On Friday, May 25th, 2018, I was presenting on the topic of the General Data Protection Regulation (GDPR) at a conference in Bangkok, so to mark the occasion I decided the best course of action would be to have a GDPR cake delivered. On checking social media, it transpired that there were plenty of other folks who had the same idea. I make no apologies for considering some sort of GDPR cake smash event, which seems to be a thing now for first birthday celebrations. That said, I feel very strongly about wasted cake, so I quickly decided against it. So here we are, one year down the line, with GDPR celebrating its first birthday. Time for more (unsmashed) cake? Of course! It has been an interesting first year for sure, but as GDPR is the biggest change to data privacy legislation in a generation, it has not been entirely plain sailing, and it is still early days.
Now you are one!
Doesn’t time fly when you’re having regulatory fun? I say this, clearly, with my tongue pushed firmly into my cheek. Preparing for the GDPR was far from an enjoyable experience, but it does seem that this year has passed incredibly quickly. During the run-up to May 25th, 2018, commentary varied from Y2K bug comparisons to frenzied obsession over the maximum fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher) and everything in between. There was much FUD (especially from vendors promising magic bullets), there was much confusion, and there was much work to be done for the majority of organizations around the world. Preparations took over many people’s lives, it was hard work trying to decipher legalese, and as the date approached there was a large degree of crossing fingers and hoping that one’s definition of readiness was going to be enough.
Not too dissimilar a situation to being a first-time parent, and there are some parallels to be drawn between a 365-day-old human and the regulation itself.
GDPR is still finding its feet
The European Data Protection Board (EDPB), also celebrating its first birthday on May 25th (I have no doubt that there will be cake), is the successor to the Article 29 Working Party and is tasked with providing clarity on some of the vagueness that constitutes GDPR. This is very much still an ongoing process. The EDPB website is brimming with guidance (hooray!), in addition to details of public consultations where it seeks the “views and concerns of all interested stakeholders and citizens”. Which means you can help shape the world of GDPR. This collaborative approach may be surprising to some folks outside of the EU, yet it has long been how EU regulation is shaped and interpreted.
GDPR is creating a lot of noise
For those of us who are classed as EU data subjects, our web experience has arguably taken a turn for the worse, with some sites blocking all access from EU IP addresses rather than deal with the regulation, and many more websites bombarding us with multiple consent questions before we can get anywhere near their content. It is highly likely that many of us now treat website privacy controls in a similar vein to an end user license agreement (EULA): keep clicking ‘I agree’ until the darn boxes go away, which rather defeats the purpose of informed consent. On the plus side, at least the barrage of emails asking us to re-subscribe has died down. It is also rare for a week to pass without at least one major data breach hitting the newsstands, which is good from a transparency perspective, but the risk of breach fatigue has never been more real.
GDPR has cut its teeth
The Supervisory Authorities said repeatedly that the maximum fines would be reserved for the very worst offenders, yet for the doomsday side of the house the GDPR fines have, as yet, been underwhelming. When <insert data breach name here> occurred in the days leading up to the regulation coming into effect, there were certainly armchair “lawyers” calculating how many millions an organization would have been fined if only GDPR had been in play. That is not to say the Supervisory Authorities haven’t been handing out fines (the total currently stands at over €55 million), in addition to a plethora of other enforcement measures, plus audits, advisories, and monitoring.
GDPR has kept its parents busy
In the first nine months, over 200,000 GDPR-related cases were logged with supervisory authorities, roughly 65,000 of which were data breach notifications. The Information Commissioner’s Office (ICO), which is the supervisory authority for the UK, warned back in September 2018 that a degree of over-reporting was happening, with around a third of the data breach reports made to its phone lines turning out to be unnecessary. Not every security incident is a notifiable breach: Article 33 requires notification to the supervisory authority, where feasible within 72 hours of becoming aware, only where the breach is likely to result in a risk to individuals’ rights and freedoms. The guidelines on personal data breach notification, drafted by the Article 29 Working Party and endorsed by the EDPB, not only help clarify that requirement but also serve as a reminder that “a key element of any data security policy is being able, where possible, to prevent a breach and, where it nevertheless occurs, to react to it in a timely manner.”
GDPR will continue to mature
With the regulation still very much in its infancy, it is no surprise that many organizations are still getting to grips with exactly how to meet its requirements. The fundamentals remain true: know what personal data you have, know why you have it, limit access on a need-to-know basis, keep it safe, keep it only as long as you need it, and be transparent about what you are going to do with it. The devil, as always, is in the detail, so it is imperative to keep a close watch on developments from the EDPB as it continues to provide clarity. It will certainly be interesting to see, a year from now, how much the state of the GDPR union has moved on.
Further reading, should you wish. You may have noticed my dig at vendors promising magic bullets in the run-up to GDPR; in the interests of credibility, I should say that I do not have anything even close to such a thing. What I do have for you is a whitepaper that explains how Exabeam can help you from a security perspective, by reducing the risk of external and internal threats and speeding up your incident investigation and response capabilities. Do take a look: https://www.exabeam.com/library/adhering-gdpr-security-controls-exabeam/