Issues surrounding fragmentation and gray areas still exist with the GDPR, which continue to create a variety of problems. GDPR, and data privacy protections more broadly, should be a living, breathing initiative, being consistently updated to reflect changes in end user needs, evolutions in regulatory requirements, and more.

Organizations that develop applications, in particular, must ensure they’re aligning with the GDPR requirements. The articles relating to this (25, 32, 33, 34, and 35) reaffirm the steps needed when securing data flowing through applications, in addition to what needs to be done in the event of a data breach. For those looking to remain compliant, we suggest they first follow the ‘privacy/security by design’ rule – ensuring data security and privacy are considered during the planning stage of any product or solution, as opposed to during development – to safeguard data from attackers by default. For existing operations, organizations need to work to discover any weak points in how data flow is processed and handled by performing gap analysis to find what works and what needs to be worked on or removed. Finally, organizations should make a habit of ‘spring cleaning’ to remove any data that is no longer needed. Only by following these critical steps, can they hope to position themselves in the most agile and resilient way to avoid hefty fines, and more importantly, protect data privacy.” 

Neil Thacker, EMEA CISO, Netskope

“On the third anniversary of the General Data Protection Regulation (GDPR) coming into effect, we recognize the continued problem of the use of unmanaged cloud applications and services whilst adhering to the regulation. One of the most underestimated compliance challenges that organizations face under the GDPR is the fact that many – if not most – personal data records, for which the organization is legally responsible, are processed using cloud applications and services not traditionally owned by or made visible to the IT or security team. Also, unstructured personal data is created by the workforce – often unsupervised – using productivity or collaboration applications. This data is pervasive across mobile devices and shared with others through unmanaged applications and cloud storage locations, which are outside the organization’s direct control. The pandemic-fueled explosion of data in 2020 and a Work-From-Anywhere (WFA) trend involving Bring Your Own Device (BYOD) usage has only exacerbated this problem.

Nevertheless, under the GDPR regulation, it is always the organization’s legal responsibility to protect such data from loss, alteration, or unauthorized processing, even if workers use cloud services that are not pre-approved or controlled by the organization. This means that organizations must know which personal data records are processed by users of cloud services; identify the cloud applications used by the organization’s workforce; prevent personal data from being stored or processed in unmanaged cloud services; and continue to protect personal data when stored or processed in cloud services.

Failure to manage non-approved cloud services may leave the organization at serious risk, from both a legal perspective and from a business continuity and reputational perspective. CIOs and CISOs must therefore pay close attention to this issue and implement measures to bring such cloud services under the visibility and control of the organization. Trusted frameworks and platforms, such as Secure Access Service Edge (SASE), help not only to future-proof an organization’s cloud strategy but do so with security, privacy, and compliance with regulations, such as the GDPR, at the forefront.”

Just because GDPR has been in effect for three years doesn’t mean your organization should let up on maintaining compliance. Your business needs to be aware of the rules and regulations, and how strictly they are enforced, in order to be compliant, as GDPR fines are still being levied on organizations that don’t comply. Consider the above commentary and think about reevaluating your data protection policy in order to stay up to date and remain compliant.

Tess Hanna