In the year since it went into effect, the European Union's General Data Protection Regulation (GDPR) has heightened awareness of data privacy issues and driven some important changes in how US companies handle consumer data. However, most organizations appear to be a long way off from implementing GDPR's core requirement for a privacy-by-design model for data protection, security experts say.
"As we wrap the first year of GDPR, most businesses progressed on accountability," says Jean-Michel Franco, a GDPR and data privacy specialist at Talend.
Many organizations have set up or refreshed their legal framework for data privacy, improved defenses against data breaches, and begun managing user consent more rigorously.
"But significant gaps toward compliance are generally still to be addressed," Franco says. Chief among them is the challenge many organizations face in capturing and reconciling all the data they have about their customers and employees and implementing the rights to data access and other rights available to consumers under GDPR, he says.
A Sweeping Mandate
GDPR went into effect May 25, 2018. The statute is designed to ensure that organizations handling personal data on EU residents take proper measures to protect that data against misuse. It provides for administrative penalties of up to 4% of an organization's annual global turnover or up to 20 million euros ($22.4 million), whichever is higher, for the most serious infringements.
The law requires covered entities to minimize data collection, establish a lawful basis (such as consent) for processing data, and explain to consumers in unambiguous language why they are collecting the data, how they will use it, and with whom they might share it. Organizations must report a breach affecting personal data to the appropriate supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals concerned.
GDPR gives consumers considerable control over how organizations that collect their data go on to use it. Among other things, the statute gives consumers the right to ask organizations for a copy of all their data and to request corrections to the data. Importantly, it also requires businesses to ensure that any personal information that they collect on individuals is portable so that it can be easily transferred to another entity if a consumer requests it. A right-to-be-forgotten clause allows users to ask companies that have their personal data to erase it.
One year after the law went into effect, most of the changes that US companies handling EU data have made to comply with it have been the relatively easy ones. The harder, more meaningful changes needed to implement privacy by design and privacy by default remain a long way off, security experts say.
"Besides the complaints filed against the obvious suspects like Google, Facebook, and Instagram, we've definitely seen a number of changes to how companies ensure data privacy," says Dov Goldman, director of risk and compliance at Panorays. Many organizations have updated their privacy policies, added consent pop-ups, and made tools available that give users more control over their data.
Scratching the Surface
"That being said, these enhancements have primarily been limited surface treatments and much less of the extensive 'privacy by design' envisioned by the regulators," Goldman says.
One big change that GDPR has fostered is that it has forced companies to widen the definition of personal data that needs to be protected, according to the International Association of Privacy Professionals (IAPP).
US state laws have varying definitions of what constitutes personally identifiable information from a breach disclosure standpoint. An individual's date of birth alone, for instance, is often not considered private data. It is only when that data is leaked in combination with an individual's first and last name or last initial that the data is considered personally identifiable — and that, too, not in all states.
Data elements regulated under GDPR include postal address, email address, racial and ethnic information, religious belief, sexual orientation, and criminal records, the IAPP said in a recent blog post. "US privacy professionals working for compliance with the GDPR are having to broaden the scope of their privacy programs to account for this wide definition of personal information," the IAPP said.
Heightened Focus on Data Protection
GDPR has elevated data privacy and protection to a boardroom-level discussion at organizations covered by the statute. The statute's requirements for prompt breach disclosure and the hefty penalties it imposes on infringing companies have pushed companies into paying closer attention to what data they already have, where that data resides, and how and why they are collecting more data.
"GDPR has brought executive-level focus to cyber-risk, including risk posed by third-party data processors," says Jake Olcott, a vice president at BitSight. For many organizations, GDPR is forcing a greater focus on gaining real-time visibility into the data-handling practices of outsourcers and other third parties with whom they share data, Olcott says.
GDPR has also prompted a lot of breach disclosures. An infographic that the European Commission (EC) published in February showed that around 41,500 data breaches were reported to data privacy authorities after GDPR went into effect last May. Global law firm DLA Piper assessed the number to be a much higher 59,000 data breaches, based on its own research.
The EC said that between May 25, 2018, and the end of January this year, data privacy authorities had received as many as 95,100 complaints under GDPR from individuals across EU member nations. The EC said it had enforced the rules on cross-border companies — such as social media platforms — a total of 255 times since GDPR went into effect.
The biggest fine under GDPR through the end of January 2019 was one assessed by France's data protection authority, CNIL, against Google for 50 million euros ($56 million) for a lack of transparency and for failing to obtain valid user consent for personalized advertising. The two other GDPR-related fines assessed by national data protection authorities by the end of January 2019 were one against a German social network operator for 20,000 euros and one against an Austrian cafe for 5,280 euros for unlawful video surveillance.
Daniel Barber, co-founder and CEO at DataGrail, a privacy management platform, says GDPR has spurred calls for similar mandates in other parts of the world, including the US, where as many as 10 states are considering privacy reforms. "It is undeniable that GDPR has been a catalyst and has served as a template for a worldwide wave of impending privacy regulation," Barber says.
Even California's Consumer Privacy Act (CCPA) — which becomes effective early next year — has similarities to GDPR, although it was motivated by very different reasons, Barber notes. For instance, both statutes provide for increased data control and transparency for consumers. However, CCPA, which was spawned in the wake of the Facebook/Cambridge Analytica data-sharing scandal, also includes other requirements around how organizations share consumer data, he notes.
Hard Work Ahead
For all the attention that GDPR has focused on data privacy, most organizations are nowhere close to having data architectures that integrate privacy by design or privacy by default.
For example, despite GDPR's storage-limitation principle and its right-to-be-forgotten clause, many companies continue to amass data that is no longer needed, a survey by Varonis found earlier this year.
The security vendor discovered that, on average, a stunning 72% of folders, representing over half of a company's data, are stale. Ninety-five percent of the companies in the Varonis survey had 100,000 or more files containing stale data on employees and customers, heightening the risk of noncompliance with GDPR's right-to-be-forgotten clause, among other things.
Most companies have also made progress in terms of getting more user consent, says Pankaj Parekh, chief product and strategy officer at SecurityFirst. They continue to struggle with more fundamental GDPR requirements for processing of personal data and for ensuring security of that processing.
Organizations need a scalable way to ensure that data is handled according to an individual's wishes and only for the purpose for which the data was collected and only for the time needed to complete the specific function for which it was collected, Parekh says. "One of the biggest problem areas from an operational point of view has been to understand and prove that protected data is always protected," he notes. That means knowing where the data is, understanding how critical the data is, and tracking it as it moves through the enterprise, Parekh says.
The GDPR requirement that organizations only use third-party processors that can provide sufficient guarantees about their data protection measures is another thorny area, as is the need for them to maintain a record of their own processing activities, adds Panorays' Goldman.
"Few companies have dealt effectively with some of the thorniest issues, including the accountability demanded by the regulation with regard to third-party data processors and the requirement for notification to the supervisory authority within 72 hours of a breach being discovered," he says.
There are other issues as well. Most companies covered under the mandate are unable to provide individuals with access to their personal data as required under GDPR. A survey that Talend conducted found that 70% of companies were unable to provide access to personal data despite claiming to offer such access in their privacy notices, Franco says.
Organizations also have to deal with the cost and manpower implications of GDPR compliance. Most companies are spending at least six figures on technology and consulting services, and 25% are spending $1 million or more on compliance, Barber from DataGrail says. In addition, there are the human costs. "Most companies assigned dozens of employees to dozens of meetings while getting ready for GDPR," Barber says, referring to a recent survey that DataGrail conducted. "Privacy management decision-makers frequently spent at least 80 hours personally preparing for GDPR." The DataGrail survey showed that companies also had to deal with hundreds of privacy rights requests, spanning dozens of business systems and third-party services.
Achieving compliance is only part of the job; sustaining it is an ongoing effort, Barber says. "Much of the other work to ensure sustained compliance requires companies to better understand in what business systems regulated data resides and update internal procedures when systems are added or collect additional data."
The EU's relatively light enforcement of GDPR may be encouraging some organizations to hold off on major changes. Besides the $56 million fine on Google, all of the other penalties combined so far have been less than 400,000 euros, Goldman says.
One likely reason is that GDPR enforcement is local, meaning that the data protection authority of each EU member state is responsible for oversight and enforcement in its own country. With the exception of the UK Information Commissioner's Office, with its roughly 500 employees, most other data regulators have been understaffed and therefore unable to enforce the statute more vigorously.
"If this trend continues, it will mean that companies won't work towards GDPR compliance because they will believe that it won't be enforced," Goldman says. But given the sweeping privacy trends and concerns, it is unlikely regulators will let that happen, he says.