Pop the champagne! GDPR is five years old!

The General Data Protection Regulation (GDPR) turned five years old on May 25, and it has changed the way businesses think about data privacy and security. Whilst GDPR has provided plenty of benefits when it comes to improving the overall security of companies, it also brings about its own set of challenges.

As we reach the five-year anniversary of GDPR, it is the perfect time to reflect on what remains an ongoing challenge for businesses and how they can ensure protection to personal data as we see new threats arise.

Michael Covington, VP of Strategy at Jamf, outlines that there are still plenty of challenges for organizations looking to ensure compliance with GDPR.

"Learnings from the COVID-19 pandemic have raised concerns about new public health and data considerations that should be factored into future legislation", said Covington. "Additionally, the post-Brexit version of GDPR for the UK is still a work in progress, as is a firm stance on how data can be shared between EU member states and ‘partner’ countries.

"For individuals, GDPR is making a difference in how their personal data is safeguarded. And for CISOs and data protection officers, the work continues to ensure organizations achieve regulatory compliance in a way that minimizes disruption to the core business while ensuring employees, customers, and partners have confidence in how their personal data is being managed."

GDPR has obviously been a force for good in improving the cybersecurity standard, measures and overall resilience of companies. However, organizations also need to be proactive when it comes to improving their overall cybersecurity posture.

With nearly 100,000 CVEs discovered since the adoption of GDPR -- roughly half of all known CVEs to date -- Sylvain Cortes, VP of Strategy at Hackuity, believes an effective vulnerability management program has never been more essential to avoid both the costly aftermath of a cyber incident and the resulting penalties from regulators.

Cortes argues that maintaining a strong cybersecurity posture goes beyond the rudimentary tick box exercise. "It’s important to remember that achieving compliance shouldn’t be treated like ‘exam-cramming’ with last-ditch efforts to achieve annual or quarterly audits," said Cortes.

"The goal is to achieve more than the minimum requirements and move away from the tick-box mindset. GDPR compliance is necessary, but it is far from sufficient for modern organizations."

Rick Hanson, President at Delinea, also agrees that organizations need to be proactive when it comes to cybersecurity. He argues that whilst GDPR gives organizations a framework, it does not solve cyber threats.

"We have come a long way since the early days of cyber and GDPR makes a significant impact, yet it does not solve the cybersecurity threat," said Hanson. "It offers a framework that helps classify and protect, yet these policies are public, giving any attacker a roadmap on how to circumvent the policy.

"As good as GDPR policy is, it does not mean our personal data is completely secure. We must continue to educate and innovate to solve these ongoing data privacy and security challenges."

Ensuring GDPR compliance is still a major challenge for organizations, and on the fifth anniversary of the regulation’s implementation, it is only going to get tougher. In recent years, we have seen the rise of new technologies such as generative AI and biometrics, and they are changing the way we work.

Paul Brucciani, Cyber Security Advisor at WithSecure believes that internet fragmentation has created complexity when it comes to regulations and that the EU plays an important role in leading the world through this.

"AI is the next big field that will need regulating, and the EU has again made a head start on this with its proposed AI Act, a legal framework that is intended to be innovation-friendly, future-proof and resilient to disruption," said Brucciani.

Whilst these technologies can make businesses more effective and efficient, they also bring about new data security challenges. Eduardo Azanza, CEO at Veridas, said that failure to responsibly and ethically use biometrics will still result in hefty GDPR fines.

"Without question, GDPR has revolutionized data privacy and protection and now, with the introduction of biometrics, the regulation takes on even more significance as it celebrated its fifth anniversary, said Azanza. "As defined by Article 4 of GDPR, biometric data is a form of personal data -- therefore, businesses must carefully and securely manage it.

Earlier in May, Mobile World Congress (MWC) was slapped with a €200,000 fine by GDPR after they had collected biometric data from show attendees. The organizers failed to demonstrate due diligence before collecting biometric data, therefore infringing Article 35 of GDPR which deals with requirements for carrying out a data protection impact assessment (DPIA).”

On the fifth birthday of GDPR, we still have plenty of data privacy questions for technologies such as biometrics and AI. It’s important that we have data privacy laws, like GDPR, which protect our fundamental rights. As commented by Azanza, in order to be fully trusted, companies need to ensure that new technologies comply with the regulations and standards set.

"Trust in biometric solutions must be based on transparency and compliance with legal, technical, and ethical standards. Only by doing this, can we successfully transition to a world of biometrics that protects our fundamental right to data privacy," concluded Azanza.

Photo credit: Kesu/Shutterstock

Robin Campbell-Burt is CEO at Code Red.