mixmagic - stock.adobe.com
Industry reflects on three years of GDPR
Looking back on 12 tumultuous months, we assess how GDPR has weathered the effects of the Covid-19 pandemic and Brexit, and consider what the coming year may hold for data protection
In the past year, it would be eminently fair to say that the focus of the cyber security industry has not necessarily been on compliance with the General Data Protection Regulation (GDPR). Rather, with a surge in threats, and a great many significant and impactful cyber attacks, it is easy to see why attention fell elsewhere.
But GDPR keeps on keeping on, and as it reaches its third anniversary on 25 May, data protection experts are once again assessing the impact of the wide-reaching regulations.
Rob Elliss, Thales VP of data security for EMEA, said many people are still questioning whether or not the legislation has been effective, but on the whole, pronounced himself pleased with the overall position.
“What is clear is that some businesses that have been justifiably caught out are being hit with big fines, arguably putting those ‘teeth’ questions to bed,” he said. “On top of that, GDPR has been a driver for innovation by improving businesses’ cyber security posture through data visibility and protection, as well as standardising process across the EU digital market.
“It’s a legislation that allowed for customer-centric cyber security to emerge in the dialogue for protecting privacy rights in the digital era – and one that’s inspiring the rest of the world, notably the US.
“However, when GDPR was first drafted, the legislation did not necessarily account for the adoption of new technologies and rapid migration to the cloud brought on by the pandemic. In this remote working era, businesses needed to digitally transform almost overnight just to keep the lights on without necessarily incorporating security in the design of new systems and processes.”
In the UK, 2020-21 was notable in GDPR news for the temporary relaxation of investigations and fines by the Information Commissioner’s Office (ICO), a mitigation measure taken in the light of the pandemic, but one that may have had a knock-on effect in terms of overall compliance, at least according to Oliver Cronk, chief IT architect at Tanium.
“Since the [ICO] announcement was made, it’s highly possible that GDPR compliance has become less of a focus for some organisations,” he said. “When you combine this with the fact that many organisations have had their attention drawn to other priorities during the pandemic, I believe some oversights could happen which will incur large GDPR fines over the next year or two.”
A further effect of the pandemic has been the proliferation of new data types, much of it relating to public health – such as Covid-19 test results, antibody tests and, lately, vaccination status. IntSight’s chief compliance officer, Chris Strand, said: “The risk of that data being used erroneously, exposed, or exploited, could trigger further refinement of the enforcement mechanisms used to measure and enforce penalties for violations of data use under the GDPR.”
Brexit at last? UK remains in limbo
For readers in the UK, the past 12 months have brought further change with the ending of the transition period at the stroke of midnight on 1 January marking the UK’s final departure from the EU.
To recap, although the UK has secured an adequacy ruling to maintain the security of data moving across the new border with the EU-27, a review decision on this ruling is expected within the next month.
But the ongoing pandemic has to some extent masked some of the full effects of Brexit – and many others may not be felt for months or years to come – and the true impact on GDPR is no exception to this, said Elizabeth Schweyen, Druva’s senior manager of global privacy and compliance.
“The UK finds itself in a period of transition post-Brexit where they’ve been in a holding pattern waiting to see which transfer mechanisms will be put in place and exactly how businesses should alter their practices in response,” she said. “However, it is clear that regardless of what exact measure is enacted, data privacy will continue to remain a key focus.
“UK GDPR and EU GDPR are very similar, so there is a chance that data transfers won’t be affected. It is also possible that new fines imposed by regulators will highlight exactly how they are interpreting GDPR laws moving forward. This is why businesses will need to be prepared for any changes they may need to implement, in advance of clear guidance from EU or UK policymakers.
“Regardless of what is to come, it is safe to say businesses need to keep on top of the recommendations and information being shared by data protection authorities. With the UK, as well as separate states in the US, drafting varying privacy regulations, there is an ever-growing volume of laws and guidelines that businesses will be expected to follow and comply with in the coming years.”
The next 12 months
As the world begins to emerge from the pandemic, Tanium’s Cronk advises organisations to take advantage of the next few months to reassess how they are operating to ensure that the new processes and ways of working adopted during the past year are fully compliant in the “new normal”.
“To correctly follow the guidelines, enterprises should work with their DPOs to provide support for the whole organisation,” he said, “particularly when new operating models and processes have had to be introduced overnight in many cases.
“Examples of these changes are sectors such as hospitality, which are now collecting more personal information from customers than ever due to new pandemic-related processes, and it’s easy to fall into the trap of not clearly declaring what the data is being used for, how it’s being processed and how long it will be kept. Organisations need to make sure compliance for post-pandemic processes aren’t overlooked or they may be in for nasty surprises, such as fines, in the future.”
Thales’ Elliss added: “Organisations must be aware of the compliance implications of any remote working policies they put in place. DPOs have a huge role to play in ensuring their companies understand these regulations and where they need to adapt. Otherwise, we could see GDPR catching more law-abiding companies through simple mistakes, rather than its true remit of finding companies that are intentionally putting customer data at risk.”
Such a situation was aptly highlighted in the recent fall-out from the Schrems II ruling on Privacy Shield, potentially creating issues for those that have stuck by the law. Elliss said: “With GDPR leading the way and the US following suit, understanding compliance has never been more important.”
Read more about GDPR
- The EU Cloud Code of Conduct, which aims to help IT buyers source GDPR-compliant cloud services, has found favour with the European Data Protection Board.
- The 90% reduction in the fine levied on BA over a 2018 data breach has legal experts talking about the ramifications for the future of data protection.