A year after the introduction of the General Data Protection Regulation in the European Union on May 25, 2018, the protection and privacy controls of personal data remain hot-button issues. Social networks such as Facebook, Instagram, YouTube, Twitter and scores of e-commerce businesses have felt the heat to upgrade the way they process, store and analyze personal data, which they all use to make money.
More regulations are coming: California’s Consumer Protection Act of 2018 goes into effect Jan. 1, 2020, and several other U.S. states are expected to follow suit next year. CCPA makes nationwide organizations protect California residents’ personal data, and subsequent laws will do the same for other jurisdictions.
In the eyes of many people, those online businesses still haven’t done enough to tighten security, enable more opt-in choices and assuage the fears of users who rely on their services to buy things, connect with friends and family, and post videos of their vacations. They simply don’t trust that these networks will protect their personal information from hackers and from other retailers who want in on all that user data.
A year later—despite the fact that all of these businesses ostensibly have had their users re-read and re-select their preferences about how they want these networks to handle their data—there’s still a lot of work to do for everyone involved. Consumers are not exempt from this responsibility; estimates are that less than 1 percent of them actually read the fine legalese print whenever one joins a social network or agrees to an online transaction.
Survey Shows a Lot More Awareness Is Needed
In recognition of GDPR’s first anniversary, nCipher Security conducted a survey to gauge American awareness of and sentiment about data privacy and security laws and issues. The results point to a healthy distrust among Americans about data sharing, and it offers a look at how Americans view data privacy responsibility and what they know about data protection regulations.
A key metric from the survey data indicated that protecting personal information has become of paramount importance for many Americans. More than half (52%) of Americans said data privacy is important to them. Forty-one percent said protecting their personal information is their top concern. Thirty-two percent said safeguarding their personal data is as important to them as their own physical protection.
There’s a healthy amount of distrust among Americans about how organizations are using their personal information. Sixty-four percent said they don’t believe organizations are completely transparent with how they use their customers’ personal data. Almost half (49%) said they don’t trust companies to keep their private data secure. That may explain why 44% said they don’t want to share their personal data under any circumstances.
eWEEK also collected perspectives from a number of IT thought leaders on the GDPR, one year out. Here they are.
Cindy Provin, CEO, nCipher Security:
“Government mandates such as GDPR and the CCPA, which are fundamentally designed to discourage the misuse of data, give consumers the reassurances they want. There’s an unprecedented awareness of the importance of data security, with business customers and consumers alike demanding trust, integrity and control when it comes to how companies manage their data. The best defense is a proactive one, and the right mix of data security tools and internal education provides a firm foundation. Encryption, digital signing and key generation are critical components of any data security strategy, as properly encrypted data is useless to hackers even if a breach does occur.”
Raj Rajamani, VP of Products, Cohesity:
"While some organizations may feel they have done enough to meet GDPR requirements, many are still finding it difficult to keep data safe and to meet GDPR policies because of a critical challenge called mass data fragmentation. With mass data fragmentation, enterprise data is siloed and copies of the same data are spread across any number of locations on-premises and in the cloud. Organizations often have no idea what data they have and what personal information is stored in those copies. In fact, in a recent global survey, 91 percent of respondents said they were concerned about the level of visibility that the IT team has into secondary data across all sites.”
Alan Conboy, Office of the CTO, Scale Computing:
“With the one-year anniversary of GDPR, the regulation has made an impact in data protection around the world this century. One year later with the high standards from GDPR, organizations are still actively working to manage and maintain data compliance, ensuring it’s made private and protected to comply with the regulation. With the fast pace of technology innovation, one way IT professionals have been meeting compliance is by designing solutions with data security in mind. Employing IT infrastructure that is stable and secure, with data simplicity and ease-of-use is vital for maintaining GDPR compliance now and in the future.”
Samantha Humphries, Senior Product Marketing Manager, Exabeam:
"With the GDPR still very much in its infancy, many organizations are still getting to grips with exactly how to meet its requirements. The fundamentals remain true: know what personal data you have, know why you have it, limit access to a need-to-know basis, keep it safe, only keep it as long as you need it, and be transparent about what you’re going to do with it. The devil is in the detail, so keeping a close watch on developments from the EDPB will help provide clarity as the regulation continues to mature.”
Rod Harrison, CTO, Nexsan, a StorCentric Company:
“Any EU customers can request that companies delete all of the data that is held about them, permanently. The difficulty here lies in being able to comprehensively trace all of it, and this has given the storage industry an opportunity to expand its scope of influence within an IT infrastructure. Archive storage can not only support secure data storage in accordance with GDPR, but also enable businesses to accurately identify all of the data about a customer, allowing it to be quickly removed from all records. And when, not if, your business suffers a data breach, you can rest assured that customers who have asked you to delete data won’t suddenly discover that it has been compromised.”
Alex Fielding, iCEO and Founder, Ripcord:
“My advice to anyone struggling to achieve and maintain GDPR compliance is to develop and implement a full compliance program, beginning with digitizing and cataloguing your customer data. When you unlock the data stored within your paper records, you set your company up for compliance success.”
Wendy Foote, Senior Contracts Manager, WhiteHat Security:
“If GDPR can be implemented to protect all of the EU, could the CCPA be indicative of the potential for a cohesive US federal privacy law? This idea has strong bipartisan congressional support, and several large companies have come out in favor of it. There are draft bills in circulation, and with a new class of representatives recently sworn into Congress and the CCPA effectively putting a deadline on the debate, there may finally be a national resolution to the US consumer data privacy problem. However, the likelihood of it passing in 2019 is slim.”
Scott Parker, Director of Product Marketing, Sinequa:
“Organizations perceiving the regulation as an opportunity versus a cost burden have experienced the greatest gains. For those who continue to struggle with GDPR compliance, we recommend looking at technologies that offer an automated approach for processing and sorting large volumes of content and data intelligently. This alleviates the cognitive burden on knowledge workers, allowing them to focus on more productive work, and ensures that the information they are using is contextual and directly aligned with their goals and the tasks at hand.”
Caroline Seymour, VP of Product Marketing, Zerto:
“Despite the gravity of these regulations and their mutually agreed-upon need, many companies may remain in a compliance ‘no man’s land’– not fully confident in their compliance status. And as the number of consequential data breaches continue to climb globally, it is increasingly critical that companies meet GDPR requirements. My advice to those impacted companies still operating in a gray area is to ensure that their businesses are IT resilient by building an overall compliance program. By developing and implementing a full compliance program with IT resilience at its core, companies can leverage backup via continuous data protection, making their data easily searchable over time and ultimately, preventing lasting damage from any data breach that may occur.”
Matt VanderZwaag, Director of Product Development, U.S. Signal:
“Moving to an infrastructure provided by a managed service provider with expertise is one solution, not only for maintaining GDPR compliance, but also implementing future data protection compliance standards that are likely to emerge. Service providers can ensure organizations are remaining compliant, in addition to offering advice and education to ensure your business has the skills to manage and maintain future regulations.”
Lex Boost, CEO, Leaseweb USA:
“From a hosting perspective, managing cloud infrastructures, particularly hybrid ones, can be challenging, especially when striving to meet compliance regulations. It is important to find a team of professionals who can guide how you manage your data and still stay within the law. Establishing the best solution does not have to be a task left solely to the IT team. Hosting providers can help provide knowledge and guidance to help you manage your data in a world shaped by increasingly stringent data protection legislation.”
Neil Barton, CTO, WhereScape:
“Whether your organization is currently impacted by the GDPR or not, now’s the time to prepare for future legislation that will undoubtedly spread worldwide given data privacy concerns. It’s a huge task to get your data house in order, but automation can lessen the burden. Data infrastructure automation software can help companies be ready for compliance by ensuring all data is easily identifiable, explainable and ready for extraction if needed. Using automation to easily discover data areas of concern, tag them and track data lineage throughout your environment provides organizations with greater visibility and a faster ability to act. In the event of an audit or a request to remove an individual’s data, automation software can provide the ready capabilities needed.”
Nathan Turajski, Security Operations and Data Security lead at Micro Focus:
"Tips for making GDPR work for you:
- "Start with data discovery and classification to assess risk and focus on what's most important-you can't proceed further without this clear visibility into what matters most.
- "Understand that you can't protect everything, nor should you-critical data such as PII must be protected, while data hygiene and other retention policies can help lower risk and optimize IT as a side-effect of proper data governance.
- "Apply the most appropriate protection to meet the use case. Data-centric security, such as format-preserving encryption, can protect data in use while leaving it open to analytics or similar applications, while link encryption is fundamental to data mobility; multi-layered security lowers risk, but usability need not be compromised on the road to privacy compliance.
- "Approach GDPR and beyond as a journey. Implement a consistent and reliable framework to address privacy controls across the entire information lifecycle, from the point that data is created or ingested into the organization to its eventual retirement. In that way, you can reduce gaps in security that expose risks, as well as be ready for the road ahead as new data types and new rules come into effect, over time making privacy an inherent part of your IT infrastructure strategy as well as preparing data for the value creation opportunities ahead with greater confidence."
Peter Waters, Vice-President of Legal at Equinix EMEA:
"So how has GDPR changed the data privacy world as we know it?
- "The most important after-effect of GDPR has been raised awareness. In getting ready for GDPR, and maintaining that position, organizations have been doing their own risk assessment and analysis and recognizing that the reputational and financial risks are just too great. Data privacy has been a core theme for many big tech giants, and those who work closely with them, and they have publicly committed to making significant product roadmap updates which keep data privacy as a core focus area.
- "Data privacy is no longer a B2C issue. As end users ask more questions about how their personal data is being used throughout the supply chain, B2B enterprises are identifying the solutions that suit their business and understand the implications of implementing or foregoing various data privacy measures.
- "Awareness has also resulted in new legislative debates and policies that are in the works. The California privacy law is a great example of that. For businesses committed to data privacy, this is a positive step but can also be challenging in terms of implementation. Lack of standardization among all geographical regulations can be extremely complicated to navigate for global companies distributed across multiple markets. If we think about the U.S., a more centralized federal approach to data privacy laws would be extremely beneficial for companies.
"While the GDPR regulations have been a good start, there is work to be done on data privacy compliance, getting it right can help foster better relationships with customers and end users recognizing that your priority is meeting the highest possible safety standards when handling their personal data."