Two years on from GDPR – what can we learn?
It was recently reported that GDPR has led to over 160,000 breach notifications across Europe, and it’s estimated to have generated 114 million euros in fines since it was introduced. But in the time since its implementation, what has the regulation achieved? How has it affected businesses? Should this news be a wake-up call to business leaders that more needs to be done to combat the ongoing and ever-worsening effects of data breaches? To understand the full implications of GDPR, we need to look back over its progression.
GDPR was implemented approximately twenty months ago, but has it really had the impact it intended? The purpose of GDPR was to standardise and modernise data protection laws across EU countries in order to protect the personal information of individuals.
In March last year, almost a year into the policy, expert commentators suggested that the first year “should be considered a transition year”, as regulators spent significant time and effort finalising rules and approaches, as well as tying up loose ends from previous regulation. This aside, with regards to breach notifications, the laws could be considered successful. Across Europe, nearly 60,000 breaches were reported in the first eight months of GDPR, a “massive increase” according to Stephen Eckersley, the head of enforcement at the U.K. Information Commissioner’s Office. However, the implementation of the fines has taken longer to come into play.
Throughout the first nine months of GDPR, the total penalties added up to almost 56 million euros, according to a report from the European Data Protection Board. However, this is caveated by the fact that a single 50 million euro fine, against Google in January, accounts for nearly 90% of the sum.
Would imposing the fines on a stricter basis lead to businesses taking more responsibility for cybersecurity? Quite possibly! Implementation of GDPR has certainly raised awareness of cybercrime, both within the public domain and amongst industry. However, there is no question that we all should be doing more to protect our data.
When the regulation was implemented in 2018, it was suggested that GDPR required a “state of the art” approach to ensuring the “ongoing confidentiality, integrity, availability and resilience of processing systems and services”. While many IT leaders initially interpreted this to mean that they should focus on providing industry best practices and frameworks, the large number and severity of breaches suggests that this approach is not sufficient. For example, an offensive security strategy might be more effective.
Given the continued discrepancies between cyber-skills supply and demand, it’s no surprise that organisations are consistently outsourcing their security services in order to effectively configure, manage and automate their endpoint security. Third parties can provide key alerts on patching, ensure security is always properly configured, and deliver risk and impact-assessed change management. This reduces the productivity drain on an organisation’s workforce, as well as reducing the chances of bearing heavy GDPR fines in addition to the costs of whatever damage a potential breach causes.
So, to recap, what have we learned? In many ways, GDPR is positively impacting the world of cybersecurity. It’s raising awareness of the issues around data breaches and making businesses take responsibility for something that they can protect themselves against. In many cases, security budgets are being increased, and data protection officers are being appointed.
However, there is clearly more to be done. For example, even in September last year, a report from the Capgemini Research Institute suggested that less than a third (28%) of companies polled considered themselves GDPR compliant. It’s evident that becoming GDPR compliant is a process that will need to be continuously worked on. It’s not merely a box-ticking exercise, and despite being almost two years down the line from implementation, the process is still ongoing. Based on these figures, it seems there is a long way to go before most companies are GDPR compliant. Nonetheless, as companies come to terms with the requirements of GDPR, proactivity to become compliant may well be the catalyst and the first step on the road to achieving their cybersecurity goals.
If you’re interested in learning more about the security services that Orange Cyberdefense can provide, please don’t hesitate to get in touch here.