GDPR one year on: where do we stand?

(Image credit: Image source: Shutterstock/Wright Studio)

After years of preparation, the General Data Protection Regulation (GDPR) finally took effect on the 25th May 2018. On that very same day, complaints against one of the world’s biggest tech companies were filed under the new data protection initiative, with Google coming under intense scrutiny for its suspected misuse of personal data. As a result of this, Google faced one of the largest GDPR penalties ever issued and was forced to pay a fine of £44m earlier this year.

However, Google isn’t alone, as just three months after the implementation of the regulation – which intended to improve data protection measures – reputable airline British Airways fell victim to a large-scale hack. During the attack, a total of 565,000 customer transactions, including payment information and other personal data, were leaked. Since the GDPR came into force, we’ve seen a variety of breaches and fines occur, ranging from large, established organisations such as Facebook, Uber and Marriott, to smaller organisations. With over 200,000 cases reported across Europe, the year since the introduction of the GDPR has shown us that no organisation using the personal data of EU citizens can avoid compliance and accountability.

Perhaps the most comprehensive data privacy standard to date, the GDPR has presented significant challenges for businesses. Organisations have become much more aware about why they are collecting customer data, as well as how it is being handled and stored. Businesses are also facing increased pressure to understand exactly how data is being protected at every point during its lifecycle, in order to assess the risks to their systems and processes. For an organisation of any size, it can be difficult to have a holistic view of data protection, especially when multiple sources and technologies are involved. However, under the GDPR, passing responsibility is not an option – especially since consumers now have the right to ask any organisation what personal information they hold on them, at any time, including having the power to ask for it to be removed from their database.

Has much changed?

Before the GDPR came into force last year, much of the focus was placed on the potential fines and penalties associated with data breaches and a lack of compliance.  The reality is that the GDPR – as well as future data protection laws – should be seen as a positive step in the right direction in the battle to prevent data misuse. These regulations are not designed to discourage the use of data, but to provide consumers with reassurance that their personal information is in safe hands. Data mandates such as the GDPR also encourage businesses to follow best practice when it comes to control and governance, two traits that cannot be overlooked in today’s modern cyber landscape. Because of that, the future of data protection means a commitment to accountability. If organisations wish to use data to gain a competitive edge, they must be prepared to take responsibility for its use and protection. It also means a commitment to transparency. Transparency in telling customers how their data is being collected and used and transparency when it comes to disclosing the scale and affected parties if a data breach does occur. After all, data is any business’s most important asset, regardless of size or sector.

The future of data protection will also require organisations to be much more aware of and educated about legal and policy developments worldwide. In the U.S., for example, more and more states are agitating for tougher privacy and data security regulation. In turn, this is forcing the U.S. Congress to consider a federal data privacy law, something that was unimaginable just a few years ago. As other data privacy mandates start to take the lead from GDPR, it’s likely we will see a ‘ripple effect’, forcing organisations to be proactive about protecting data from the onset, versus taking the usual reactive approach.

As we pass the GDPR one-year anniversary, large-scale data breaches have continued unabated with cyber criminals taking advantage of increased vulnerabilities due to the mass digitisation of data and the advent of new access points stemming from the internet of things (IoT), cloud technologies, blockchain, and digital payments. Hackers know these technologies aren’t going anywhere – after all, the benefits they can provide from a cost-savings and efficiency standpoint are tremendous – so they are focusing on new and creative ways to corrupt organisations.

This is why moving fast to capitalise on these technologies cannot come at the expense of security. In order to provide the best possible compliance and protection, organisations need to embed security into everything they do, ensuring a root of trust from the implementation of technology, to its day-to-day use. I’m encouraged by our recent Global Encryption Trends Study, in which 45 per cent of organisations reported having an overall encryption plan in place, demonstrating a dedication to protecting data.

Cindy Provin, SVP Entrust Datacard and General Manager, nCipher Security