Blog articles

One year of GDPR: What we’ve learned, and what’s next

By John Elliott

Twelve months ago, it was almost impossible to escape the online cacophony around GDPR. Whether you were an org leader, IT professional or just a consumer, it seemed every technology conference, company, blog post and tweet was talking GDPR. So did the world overhype GDPR’s impact, or is this just the calm before the storm?

What's actually happened in the last 12 months?

If you consider regulatory action (i.e. fines) as a benchmark of GDPR’s impact, then it appears the new regulation has had little effect. Law firm DLA Piper reported that just 91 penalties had been issued in the first eight months of GDPR. Of the fines that have been made public, the most eye catching is the nearly $56 million penalty imposed on Google by French regulators because of how Google used personal data for advertising.

But that hasn’t been the norm. In the first nine months of GDPR, supervisory authorities across all 28 EU countries received 94,000 complaints and reports of 64,000 data breaches—yet, again, only 91 resulted in fines. Those that were fined, though, exhibited alarming behavior by even mediocre security standards.

For example, a social network in Germany was fined $22,000 for being hacked and storing passwords without using encryption. And a Portuguese hospital received a $447,000 penalty for not managing access to clinical records properly; it was discovered that the hospital was providing 985 physician accounts with access to data, even though the hospital only employed 296 physicians.

Fines, however, are not just limited to security failings. A Polish company that “scraped” data from public sources received a $250,000 penalty for failing to respect people’s right to be informed about the processing of their data.

In the eye of the regulatory storm

In the months before May 2018, experts predicted an avalanche of penalties and fines. So why the slow start?

The fact is regulators don't operate at speed when it comes to enforcement, especially because all enforcement actions can be challenged in the courts. If you look at historical cases under the old data protection laws, it is not uncommon for the time from breach notification to fine to be over 18 months. It is also fair to say that the supervisory authorities have been overwhelmed by the work that GDPR has brought.

However, even if it doesn’t appear so on the surface, work is being done and breaches are being investigated. Many organizations have been asked to respond to regulators’ questions about data processing, and some are conducting thematic reviews across certain sectors. Regulators are also quietly in the background working with organizations to educate and change entrenched behavior.

As we move into the back half of 2019, we'll start to see more regulatory intervention in the form of fines, but also stern instructions to organizations to change the way they process data. And when the first large fines land for inappropriate security leading to breaches materialize, we’ll have passed through the calm eye of the storm and start to feel the force of regulation.

What should organizations be doing?

Given we are in the eye of the GDPR storm, now is the time to batten down the hatches if you haven’t already. It is important to maintain the good practices I hope you put in place in the run up to last May. When it comes to maintaining good practices, I see four key areas for IT professionals and leaders to concentrate:

1. Records of processing

Regulatory investigations often start with a request for an organization’s records of processing, which describe the lifecycle of personal data across all systems. Although a GDPR project may have established these records in an initial instance, regular business change makes them quickly out of date. Make sure they are kept current during change—and if you don't actually have any, now is a great time to start. Not only will you be able to better respond to a regulatory request, but your information security colleagues will stand a much better chance of securing the data if they know where it is.


2. Non-functional requirements

It's not just records of processing that become out-of-date. Whenever new systems or processes are deployed that do something with people's data, it’s really important that the GDPR non-functional requirements are taken into account, to ensure people's rights over data relating to them (and their perception of how your product is using that data) can be honored and satisfied. I recommend creating a set of non-functional requirements from GDPR and building these NFRs into new systems, which will make sure that data protection is enshrined in your business and applied to every project by design and default.


3. Security

The threat landscape changes constantly, so every organization should be able to confidently verify they’re taking the appropriate technical and organizational measures to protect personal data. If you carried out a risk assessment before May 2018, now is the time to revisit it. One important aspect to remember is that GDPR isn't just worried about a breach of confidentiality—if data is not available, and that lack of availability has an impact on the rights and freedoms of individuals, that’s also a breach of GDPR.


4. Breach response

GDPR’s requirement to inform the supervisory authority within 72 hours of becoming aware of a personal data breach means that it’s important to keep your legal team or data protection officer (DPO) closely involved in your incident management process. If you haven’t had a reportable breach in the past 12 months, make sure you conduct a table-top exercise and involve the DPO. Ensure the organization knows how to—and who to—report a data breach to.

What to expect in the next twelve months

When supervisory authorities start to ramp up enforcement and penalties, there will be lots of noise from blogs, analysts and Twitter. Trying to find actionable insights from that noise will be difficult—and is made more difficult by that fact that this coming period is uncharted territory for most companies.

I’d recommend that every three months you look at what supervisory authorities have done and ask yourself two questions:

1. Given the same circumstances, could this have happened to us?

2. And if so, how could we have prevented it?

One of the biggest benefits of asking these types of questions: They encourage open and frank communication between teams. Even cases that are not IT-specific—such as issues of how organizations chose to use data, or cases where organizations didn’t adequately respect the rights of individuals—can provide great opportunities to learn.

GDPR is a slow-burning change to how organizations process and secure data relating to people. The past 12 months have been quiet, but as supervisory authorities start to take very public regulatory actions, expect the pace to pick up.

About the author

John Elliott is a respected cyber security, payments, risk and privacy specialist. He helps organizations balance risk and regulation with business needs. He was a member of the technical working groups of the PCI Security Standards Council and actively contributed to the development of many PCI standards including PCI DSS. John is particularly interested in how organizations or regulators assess trust in the cyber security and privacy posture between relying parties. A passionate and innovative communicator, he frequently presents at conferences, online and in boardrooms