GDPR: The First Two Years and Future Challenges

The date of May 25 2018 will surely be viewed as a watershed moment when the time comes for historians to analyze the rise of digital technology and, consequently, the privacy and availability of data. It was the day the General Data Protection Regulation (GDPR) came into force, legislation introduced primarily to unify data protection rules across EU member states and to enhance individuals' privacy and data rights.

Two years on, this momentous piece of legislation continues to be a very influential topic across all industries. Nevertheless, it is fair to say the regulation got off to a rather inauspicious start following its rollout. "There were a lot of companies that were very ill prepared," noted Paul Edon, senior director, technical sales and service at Tripwire.

Lack of Preparedness

Whether this was due to complacency on the part of organizations following years of limited enforcement of the existing data protection rules, or to a lack of understanding of the new law, is a matter of debate.

Some companies left work such as identifying the personal data they held, and contacting the people on their systems, until the final few months before the law became active, and that undoubtedly played a part in their lack of readiness. Possibly a bigger issue, however, was the extent of poor advice being given to firms. Brian Honan, CEO of BH Consulting, commented: "My concern is that in the rush to be ready for the GDPR before 2018, and indeed since, many companies have engaged with individuals or organizations which haven't given them proper advice with regards to their requirements."

Becoming GDPR-compliant has also proved to be no simple task for a lot of businesses, often requiring the manual sifting and consolidation of data built up over many years and sometimes spread across different systems. This is before matters like contacting customer and subscriber bases with privacy notices are even considered.


Early Light Touch Approach

It was partly for this reason that so few fines were handed out during the first year of the GDPR, according to Edon; indeed, of the €55.96m in fines issued by the end of the first year, €50m came in a single case, against Google. "The initial response of the Information Commissioner's Office (ICO) and other authorities across Europe was a light touch, so probably for the first six to eight months it was trying to educate when they found organizations were either non-compliant or had a breach," he observed.

This lenient approach was also a product of the ICO and other relevant regulators themselves becoming used to the new legislation. Jonathan Armstrong, Partner at Cordery, said: “It was unrealistic to think that we were going to get 1000 big fines in the first year because when you’re looking at things like data breaches, they take a while to investigate, and regulators have got to get the first few big fines right; if they don’t, they’ll be appealed.”

There was, however, a noticeably more hard-line approach taken by regulators in the second year of the GDPR, with substantial fines proposed (though not necessarily finalized or paid) against major organizations across Europe such as the hotel group Marriott and British Airways (BA) for data breaches and instances of non-compliance.

Effectiveness So Far

When assessing how well the GDPR has fared so far, it is worth re-emphasizing the primary purpose of the legislation: to enhance the privacy and data rights of individual citizens. It is against that standard that much of the judgement should be made.

In terms of improving people’s understanding of issues surrounding privacy and their individual rights, it has certainly had a major impact. Edon outlined: “The public have a much better understanding of what their rights are and how they can go about protecting their own data. They’ve realized they are actually responsible for their own data, and that they can take action that will help them feel more comfortable.”

Having a more educated public has also translated into greater scepticism about the use of data by governments and public authorities, potentially helping to prevent nefarious or even totalitarian uses. This can be observed in the efforts made by authorities to develop COVID-19 contact-tracing apps in response to the current pandemic: calls for safeguards on how such data is used, and for how long it is retained, have been extensive. "We see much more nuanced and open debate when it comes to government initiatives and what they want to do with regards to new systems or ways of managing and using people's personal data," noted Honan.


Increased Emphasis on Cybersecurity

The GDPR is also improving the cybersecurity practices of organizations, even though this is not the primary objective of the legislation. With the prospect of enormous fines for data breaches (up to €20m or 4% of annual global turnover, whichever is higher), businesses have become far more serious about securing their systems. Honan said: "We're seeing many organizations using their obligations under the GDPR as a reason to ensure systems are upgraded to the latest operating systems and that the appropriate investments are given to cybersecurity controls and also into user awareness."

Another significant impact of the GDPR is its worldwide influence, becoming a catalyst for much more stringent and wide-ranging data protection laws to protect individuals globally.

Tim Mackey, principal security strategist at the Synopsys CyRC, commented: "At present we're seeing the GDPR influencing global legislation and not the reverse. The California Consumer Privacy Act (CCPA), New York SHIELD Act and Brazil's General Data Protection Law are all examples of legislation or proposed legislation following the principles created by the GDPR."

Future Challenges

Despite these clear positives, there remain substantial challenges that need to be taken on by both regulators and organizations. The first is very simple: achieving a reduction in the number of breaches that occur. Whilst many organizations are starting to invest more in cybersecurity, there is still much room for improvement.

According to Edon, there needs to be a focus on intensive training at a micro level in organizations, taking a preventative approach. “Even now, most breaches are a result of negligence,” he said. “There is still a massive gap in the knowledge of general workers. You have a small team in each company that knows all about the GDPR, but unfortunately they’re not the people that handle the data. The people that handle the data on a daily basis have very little or no training. What we need is much more interactive training, and it shouldn’t be once a year, it should be ongoing consistent training.”


Furthermore, the over-reporting of minor breaches by businesses, whilst not the most serious problem on its face, has served to overload authorities like the ICO and thereby delay more important investigations. The GDPR requires a personal data breach to be notified to the supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; that risk-based threshold is precisely what many organizations struggle to apply. The issue is, to some degree, understandable, with businesses erring on the side of caution given the potential for a large fine for failure to report a breach properly. However, solutions are needed to ensure the work of regulators is not hampered.

“Companies need to ensure they have an appropriate methodology that they can use to identify what the threshold is for when they should report a breach and then report a breach subsequent to that,” said Honan.

Another glaring issue has been the lack of consistency in the actions of different enforcement agencies across Europe. Armstrong said: “Some countries are bringing lots of cases and some are concentrating on one or two big investigations. I think we’ve started to see a division between the many small fines in places like Spain and Romania, and the few large fines in other countries.”

Clearly there is a need for greater harmony between enforcement agencies if this situation is to improve, but that is easier said than done.

“There needs to be closer co-operation in some of these cases,” outlined Edon. “The fact the case takes place in France, for example, doesn’t mean other authorities can’t have an input. By having four or five different state authorities having some kind of communication across these cases, you will find that the fines would start to level out.”

Brexit and GDPR

The issue of Brexit has been a constant presence during the lifespan of the GDPR: the UK voted to leave the EU in June 2016, only weeks after the regulation was adopted. Although the regime has been mirrored in the UK's Data Protection Act 2018, and will therefore continue to apply in some form to UK companies, a number of issues remain to be resolved before the end of the transition period in December 2020, including ensuring that data transfers between the EU and the UK can continue over the long term.

In Armstrong's view, what is required is flexibility and a sense of co-operation, particularly in light of the current COVID-19 crisis: "I hope the ICO acknowledges businesses have had to do their Brexit preparations at the same time of responding to the COVID-19 pandemic and are slightly forgiving if anyone is behind on their Brexit programs."

COVID-19 and GDPR

Finally, a topic that cannot be ignored when it comes to the GDPR, as with so many other areas of life, is the current COVID-19 crisis. In addition to adding to cybersecurity concerns, the unprecedented and sudden growth in the number of people working from home also poses extra data protection challenges for companies, not least where staff end up holding local copies of personal data on home devices. "As many organizations are not used to working with remote workers, they probably didn't have the architecture in place that allowed for easy access to the systems, which would suggest that the only way they could work from home would be to have localized copies of the information they need access to," explained Edon.

In consideration of the difficulties many businesses are facing as a result of the global pandemic, the ICO has stated that it will be more lenient in its regulatory action at the current time.

Conclusion

Considering the complex and wide-ranging nature of the GDPR, it is unthinkable that there would be no glitches or challenges in the early years of its life. Organizations and regulators appear to be learning over time, and it is hoped that this gradually improves data protection practices, serving to reduce breaches and ultimately to enhance the privacy of individuals. "With two years of investigations and appeals, we're gaining clarity on how businesses approach the topic of data protection and the complexities involved when data rights are defined based on residency," outlined Mackey. How this translates going forward will be intriguing to see.

However, arguably the GDPR's biggest legacy to date has been to raise awareness of privacy issues and rights amongst the general population, which is vital in an increasingly digitalized world where nefarious uses of data and cybercrime are growing menaces.
