GDPR One Year Later – Cybersecurity Industry Comments

With the upcoming 1-year anniversary of GDPR, here are collected insights from 13 industry experts: 

Experts' Comments:

Colin Bastable, CEO at Lucy Security:

“From a channel perspective, GDPR has created a whole new class of consultancy, with a significant stream of revenue, not just in the USA but globally. This is because the legislation has real teeth, is sufficiently vague to allow for multiple interpretations and applies to anyone doing business with the EU. Most US organizations now know that GDPR exists and ask for advice and training, so GDPR is now a common term, like PCI and HIPAA. 

Has it changed in how companies do business in the U.S. and how has it affected consumers? From the rampant abuse of consumer data privacy and the ongoing tsunami of phishing-led data theft in the USA, one would conclude “not a lot.” 

GDPR is seen as an EU thing here in the USA. Legislatively, the USA works very differently to the EU. In the EU, the unelected Commission “proposes” regulations which are handed down to the subject countries (like Moses receiving the tablets) after “debate”. Most privacy regulation in the USA is driven from the States, as it is easier to get legislation passed at State level, and eventually laws percolate upwards to DC. The ineptitude of FaceBook, Google, Equifax and others, combined with the current 2020 election cycle, where politicians see an opportunity to raise funds or create platforms, has had more impact on the drive for consumer protection than GDPR.

Data leaks still happen, databases are unencrypted, passwords unchanged, so GDPR is an incremental development with little immediate impact on the actual problem of cyber insecurity. Some businesses, however, are starting to seriously audit their data and reduce their exposure. Most businesses still assume that someone else will be hit, and that hackers don’t know or care about them. We know how that ends.”   

Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi:

“For security professionals, on a day-to-day basis, GDPR brought few changes. Large organizations were already engaged in many GDPR requirements, and most of the changes have been procedural for smaller organizations. The biggest impact of GDPR has been not in European capitals, but in Washington, Palo Alto, Sydney and beyond. Privacy is now a popular topic with both politicians and technology CEOs; this is a credit to the rise of GDPR.

Organizations are seeing demands for greater privacy, which means the use of machine identities – like TLS digital certificates – is on the rise. Machine identities create encrypted and private communication, but the increase has stressed some organizations, leading to unplanned outages. There will be longer-term challenges as well. Cloud, AI and DevOps usage is exploding, which means we're seeing more applications and data collected in places that are decentralized and easier to hide. We must make sure user data is not forgotten.

As expected, enforcement has started slowly and without any debilitating fines. But, this can change, especially for non-European businesses. GDPR is creating debate and political action well beyond European Union states. This trend shows no sign of changing for the next few years.”   

Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG: 

“What is the impact of GDPR on the U.S. one year after it came into force? One way to answer this question is to look at the type of company or organization that has or maintains personal info. The US Healthcare industry was less impacted by the GDPR because most of the patients in their care are based in the US. Other organizations that have an international presence, especially in Europe, were most likely already doing something about data privacy, since there were existing regulations in Europe for some time.

GDPR ‘raised the bar’ of consciousness for data privacy with many US companies, as it required them to take a closer look at their data, how they are using it and where it is. With the threat of such large fines for non-compliance and the example of Google paying a fine of over $56 million, companies in the US are starting to realize that managing personal data from customers requires a deeper effort than before.  Customers were initially affected when they accessed websites, as a pop-up window describing the privacy policy is something that almost all websites show customers initially.   

GDPR put privacy controls in the hands of the consumer, rather than in the hands of a business or government. As a result, GDPR has become the blueprint for many other privacy laws coming out in the US, which took those principles and built laws around protecting consumer privacy in their state. The California Consumer Privacy Act (CCPA) is a prime example. There is even talk now of the possibility of a Federal Data Privacy Law in the works.

It has forced the legal and security departments within companies to work more closely together. If you take a look at many companies in the US, five years ago, many companies didn’t even have a CISO. And then when the CISO role became prominent, the main factor was what level of acceptable risk is the company – the Board of Directors – willing to accept.  Now, with the introduction of the GDPR, the question includes a legal aspect.”   

Tom Garrubba, Senior Director and CISO at The Santa Fe Group:

“GDPR is not much on the minds of risk leaders today. The common theme is this: if you’re a mature organization then you’ve most likely taken the time and built privacy “by design” into your risk structure, that is, you’ve found the right people, developed appropriate privacy processes, procedures, linkages, and you’re able to track all points of your customer data internally and externally. Conversely, this causes headaches for many of these companies as they are now afraid of sharing any customer data externally and even internally.

However, there are some organizations who either have done nothing, done very little, or are still taking their time to be in compliance with GDPR. The primary reason for this: these organizations have yet to see any fines associated with a privacy breach (in other words, where’s the proverbial ‘stick’?). Until they see actual fines being levied upon “like” organizations, they’re not going to spend the time and effort to comply with GDPR.”

Dov Goldman, Director of Risk & Compliance at Panorays: 

“Besides the complaints filed against the obvious suspects like Google, Facebook and Instagram, we’ve definitely seen a number of changes to how companies ensure data privacy. These changes include consents for pop-ups, updated privacy policies and more tools enabling user control. That being said, these changes have primarily been limited surface treatment, and much less of the extensive “privacy by design” envisioned by the regulators.   

Many companies have gone through the first phase of assessing their GDPR compliance; they’ve undergone a gap assessment. Where needed, some have performed a DPIA or “Data Protection Impact Assessment,” a more detailed review of the technical and organizational capabilities to ensure privacy for customers or employees. These efforts have led firms to update privacy policies and implement tools to enable user control over their personal data.   

Few companies, however, have dealt effectively with some of the thorniest issues, including the accountability demanded by the regulation (articles 28 and 30) with regard to third-party data processors.   

My predictions for “Year 2 of GDPR” are: one, the number of staff at Data Protection Commissions in EU member states has grown significantly; therefore, we can expect greater enforcement as a result. Two, growing consumer awareness will mean that the market will begin to demand privacy by design, and people will ultimately shift their business to companies that respect their privacy. High-profile enforcement and big fines against large, well-heeled tech companies may be exciting news, but an educated and demanding consumer may ultimately prove to be the most significant impact of GDPR.

As Data Protection Officers dig in, they will become more aware of the risk their third-party data processors expose them to. In a world where outsourcing is growing by leaps and bounds, third-party data processors may very well represent the lion’s share of any company’s privacy risk. For this reason, managing third-party security will become even more of a priority for businesses.”   

Mike Jordan, Senior Director at The Shared Assessments Program:  

“GDPR was a wake-up call far beyond Europe as companies in the US needed to consider a lot of questions they hadn’t before. When I was at a US-based global manufacturing firm, first it seemed like no big deal since we had few European business units. But once we started poking around, we realized it needed very thoughtful consideration. Discussions quickly developed beyond just talk of compliance. Enterprise strategy had to be refined around Privacy, shifting consumer perceptions, and even considerations about doing business in Europe at all. Those impactful discussions came from a regulation that otherwise affected our company relatively little. 

This same regulation also set a de facto standard for Privacy well beyond its scope. By making the decision to comply with GDPR, organizations made the decision to model their programs around the strictest Privacy requirements around, and this certainly moved the needle in improving Privacy practices.   

Given the massive impact of GDPR, members of our third party risk management association use a toolkit to help them manage the GDPR requirements of their third parties. The free toolkit helped many organizations get compliant, and also helped them hone their processes for managing Privacy risk in general. Because GDPR is the most stringent set of Privacy requirements, the GDPR Privacy Tools became suitable for far more than just GDPR-related work. Nearly any third party privacy due diligence requirements can be addressed using the tools, including assessing Private Health Information and Consumer Privacy controls. We are working on expanding requirement checklists into other areas like the California Consumer Privacy Act (CCPA) as well, which owes much of its existence to GDPR’s impact.” 

Willy Leichter, VP at Virsec:

“In many ways, the leadup to the GDPR going live last year felt like Y2K – a global scramble to get ready, causing lots of uncertainty. But when the ball dropped, it seemed like nothing happened, and little enforcement has been apparent. But given the slow, deliberate pace of EU bureaucracy, after the first year, we’re probably just getting started. Enforcement actions by European data privacy authorities prior to the GDPR averaged over 330 days, so it seems likely that some big wake-up-call penalties are on their way.   

The other tangible effect of the GDPR has been on prompting other countries and states to consider enacting similar regulations. California (which enacted the first breach notification law more than 15 years ago) has already passed a consumer data privacy act modeled after the GDPR, and other states and the US government are likely to follow to varying degrees.”   

Pankaj Parekh, Chief Product and Strategy Officer at SecurityFirst:

“In the last 12 months, almost every enterprise customer we visited was motivated by a GDPR compliance discussion. While it seems that big enterprises have put some GDPR compliance practices in place and are protecting part of their data, midsize companies are now asking similar questions. Also, the big companies who have initially deployed some security solutions for GDPR compliance are asking questions about continuous data protection and security that follows the protected data.   

Most companies have made progress as far as check-box consent (as long as they are not pre-checked boxes), but the areas they are struggling with the most are the requirements for the “processing of personal data” and the “security of processing”. They must understand how personal data is processed and implement the security measures to make sure data is secure and monitored at all times. And they must handle their customers’ wishes: only process data as authorized by the user, with access based upon processing role or function, only for the purpose the data was collected and only for the time needed per function or upon the user’s delete/forget request. While GDPR is seen as a privacy law, you truly cannot have privacy without data security.   

Compliance and enforcement of GDPR are just getting started. Companies haven’t yet understood the full extent of GDPR. Also implementation of “right to forget” has not been thought through thoroughly in the enterprise yet.   

GDPR has great influence on almost every privacy law. Some are more strict in their reach and enforcement than others like CCPA. As GDPR enforcement starts to trickle down to small to mid-size businesses, the automation and scale requirements will change as well along the way.  Not only has GDPR had impact on privacy laws, but it is also starting to impact other parallel standards body organizations, like creating draft proposals for protecting the data integrity and privacy through the supply chain.”   

Laurence Pitt, Security Strategy Director at Juniper Networks:

“The biggest difference since the introduction of GDPR is that data is now part of every conversation. Understanding what data is being captured, stored and processed is often a business priority and one that is shared through the business, from the IT team setting up policies and security measures to retail workers needing to get permission from customers signing up for loyalty cards. The GDPR has made the world sit up and listen, as other countries have started to implement their own versions (Brazil, Singapore, Australia, Philippines, even the U.S.). While the GDPR is still the only regulation to be implemented with a global reach, that will very likely change in the coming years.

We also know that many businesses are not 100% compliant and are working hard on this. Across the board, I have seen a willingness for enterprises to discuss their journey to GDPR compliance as well as share information on successes and challenges, which is a very positive development in our industry. Ultimately, we’re going to see more data breaches in the coming year, some targeted against very visible data-holding organizations, so it’s now more important than ever for businesses to be ready to respond when, not if, they’re attacked.”

Paul Russert, VP at SecurityFirst:

“The biggest operational impact has probably been the requirement in Article 5 for “data minimization”, as it forces companies to figure out what data they already have, why it was collected and if it is still needed. In what seems to be a honeymoon period, the data protection authorities in the EU seem to be more focused on companies making corrections to comply going forward and assessing smaller fines rather than setting a grand example by levying large fines at the defined maximum levels of €20,000 or 4% of revenue.

The California Consumer Protection Act was accelerated due to the highly publicized misuse of personal information by Cambridge Analytica more so than GDPR. CCPA focused mainly on the online collection and management of consumer personal data for business applications. Where you see more of an influence of GDPR is in the Brazil General Data Protection Regulation and proposed legislation in countries that do a lot of trade with the EU (including the US, which already has the Privacy Shield in place) to help meet the GDPR’s “suitable level of data protection on the basis of an adequacy decision” and make data transfer easier with EU countries.”

Ryan Tully, VP of Product Strategy at STEALTHbits Technologies:

“One year later and the ripples of the GDPR are being felt globally – perhaps nowhere more so than the United States. The GDPR is a clear influencer of the California Consumer Privacy Act due to launch in 2020, with more regulations being discussed across the country. 

One area that the GDPR advocated was “Privacy by Design”. Suddenly organizations had to shift to ensure data was protected in multiple layers or else risk real repercussions from the breach or loss of data. While not all organizations are there yet, the concept of controlling and securing data is more ubiquitous than ever before. Granting the ability to request all collected personal data or to have it purged is a massive shift of power to the consumer. 

While data breaches still remain a common topic in the news, the impacts of the GDPR and subsequent domestic regulations that come as a result of those should truly give people transparency and control over their personal information, one regulation at a time.”   

Christian Vezina, Chief Information Security Officer at OneSpan:

“Over the past few years we have seen an increase in vendor oversight regulatory requirements. This is partly due to the number of data breaches and security incidents involving third party service providers. Organizations have implemented more comprehensive vendor due diligence programs. Regulations such as the GDPR have put even stricter due diligence requirements on organizations, especially around vendors’ ability to meet applicable privacy compliance obligations. Privacy is starting to be an important part of standard vendor assessment processes. Service organizations having a higher level of privacy maturity will benefit from a shortened sales cycle, as they will be in a position not only to demonstrate their compliance, but to assist their customers in meeting their own compliance obligations.   

The heavy fines that can be imposed by Data Protection Authorities under the GDPR are meant to be dissuasive. Organizations are taking note that the regulators mean business. Data breaches happen, but how organizations react, and how fast they notify their DPA, will directly impact the fines, if any, that will be imposed upon them. Organizations will not want to be hit with additional penalties for missing the 72-hour reporting deadline. Although there may not actually be more data breaches, breaches are more likely to be reported.”

George Wrenn, CEO at CyberSaint Security: 

“Starting a year ago and even before during its development, the General Data Protection Regulation forced organizations both within the EU and abroad to consider the impacts of data privacy and protection – both positive and negative. Bringing these concerns to light created a movement fostered by EU citizens, in partnership with regulatory bodies, as well as the private sector. It has been a true collaboration in the right direction and its effects have overflowed into other regulations in non-EU regions such as the US’s California and others.   

Firstly, the GDPR has fundamentally changed the way that we as businesses bring solutions to market. Maintaining the integrity of our data protection and privacy program means that we cannot simply bombard databases with unsolicited information anymore; we have to thoughtfully curate a message, value proposition, and outreach that is both authentic and thoughtful, with the recipient’s desires and preferences in mind, in order to have them opt in to receiving information from us. Secondly, maintaining this integrity means that we have to prioritize the security and privacy of the consumer as our number one concern. This is long overdue as the number of data breaches is quickly increasing year over year, and there needs to be a standard set of best practices to both maintain our businesses’ reputation and keep consumers safe – two ideas that are fundamentally entwined. Although some businesses may consider the GDPR requirements to be a difficult change, I believe that transparency, personalization and security and privacy should have been the foundation of organizations’ go-to-market strategies long before the GDPR. This regulation raises the bar for how we as businesses treat the modern consumer.

The GDPR has certainly spurred more conversation in the United States around data privacy and protection. The NIST Privacy Framework has grown a massive following and is highly anticipated in part I would argue because of the GDPR movement. California has instantiated privacy laws, and many other states are planning on following suit. Data privacy and protection has become a federal and state issue in the US and only continues to grow momentum.    

I believe that this regulation’s development is an interesting example of collaboration much like the NIST Cybersecurity Framework’s development, which my team and I had a part in as well. It was a good example of public, private, and citizen partnership, and there was momentum growing from all three segments, for a variety of reasons, that seemed to foster communication and collaboration that I hope continues when developing new regulations like the GDPR.” 

Jake Olcott, VP of Government Affairs at BitSight: 

GDPR has brought executive-level focus to cyber risk, including risk posed by third party “data processors.” Given the vast amount of outsourcing, gaining real-time insight into the cybersecurity and data handling practices of these data processors – which can sometimes number in the hundreds or thousands – presents the greatest challenge that companies will be dealing with today and in the future.  

GDPR may be positively contributing to measurable improvements in the security posture of European companies. BitSight continuously collects cybersecurity performance data on over 180,000 companies across the globe. This massive data set — well over 150 billion events collected on a daily basis — includes infections, machine compromises, and vulnerabilities resident within organisations. BitSight compiles data from these organisations to create continental security insights.

Since GDPR was adopted last year, BitSight has observed security performance improvement among European organisations. This steady performance is in contrast to the security performance of organisations in other continents, where performance is significantly lower – and in some cases, has actually declined over the year. Since 1st May 2018, European organisation security performance improved 1.8% over the year, while cybersecurity performance across other continents has generally worsened. Africa (-1.3%), the Middle East (-0.7%), North America (-0.4%), and Oceania (-3%) all worsened over the year, while Asia (0.4%) improved slightly. Only South America improved more significantly (2.4%).

Of note, European organisations have done a far better job than their international peers in implementing stronger controls to reduce Internet exposed services (open ports). As of 1st May 2019, European effectiveness in securing open ports was nearly 100 points higher (672) than the next continent, Oceania (588), and 108 points higher than North America (564).