GDPR three years on: How businesses can continue navigating data and privacy
Since its inception three years ago, the General Data Protection Regulation (GDPR) has changed the way that businesses see information sharing and privacy. In many cases, the legislation has armed companies with helpful tools to protect themselves and their customers against data exploitation. However, there is still work to be done to ensure that businesses are giving consumers ample opportunity to understand how their information is being collected and used.
As we continue to navigate working and living digitally, it is now more important than ever for companies to transform the way they share, collect, and utilise data. Below are some insights from industry experts on how the future of data, privacy, and GDPR compliance will be impacted in a post-pandemic world.
Hamish Brocklebank, Head of YouGov Safe
“Data is arguably one of the most valuable forms of currency today. However, unlike other forms of currency, we’re still working out how access to data is ethically governed, controlled and valued.
“The GDPR legislation that came into effect across Europe in 2018 was designed to provide this control and protect against data exploitation. But, more than that, it represented an opportunity to shift our attitudes towards data. The evidence suggests that this is still a work in progress. Many businesses still see data rules as negative stumbling blocks that they have to work around, while there is still widespread consumer concern over the way their data is collected. Despite the introduction of GDPR three years ago, YouGov’s research shows that 58 percent of Britons are still worried about how much data third parties have about them on the internet.
“As the world continues to embrace digital ways of living post-pandemic, companies now have the opportunity to transform the way they access consumer data. Those businesses that start to adopt more ethical practices and start giving consumers more power over their own data will be the winners when it comes to trust and loyalty in the years ahead.”
Darren Guccione, CEO & Co-Founder at Keeper Security
“The introduction of GDPR three years ago has thrust the importance of protecting sensitive data into the limelight. Yet, despite this heightened awareness, data breaches are still a common occurrence and many organisations have to deal with the crippling financial, operational and reputational consequences of these attacks.
“Often, all it takes for cyber criminals to get the keys to the kingdom is weak encryption, plaintext storage and compromised user credentials. In fact, 81% of data breaches succeed due to weak password security and related controls. Organisations that want to properly protect themselves against data breaches therefore need to do two things in particular.
“First, they should provision an Enterprise Password Management (EPM) platform that provides necessary visibility and control over the entire organization’s password hygiene and security. Secondly, they need to ensure the solutions they deploy are built using a zero-trust framework and zero-knowledge security architecture.”
Nick Mills, General Manager, EMEA at CircleCI
“GDPR has and will continue to mandate for businesses to meet strict compliance guidelines. With the regulation now at its third anniversary, security has rightly become a crucial consideration in software development - so much so that an entirely new word, DevSecOps, now exists - signaling security’s significance throughout every stage of integrated software creation and the delivery pipeline. But, acknowledging the importance of security is only the first step. The anniversary of GDPR acts as a marker for companies to be mindful about evolving and managing their own security.
“Businesses must take this moment to look towards technologies which allow them to manage their own security requirements relating to their sensitive keys or secrets. One capability which businesses should look out for in such technologies is a periodic rotation of secrets in order to limit any possible exposure and help prevent a breach from happening in the first place. Only once businesses prioritise their own security will they be able to successfully and securely share their sensitive keys among their team to build, test and deploy CI/CD across multiple projects.”
Tanzil Bukhari, Managing Director, EMEA at DoubleVerify
“Three years on from the General Data Protection Regulation (GDPR) coming into effect, the relationship between advertisers, consumers and data is continuing to transform. Google Chrome is set to join Apple Safari and Firefox and sunset cookies by 2022. Meanwhile, Apple is also restricting the ability of advertisers to track consumers across apps on iOS. As such, the digital advertising technology that has enabled targeting and analytics for the last decade is entering its final stages.
“Businesses must act now to put in place solutions which can ensure both media quality and media effectiveness and can deliver meaningful ad experiences to the right audiences at scale, in a privacy-friendly way. Such solutions should focus on targeting ads through contextual intelligence and should allow for increasing collaboration between technology providers and partners. We can take this moment as an opportunity to build a stronger, safer and more secure ad ecosystem for all.”
Spencer Tuttle, Senior Vice President Worldwide Sales at ThoughtSpot
“The anniversary of GDPR’s enforcement has returned but the debate about the right use of personal and corporate data has not slowed down since GDPR’s inception. GDPR made a requirement for enterprises to communicate openly with data subjects (customers, clients, and consumers) within the European Union. Unfortunately, the ability of many companies to fully adhere to algorithmic transparency requirements, or deal with complex requests from their data subjects, has not really grown over time.
“Understand that transparency is key in this value chain. If the enterprise can’t explore their data and decision-making via an easy analytics system, it’s hard to know how executives can have any trust or understanding on how to make decisions, or to explain and justify them when called to by regulators. Modern data legislation requires modern solutions, not the spreadsheets and desktop-driven data viz tools. To deal with the needs of evolving data regulations in the years to come, enterprises require a modern analytics cloud to serve their customers, understand their business, and better manage governance.”
Drew Bagley, Vice President & Counsel, Privacy & Cyber Policy at CrowdStrike
“A cybersecurity attack puts dramatic pressure on organisations, increasing the risk that GDPR’s security requirements will be breached. When an affected business unknowingly allows attackers time to embed themselves and obscure their activities, then it makes the required mitigation much more complicated and costly.
“Three years into the GDPR era, it’s prudent for every DPO and security team to take a long, hard look at their corporate threatscape, their technological approaches to compliance, and how they protect corporate data. As adversaries (state, non-state, criminal) have evolved their tactics, techniques, and procedures, the risks now faced are different than those conceived at the outset of GDPR, meaning the standard for what’s “appropriate” to protect data must evolve too.
“For example, in an era in which credential theft is leveraged to commit data breaches, ‘Zero Trust’ is a modern approach to authentication that can be deployed to meet evolving security mandates. Don’t forget to focus on data protection holistically: the goal is to protect data wherever it goes, as opposed to meaningless metrics like ‘data never leaves the organisation’. Organisations that find themselves scared of data flows may inadvertently open themselves up to violating the security mandates of GDPR. This is why it is important to not only think holistically but also to see what the regulators do. Larger fines tend to focus on organisations that fail to protect data from a breach, mitigate a breach, or provide proper notice after a breach.
“This means organisations should consider carefully the real risks to data protection and defend against them as per the spirit of the regulation.”
This was posted in Bdaily's Members' News section by Technology experts.