The GDPR Honeymoon is Over

June 13, 2022

Accountability is a foreign concept in most global political arenas, but it does hold a bit more weight when assigned to global corporations. Four years ago, last month, May 28, 2018, the European Union changed the face of information privacy and rewrote the meaning of organizational security and information risk with the passage of the General Data Protection Regulation. GDPR is a regulation in EU law regarding data protection and privacy in the European Union and the European Economic Area. The GDPR is a vital component of EU privacy law and of human rights law.

The law redefined what personal data and consent meant, imposed new data subject rights and brandished stiff penalties and fines for those not in compliance. GDPR became a compliance milestone for anyone who processes EU citizens’ personal data, while it has provided a harmonized standard for almost 500 million citizens. Despite the global impact, many influential countries like the United States, China and Russia have failed to adopt a national privacy regulation standard, unlike countries like Bahrain, Israel, Qatar, Kenya, Nigeria, South Africa, Japan, New Zealand, South Korea, Argentina, Brazil and Canada that have done so.

In the U.S., however, one state, California, did mirror the EU with a privacy law of its own. The California Consumer Privacy Act (CCPA) is a state privacy law that was signed by Governor Jerry Brown on June 28, 2018 and became effective on January 1, 2020. It grants consumers rights with respect to their personal information that is collected by businesses and requires businesses to be transparent regarding how they use personal consumer data. On March 2, 2021, Virginia passed its Consumer Data Protection Act (“CDPA”), the second comprehensive consumer data privacy law in the United States. The CDPA will go into effect on January 1, 2023. The CDPA applies to persons or entities that conduct business in Virginia or produce products or services offered to Virginia residents and that “control or process” personal data. The states of Washington and New York are also looking for fast-track similar privacy legislation.

But as global political and social issues tug at the political fabric of information privacy not just in the EU, data privacy experts are worried that evolving cyber threats might undo some of what GDPR has accomplished.

“Now four years into the launch of GDPR, organizations must act to replicate their data across data centers in different countries and secure their encryption keys. While it is clear that the regulation has been fairly effective in keeping data within European borders thus far, other external influences such as international conflict and cyber criminals becoming more sophisticated are now throwing GDPR, and data privacy in general, through another loop,” says David Friend, co-founder and CEO, Wasabi Technologies. “No one knows what the geopolitical atmosphere will be like or how cybercrime will have evolved in, say, five years, and organizations do not want to end up in a situation where their data access is cut off due to war ransomware, or other cyber threats. Therefore, effective data replication and encryption practices are more critical than ever.” 

Adds Robert Former, CISO and VP of Security at Acquia: “GDPR forced the world to think about privacy in technology and how to build future technology that meets what GDPR requires. Companies have learned that when it comes to regulatory and compliance matters, paying attention after it’s too late can quite literally cost them everything. So, GDPR has also forced companies to take security seriously. There is no such thing as too much security and it’s important for companies to be sharply aware of their data i.e., what data you have and need versus what’s not necessary as well as understanding the controls legally required to accompany that data.

As we trend toward a data environment that’s increasingly regulated, bringing security into C-suite discussions becomes even more critical. We are out of the honeymoon phase, next is more enforcement.”

About the Author: Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes magazines Security Technology ExecutiveSecurity Business and Locksmith Ledger International and top-rated webportal SecurityInfoWatch.com. Steve can be reached at [email protected]

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazine's Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series.Steve can be reached at [email protected]