The effect of GDPR two years on
Today marks the second anniversary of the introduction of the EU's General Data Protection Regulation (GDPR).
With privacy in the spotlight at the moment due to COVID-19 tracing apps, we got the views of some industry experts on the effect that GDPR has had on our individual privacy and on the way businesses handle data.
"While it's the second anniversary of GDPR, being GDPR-compliant isn't about a point in time," says Steve Grewal, CTO of data management firm Cohesity. "Compliance is an ongoing process that requires organizations to take the utmost care in managing and protecting personal data. This means minimizing data volumes, reducing data fragmentation, and -- absent standardized policies in the US across all 50 states on personal data and privacy -- taking a proactive approach to ensure data is secure and protected. In 2020, it's imperative that organizations are good stewards of customer data. Failing to make compliance a key part of an overall data management strategy can severely damage trust and erode brand reputations."
Grewal also believes any erosion of privacy due to tracing apps will be temporary: "Just as individuals were asked to trade privacy to access social networks, individuals are being asked to consider a lower level of personal privacy while being under lockdown, as governments are exploring the use of tracing apps to track the spread of the virus. Though Europe's laws are strict, exemptions for public-health crises are written into EU data protection rules. Any use of data must be proportionate and fall away once the crisis has passed."
Matt Lock, technical director UK at data security firm Varonis says:
Many companies took the GDPR seriously and made great progress ramping up their data protection measures. Reports that the ICO isn’t taking forward any cases and delaying current ones sends the message that regulators have pressed pause for the time being.
There isn't time to lose -- the public needs to know safeguards will remain firmly in place and that companies that stray from GDPR requirements will be held accountable. Especially at this time when personal data is being shared and processed in efforts to manage the pandemic. It may be tempting to bend the rules now, but industry and regulators can’t turn the clock back.
It's reasonable to expect some lag time as regulators and companies re-assess their priorities during the COVID crisis. Ignoring data protection in the short term only opens the door to long term issues.
The pandemic forced companies to get their teams up and running remotely. In the rush to remote work, many organisations eased access and normal safeguards to ensure everything could remain business-as-usual. In doing so, they widened the attack surface. No doubt, there are companies that have been compromised and simply don’t know it yet. In the weeks and months ahead, expect to see a slew of disclosures to the ICO.
Bob Swanson, security research consultant at SOAR company Swimlane, believes GDPR enforcement has yet to fully bite: "When we look at the introduction of GDPR everyone was focused on proposed fines. But have the actual fines issued lived up to that? No they have not. How you institute change is through collaboration and accountability, specifically among the largest, most influential organizations. Take Google for example. Of the millions in fines issued in 2019, the majority of those were issued to Google. However, when you compare Google's 2019 issuance of $57 million in fines to annual revenue, some would say this fine more closely resembles a slap on the wrist, versus a mechanism to institute change among the tech giants. These types of organizations will be the ones to truly influence the adoption, adaptation and staying power of such legislation."
Others, though, think GDPR has been a success. Grant Geyer, chief product officer of operational technology platform Claroty, believes: "Just as important as the principles the regulation stands for, the European Union's global enforcement of blatant and wilful violations of the rights of European citizens to have their personal data safeguarded has raised its prominence to the gold standard of data protection regulations worldwide. In today's global economy, GDPR has swiftly created a replicable regulatory blueprint that represents a win for citizens to maintain ownership over their personal data. That's a sacred right in a digital economy where for many years personal data has been abused and monetised without awareness, consent, or recourse."
"It is clear GDPR has so far been a success," says Paul Breitbarth, director, EU policy and strategy at privacy management company TrustArc. "Companies around the world have become much more aware of the importance of privacy compliance, updating their approach to how their customers’ data is collected, used and safeguarded."
However, he adds a caveat: "Two years of experience have also shown more work is needed to understand the nitty-gritty detail of complying with GDPR. Data protection authorities will have to develop further guidelines with practical examples, but also release the reports of any enforcement action -- ideally in English -- so companies anywhere in the world can learn from what has gone wrong."
It's clear from this range of views that, while GDPR has been largely successful in improving the focus on data privacy, there's still more work for businesses and regulators to do.