Happy Fifth Birthday GDPR!

By Robin Campbell-Burt, CEO at Code Red

On Thursday 25^th May, it’s the fifth anniversary of GDPR, and it’s safe to say the EU regulation has changed the world. Companies storing the personal data of EU citizens now must have a framework to both ethically and securely store and manage the information held on file.

Since its implementation in 2018, countries around the world have adopted their own version. In 2018, the State of California implemented the Californian Consumer Privacy Act (CCPA) and even after leaving the EU, the UK adopted the Data Protection Act. 

Data privacy is on the mind of every organisation around the world, and the challenges of GDPR compliance are still just as present today as they were five years ago. So, with that mind, ahead of the fifth anniversary of GDPR, we asked some cybersecurity experts what their thoughts were on GDPR.

Rick Hanson, President at Delinea:

“I’ve been in the cyber community since the mid-90s, and one consistency over the years is that personal data has always been paramount. However, even though the industry often understood what needed to be done to protect personal data, it was frequently deemed to be too costly or complex to implement. 

Five years ago, I applauded the EU for taking a stand and providing guidelines and a framework to ensure that personal data and privacy were protected with GDPR. Yet even as this legislation passed and privacy advocates celebrated, many businesses were very concerned due to perceived burdensome and costly efforts that would be required of them to be compliant. Looking back on this anniversary, I am very encouraged that the technology community has innovated and evolved to solve many of these issues and challenges quickly. My belief is that it sets a solid foundation that the rest of the world can follow as we continuously work to protect our personal data and privacy.

 
We have come a long way since the early days of cyber and GDPR makes a significant impact, yet it does not solve the cybersecurity threat. It offers a framework that helps classify and protect, yet these policies are public, giving any attacker a roadmap on how to circumvent the policy. As good as GDPR policy is, it does not mean our personal data is completely secure. We must continue to educate and innovate to solve these ongoing data privacy and security challenges.”

Sylvain Cortes, VP of Strategy at Hackuity:

“Compliance is essential, but we urge organisations to take the opportunity to think beyond baseline requirements to develop a culture of continuous cyber improvement. It’s important to remember that achieving compliance shouldn’t be treated like ‘exam-cramming’ with last-ditch efforts to achieve annual or quarterly audits.

The goal is to achieve more than the minimum requirements and move away from the tick-box mindset. GDPR compliance is necessary, but it is far from sufficient for modern organisations.” 

Michael Covington, VP of Strategy at Jamf:

“The EU’s GDPR has had a tremendous impact on how organisations around the globe handle personal user data since the regulation went into effect five years ago. The threat of substantial fines — including the almost €3 billion that have been levied since the regulation went into effect — have forced companies to take privacy and security more seriously. And the impact is not just contained within Europe; GDPR has inspired over 100 other regional privacy standards, including those in many of the individual US states.

Of course, with a regulation as complex as GDPR, there’s still work to do, both for the governing bodies and the organisations that must achieve compliance. Learnings from the COVID-19 pandemic have raised concerns about new public health and data considerations that should be factored into future legislation. Additionally, the post-Brexit version of GDPR for the UK is still a work in progress, as is a firm stance on how data can be shared between EU member states and “partner” countries.

For individuals, GDPR is making a difference in how their personal data is safeguarded. And for CISOs and data protection officers, the work continues to ensure organisations achieve regulatory compliance in a way that minimises disruption to the core business while ensuring employees, customers, and partners have confidence in how their personal data is being managed."

Wade Ellery, Field Chief Technology Officer at Radiant Logic:

"This year, the anniversary of GDPR serves as a stark reminder of what is to come. Since its introduction, companies have faced more than €359 million in major GDPR fines. As recently as this week, we saw the social media giant Meta was handed a $1.3 billion fine for violating GDPR, specifically for the way the company is storing and transferring data between countries. This will only continue as we will anticipate new data protection frameworks in the US, UK, and someday globally. With that, we advise organizations to avoid inevitable problems like these by taking the time now to implement and use safe data management practices.

Additionally, for this year specifically, we must keep in mind the rate of digital evolution and transformation we are currently in. For digital transformation initiatives such as AI to be fully adequate for daily use, they must rely on clean and organized data to make the right decisions. Data remains at the heart of everything we rely on in the technology world, and AI is only as good as the data it relies on. Identity data, of all the different segments of collected data, must be treated as sensitively and carefully as our own human bodies. In order for AI to be used by large enterprises, it must be fully equipped with the right sets of data needed to make intelligent decisions. Having old or unnecessary employee or workforce identity data not only limits the ability of AI but puts the organization holding the data at a huge risk of fines and breaches."

Eduardo Azanza, CEO at Veridas:

“Without question, GDPR has revolutionised data privacy and protection and now, with the introduction of biometrics, the regulation takes on even more significance as it celebrated its fifth anniversary. As defined by Article 4 of GDPR, biometric data is a form of personal data – therefore, businesses must carefully and securely manage it.

Earlier in May, Mobile World Congress (MWC) was slapped with a €200,000 fine by GDPR after they had collected biometric data from show attendees. The organisers failed to demonstrate due diligence before collecting biometric data, therefore infringing Article 35 of GDPR which deals with requirements for carrying out a data protection impact assessment (DPIA).

With the rise of biometrics and AI, the focus on data protection and privacy has never been more important. Questions should be asked of biometric companies to ensure they are following GDPR laws and are transparent in how data is stored and accessed.

Trust in biometric solutions must be based on transparency and compliance with legal, technical, and ethical standards. Only by doing this, can we successfully transition to a world of biometrics that protects our fundamental right to data privacy.”

Paul Brucciani, Cyber Security Advisor at WithSecure:

“The European Commission is criticised for many things, but GDPR is the one thing where it can hold its head up high and say, 'We've led the world in this'. As regulatory milestones go, it’s the equivalent of climbing Everest. And it seems to be working as other jurisdictions are following suit.

Internet fragmentation, driven by the quest for digital power, is creating regulatory complexity, and the EU has an important role in leading the world through this. For example, AI is the next big field that will need regulating, and the EU has again made a head start on this with its proposed AI Act, a legal framework that is intended to be innovation-friendly, future-proof and resilient to disruption."