What Have We Learned in the Past Year?

By Terence Jackson, CISO at Thycotic

GDPR went into enforcement almost one year ago on May 25, 2018. What have we learned in the past year? What fines have we seen? Did it make a difference?

May 25, 2018, was similar in mindset and action to January 1, 2000. We all thought the world was going to end as we knew it. It did not. What we have learned over the past year is that not much has changed. GDPR was beneficial in that it gave individuals greater control over the use of their personal data, but has that made them any safer overall? According to a February survey released by DLA Piper, 59,430 breaches were reported in the first 8 months of the regulation, with only 91 fines, the largest being the one levied against Google by the French Data Protection Authority. Aside from the large financial losses, it seems like a lot of work for not very much reward. This also tells us that the majority of companies are not being fined for mishandling data.

Has this really been the magic bullet European regulators had hoped for? It may be too early to tell, but it has forced companies globally to rethink how they collect, process and share data. Inadvertently, it has also stretched the human and financial capital of many smaller organizations that didn’t have dedicated staff to implement proper GDPR policies and documentation. One of the largest beneficiaries of the regulation has been legal experts who were retained to help companies navigate the vague language of the regulation.

As the CISO of a global company, I have also felt the impact. From consulting with legal counsel, training IT staff on how to respond to deletion requests and having conversations with all of our vendors in regard to their GDPR posture, it has definitely added cycles to our already busy day to day schedules. But we live in a digital world and the one thing that hackers are after in any attack that is of value is data, whether it’s exfiltration or ransomware, malicious insiders or a nation-state. It’s all about the data and we have to do better.

The benefits of GDPR have definitely been in favor of the consumer. Eleven states excluding California have introduced similar legislation, and Congress has also introduced multiple data privacy bills such as the Social Media Privacy and Consumer Rights Act of 2019. I don’t have a crystal ball, but I can pretty confidently predict that GDPR paved the way for an onslaught of new laws and regulations to govern data privacy, and in the aftermath of all of the Facebook lapses, it’s clear that we are at a tipping point. Recently, the Georgia Supreme Court ruled that the state has no obligation to protect personal information. This ruling is a glaring example of the need for Federal laws that will govern data privacy and protection statutes for consumers, and it will likely usher in a new wave of legislation.

I have summarized below what I see as the immediate pros and cons of GDPR so far:

Pros:

  1. Increased data privacy and security
  2. More transparency on how companies collect, use and share data
  3. States such as California (CCPA) are using the regulation to draft their own data privacy laws which are a win for the consumer.

Cons:

  1. The vagueness of the regulation requires companies to hire expensive lawyers and
  2. The huge amount of breach notices has overburdened Data Protection Authorities
  3. Larger companies had to hire/appoint a Data Protection Officer

What will the next year bring? I can confidently predict more breaches, more fines, and more paperwork.

About the Author

Terence Jackson, CISO, Thycotic: With more than 17 years of public and private sector IT and Security experience, Terence is responsible for protecting the company’s information assets. In his role, he currently leads a corporate-wide information risk management program. He identifies, evaluates and reports on information security practices, controls, and risks in order to comply with regulatory requirements and to align with the risk posture of the enterprise. Prior to joining Thycotic, Terence was the Director of Cybersecurity and Professional Services for TSI, a Virginia based Inc. 5000 company. He has also worked as a Senior Security Consultant for Clango, Inc., a top Identity and Access Management (IAM) consultancy. He was featured in and was a contributor to the book “Tribe of Hackers.” He can be reached at https://www.linkedin.com/in/terencejackson and at Thycotic’s site https://thycotic.com.