Now that we’ve seen the May 25 deadline for the EU’s General Data Protection Regulation (GDPR) come and go, all personal data will be secure, and consumers will no longer need to worry about leaks, exposure, and breaches of their information. Right?
Maybe things aren’t quite that utopian. Still, GDPR has surely bolstered consumers’ security expectations and encouraged many organizations to revisit their security posture, especially those not otherwise bound by sectoral privacy regulations such as PCI-DSS and HIPAA. It’s likely that the security improvements in response to GDPR will continue to accumulate over time, even if there are few visible changes in the short term. So, is the world now a more secure place, and what else needs to be done to assure the public about the use of their personal data?
Here, we will review the short-term outcomes of GDPR, consider potential effects in the future and present immediate actions that individuals can take to secure their data and reduce the volume of their personal information held by companies. We also recommend short- and long-term strategies for organizations that want to publicly assure consumers of their commitment to data protection, considering the current availability of third-party attestation and certification programs, and provide advice for vetting privacy professionals and audit firms.
With such a brief time under GDPR, it’s hard to tell whether there has been any true reduction in security incidents involving personal data. When Australia implemented new data breach notification regulations in February 2018, the number of reports skyrocketed. In the first six weeks of the new law, 63 breaches were reported, in comparison with only 114 for the entire previous year. The increase was almost certainly due to greater reporting rather than an increase in absolute breach numbers, and it will take time to see measurable improvements in actual security.
In the short term, there are many factors impeding GDPR-related changes to security. Many organizations are overwhelmed with or confused by the requirements and feel a sense of defeat. Others want to avoid being the most egregious non-complier, so as to escape penalties, but are hesitant to sacrifice profitable practices before their competitors do, creating a sort of prisoners’ dilemma. Others have taken advice primarily from legal counsel, who may focus on contractual requirements rather than the vague security principles briefly covered in Article 32, which lack measurable objectives. There is little actionable guidance from the newly implemented European Data Protection Board or the Article 29 Working Party it replaced.
Individuals are also quickly finding new options to access, modify and export their personal data, which could revitalize a sense of genuine data ownership and control for the public. However, in the rush to formulate a process to comply with the data subject rights in Articles 15 to 22, inexperienced organizations may struggle to consistently acknowledge and process these inquiries, especially where these processes are manual (e.g., requests handled through a shared mailbox such as email@example.com). What is the impact? If the organization fails to meet customers’ expectations by mishandling requests or forcing them through a tedious and difficult process, customers will lose confidence in the organization’s security and data protection. Also, these expanded consumer rights present new avenues for phishing attacks that may inadvertently lead to a data breach, as organizations attempt to deliver personal data back to data subjects or to other organizations when honoring access and portability requests without adequately verifying who is asking.
Compounding the challenges, there is not yet an Article 42 certification framework, nor is there any formal mapping to or recommendation of some other framework to follow such as ISO 27001. Finally, without any successfully enforced fines to date, many organizations are choosing the “school of fish” strategy common when the Gramm-Leach-Bliley Act (GLBA) was implemented in 1999. Astute governance, risk and compliance (GRC) managers may skim through some general requirements while saving most of their remediation energy and budgets until it’s clear which requirements will be heavily enforced.
Despite these challenges, the GDPR likely will have a cumulative impact, with organizations adopting responsive security measures based on enforcement precedent and certification frameworks. If supervisory authorities emphasize security in certification requirements and punitive enforcement, organizations’ risk appetite will adapt to the new environment. As in Australia, the court of public opinion may hold even more sway due to the reputational risk associated with data breach notification. The B2B ecosystem will also move security forward incrementally, as enterprise vendor procurement and oversight programs incorporate GDPR-compliant security expectations.
The regulation also places significant pressure on organizations’ strategic plans to grow the confidence of their customers, partners and shareholders. Organizations will need to consider their financial investments in solutions to manage risk appetite more than ever before. This may include the implementation of industry best practices for security, upgrading security appliances and mandating continual training for staff. For publicly traded organizations, the data privacy and security budget and level of effort will be a frequent and expected boardroom topic.
Initially, consumer confidence may dip during the period in which data breach notification becomes more common. However, organizations with strong monitoring technology and well-considered incident response plans can retain some of the trust lost after a breach. Consumers will expect communication and transparency after their data is leaked, and excellent post-breach customer service can salvage some of the damage. Let’s learn from the useless Equifax data compromise-checking tool debacle or the official Equifax Twitter account directing users to a spoofed website. Organizations that have implemented GDPR-compliant incident response plans will be ready to accept responsibility and provide consumers with information about why the breach happened, how they may be affected and what the company will do to mitigate the damage and prevent future incidents.
While much of this potential progress may only materialize over months or years, proactive organizations can use the GDPR as an opportunity for greater engagement with their user communities and enterprise customers right now. Annual privacy notices and program updates can improve consumer confidence, while soliciting user feedback for a privacy by design program could strengthen relationships with the organization. This is also a fitting time for consumer education campaigns to teach users about privacy rights and good security practices. Organizations can develop user rapport and a reputation for transparency by educating consumers about data collection and processing, providing clear and detailed information on any data-sharing arrangements or legal disclosure obligations, and explaining user choices and rights for all uses of personal data.
With so much focus on organizational compliance and privacy adoption, it’s easy to overlook the important role that individuals can play as their own privacy and security advocates. Educated consumers understand their rights as data subjects and can play a critical role in advancing GDPR-compliant security practices. Motivated individuals can use their rights to rectification, objection, portability and erasure to “vote with their data” by withdrawing access to their information from negligent organizations. Individual privacy activists can also act as whistleblowers, submit complaints to supervisory authorities or even file lawsuits against companies in violation of the GDPR. When certifications and industry codes of conduct become available, consumer pressure can encourage adoption of the frameworks. By exercising their rights, data subjects can create a more secure world for themselves immediately, even if the baseline for organizational security takes some time to reflect GDPR-related progress.
Recognizing the long runway for observable security changes, what can organizations do right now to assure consumers of their commitment to the security practices which make privacy possible? Until the supervisory authorities implement certification frameworks, attestation of GDPR compliance by a qualified independent audit firm, paired with relevant security certifications such as SOC or ISO 27001, will have to suffice. It is critical that organizations only work with competent and qualified assessors to avoid costly mistakes or poor advice. Look for professionals who hold security certifications such as the CISA or CISSP together with the CIPP/E. Avoid expecting technical advice from legal counsel and involve the security team in GDPR remediation planning. Provide consumers with transparent information about your security program and accept any feedback or criticism from individuals.
GDPR enforcement actions likely will begin to trickle into the news soon, and organizations should take these cues to home in on critical vulnerabilities. Those who are prepared and first in line to complete certifications as they become available will earn excellent PR and strengthen their consumer reputation. Don’t forget about upcoming legal developments such as the looming ePrivacy Regulation. Consider public perception in incident response planning and keep communication channels open for consumers to submit security concerns. You’ve made it this far, but it’s not time to relax about GDPR security just yet.