It’s hard to believe we’ve almost reached the one-year anniversary of the date the General Data Protection Regulation (GDPR) went into effect. Leading up to that May 25, 2018 date, news headlines were dominated by fear, uncertainty and doubt over whether organizations would successfully comply in time.
Over the past year, we saw an endless stream of stories about companies getting slapped with fines for violating various regulations within GDPR. In fact, a recent report by DLA Piper found that almost 60,000 breaches have been reported over the past year and more than 90 fines imposed.
While GDPR has certainly raised a number of legitimate security and compliance concerns for organizations around the world doing business with EU citizens, it has also pushed them to improve data privacy efforts and strengthen their overall risk posture. And, with its one-year anniversary in sight, there’s no better time to shift the GDPR storyline from a tale of non-compliance to one of security prowess.
In this light, here are three ways I believe U.S. organizations have greatly benefited from GDPR.
1. GDPR has prompted organizations to improve their incident response strategies
GDPR requires organizations to report a breach to the supervisory authority within 72 hours of discovery. And “reporting” the breach goes well beyond simply notifying authorities that it happened. Organizations must also include breach details, such as the nature of the breach, the approximate number of data subjects and personal data records affected, the possible consequences of the breach, and measures taken or proposed to address the breach.
Without an incident response plan and automated data collection and analysis technology, it’s nearly impossible for any company to meet this 72-hour deadline, which is why we’re seeing organizations take a hard look at their operational readiness to react to a breach.
Following this internal assessment, many companies are modernizing their incident response capabilities by doing things such as documenting an incident response plan, hiring a data protection officer, defining team members’ roles and responsibilities, deploying automated data collection and analysis technology, and implementing data protection impact assessments.
A strong incident response program is not only critical to meet GDPR’s 72-hour breach notification deadline, but it’s also instrumental in limiting the damage of an attack – which, in today’s cybersecurity landscape, can be just as valuable as preventing a breach in the first place.
2. GDPR has forced organizations to take internet of things (IoT) security more seriously
IoT has exploded the attack surface, making visibility into all connected endpoints across all computing environments a major challenge for many IT departments. This isn’t something to take lightly, as IoT visibility is central to GDPR compliance (and also security) – after all, you can’t protect the unknown.
To leverage IoT without introducing unnecessary risk, many organizations are turning to network visibility technology that enables them to gain an accurate understanding of the state of their network infrastructure, including endpoints and IP addresses on the network, how they’re moving, potential leak paths, anomalous traffic, etc. Armed with this knowledge, they can then protect IoT devices and data as specified by GDPR, while identifying potential threats in near real time.
3. GDPR has better prepared organizations for U.S. data privacy regulations
California is paving the way for additional U.S. data privacy legislation with its Consumer Privacy Act. Whether at a state or federal level, new U.S. privacy laws are coming, and companies that already adhere to GDPR will be ahead of the game when these regulations are enacted. Hopefully this means we can avoid the barrage of fear, uncertainty and doubt around whether companies will meet new compliance deadlines and instead focus on how U.S. companies are exhibiting greater control over personal data.
GDPR’s next chapter
We’ve seen a number of GDPR storylines play out over the past year, but I hope the next chapter is focused on how the regulation is helping companies around the world take user privacy more seriously and strengthen their risk posture.
GDPR provides a strong security and compliance framework, so, as companies continue to become more GDPR savvy, it stands to reason that their security and compliance programs will continue to become more effective at reducing risk. And hopefully then, we’ll see the number of reported breaches as well as the number of fines imposed for GDPR violations decrease significantly.