23rd May 2019
GDPR - One Year On
Comments on the GDPR one-year anniversary from Imperva, LogMeIn, KCOM, Socialbakers, SailPoint, Veritas Technologies, Delphix, SAS UK & Ireland and Mitek.
The comments include:
- Spencer Young, RVP EMEA at Imperva, explains the urgency for companies to act now to ensure their organisation doesn’t suffer in the long run
- Gerald Beuchelt, CISO at LogMeIn, describes the importance of password security in light of GDPR
- David Francis, Information Security consultant at KCOM, explains how data privacy is now a recognised cornerstone in customer relationships
- Yuval Ben-Itzhak, CEO at Socialbakers, describes the future of businesses in light of GDPR
- Mike Kiser, Global Strategist and Evangelist, SailPoint, explores the cybersecurity implications of GDPR on businesses so far
- Jasmit Sagoo, Senior Director, Northern Europe at Veritas Technologies, believes that most organisations have done the bare minimum when it comes to data handling and storage; however, GDPR has improved transparency
- Benjamin Ross, Director, Delphix, discusses how modern data masking solutions can help businesses easily achieve GDPR compliance by identifying confidential information, masking sensitive data values, and centrally managing data copies
- David Smith, head of GDPR technology, SAS UK & Ireland, explains that although we might all be bored of GDPR now, it’s the beginning of the new era of data privacy - businesses can’t just roll their eyes. Powerful data discovery is at the heart of compliance
- Rene Hendrikse, EMEA MD, Mitek, comments on the importance of mobile for customer service in light of GDPR – and which mobile technologies are helping businesses comply with regulation while ensuring customers have the best and most secure online experience
Full comments below:
Spencer Young, RVP EMEA at Imperva:
“GDPR has fundamentally changed the UK’s data protection landscape. The regulation has meant that regardless of the industry or location, any business that holds and processes personal data must prioritise data protection. But have organisations learnt anything in the past year when it comes to protecting their data?
“One year on, the majority of businesses in the UK are not taking GDPR seriously compared to those outside the EU. There is an obvious lack of awareness amongst organisations that don’t take into account the potential consequences of failing the requirements. According to Hiscox, in a survey of SMEs in the UK, nearly 40% of them did not know who the legislation even affects.
“With large brands such as Google already tripping up on their GDPR journey, it comes as no surprise that other businesses are following suit. In March this year a medium-sized Polish company was fined 220,000 EUR, because they did not tell people that their data would be processed. GDPR is not just about data breaches.
“The single fine levied against Google of 50M EUR accounted for nearly 90% of the 56M EUR in total fines imposed during the first 9 months of the legislation being enforced. That in itself tells a story.
“The UK government in particular are not being hot enough on compliance. To many organisations the pandemonium of GDPR was left behind in 2018 and seemingly replaced with the confusion of Brexit. What’s even more worrying is that the threat of hefty fines and damage to brand reputation is not acting as a strong enough deterrent.
“However, what organisations need to consider is that citizens are now becoming more conscious of the importance of protecting their data and have no problem with issuing complaints. With over 95,000 complaints coming from citizens within the first 9 months of the regulation coming into play, companies must immediately assess how to safeguard user information and protect people’s privacy.
“The bottom line is that organisations must address GDPR compliance by implementing data-centric protection measures. There must be a close focus on securing data where it resides and everywhere it travels across the network to ensure no data is left unprotected. Security measures must focus on the data itself – endpoint and perimeter protection are important, but if the data itself is still at risk, the problem remains.
“Ultimately, with the numbers of GDPR-related complaints in Europe on the rise, companies need to act now to ensure their organisation doesn’t suffer in the long run.”
Gerald Beuchelt, CISO at LogMeIn:
Password security and GDPR
Data protection at LastPass, a SOC 2&3 certified password manager
GDPR came into place a year ago today. The regulation gives people more control over their personal data and requires data processing companies to exercise greater care and security when dealing with customer data and third parties. In this context, passwords play a particularly important role – on the one hand, they ensure that access to data processing companies is secure so that only authorised users can access information. On the other, customers of these companies use passwords to access digital services. Password security must be effective in both areas. It is not uncommon for the same password to be used across multiple accounts or to be jotted down for everyone to see in the event that a password is forgotten. Password managers help to keep track of credentials and safely handle the authentication process. They generate secure passwords for users to access each of their accounts and store them in a central repository acting like a vault.
LastPass, the market leading password management solution, attaches great importance to the safety of customer data:
“We have invested heavily in our own privacy to ensure that we are a trustworthy, secure and reliable company. Additionally, we have developed our products to ensure they comply with European privacy policies including GDPR. The security of LastPass is based on a zero-knowledge security design. This means that neither LastPass nor LogMeIn, as SaaS providers and hosts of their customers’ login details, have access to any user passwords. Encryption takes place exclusively at the device level before the data is synchronised with LastPass and stored securely. The LastPass vault can therefore only be decrypted by the users themselves with the master password, which is never shared with LastPass. Our motto is: If we cannot access customer data, neither can hackers. LastPass has also recently achieved several security compliance certifications, including SOC 2 Type II and SOC 3 Type II examinations. Since we have invested in high data protection right from the start, the certification serves as a seal of quality to the outside world,” explains Gerald Beuchelt, CISO at LogMeIn, the brand behind LastPass.
David Francis, information security consultant, KCOM:
“GDPR has set a precedent in its first year. Data privacy is now a recognised cornerstone in customer relationships. Companies must be able to take good care of the personally identifiable information they hold, or risk suffering major reputational damage.
“Compliance depends on having a clear system of control over your IT infrastructure. If you’re holding data on your customers, do you know where it resides? Do you know which cloud infrastructure elements are hosting which data? Heavily siloed, sprawling IT landscapes can spell disaster if you can’t control them.
“Companies holding PII need to work with a partner to ensure they have clear policies in place for data control, including managing their cloud infrastructure in line with GDPR requirements. Following Google’s €50m fine from CNIL, the Rubicon has definitely been crossed – those companies that fail to put the work into building compliant systems will pay the price in the end. Now’s the time to act – get your systems in line before your customers are negatively affected.”
Yuval Ben-Itzhak, CEO, Socialbakers:
"Today we mark a year since GDPR came into force across the EU. It is encouraging to learn that other regions are also looking to adopt it as well. GDPR brought privacy to Board rooms and front pages and made everyone re-think about what and how they deal with digital data. GDPR made a paradigm shift for many businesses and marketers. Now innovation takes the lead to provide a GDPR-safe business reality where personalized experiences and new business can still be created without compromising privacy."
Mike Kiser, Global Strategist and Evangelist, SailPoint:
“Europe’s data privacy regulation shook up the privacy world by imposing some of the strongest consumer protection laws of the last 20 years and inspired even stricter laws in other parts of the world. GDPR created a single breach-notification regulation for the entire EU with the goal of protecting personal data of EU citizens.
“So, one year in, how are organisations faring under GDPR? So far, there have been over 64,000 breach notifications, and regulators in 11 European countries have imposed $63 million (or £49 million) in fines. And these are just the first signs of a large wave to follow. With only 29% of EU organisations GDPR compliant, the breaches and fines will continue to happen. This reminds us that our identities comprise not just our attributes, but all personal data that relate to us.
“With one year under its belt, it doesn’t look like the GDPR is going anywhere anytime soon. By assessing risks with identity governance at the forefront, an organisation can create a roadmap to prioritise and remediate the most pressing regulatory gaps, and thus effectively control and secure the organisation’s data.”
Jasmit Sagoo, Senior Director, Northern Europe at Veritas Technologies:
“One year on from GDPR, the reality is that most organisations have done the bare minimum when it comes to data handling and storage.
“Generally, they’ve aimed to remove risks in two ways. Firstly, by deleting old data that is no longer necessary. Secondly, by taking steps to reduce risk of litigation. This could be through consent forms on websites that ask customers to allow them to use their data, or through emails informing customers of the new GDPR rules and that they hold information about them. Rather than correcting underlying data management challenges, these organisations are simply doing just enough to avoid any legal issues.
“This relaxed approach to data protection is being driven by the lack of GDPR fines and reprimands for companies that have fallen foul of the regulation.
“However, there is one way that GDPR has worked: through improving transparency.
“High-profile data breaches have made consumers increasingly cautious about what data they share, where it’s being stored and who it is accessed by. Our research has found that poor data protection can have a dire commercial impact on companies - 56% of consumers would dump a business that fails to protect their data, and 47% would abandon their loyalty and turn to a competitor. In the last year, when organisations have had a breach, they have taken the correct measures to reach out to customers. This allows customers to update their passwords and protect themselves. In an era of fake news and corporate suspicion, this honest approach has truly benefited the consumer.
“However, transparency alone is not enough. Going forward, it’s likely that law firms will begin to monetise GDPR by encouraging consumers whose information has been misused to seek compensation, and those organisations that have taken shortcuts may wish they hadn’t. To prepare for this, businesses need to ensure they have full visibility and control of the data they hold. It’s critical that they make use of technology that can help them locate, protect and manage data, before it’s too late.”
Benjamin Ross, Director, Delphix:
“25th May marks exactly one year since GDPR was fully implemented. The overarching data protection law concerns personal data and applies to all European Union (EU) residents as well as any company or entity that markets goods or services to EU residents.
“Since implementation, the effects of the regulation have rippled across the region with around 65,000 data breach notifications to date.
“Organisations have been fined a total of €56 million over the past 12 months and we have even seen giants like Google trip up in their compliance efforts and receive hefty fines in return.
“If there is one key takeaway from the last year, it is that security begins at the point of inception.
“In today’s digital-first business landscape, software maintenance, development and testing are critical factors. But non-production development and testing environments, vital as they are, pose an enormous increase in the surface area of risk and are often the soft underbelly for GDPR compliance.
“In order to minimise the risk of non-compliance, it is no longer enough to play defensive. Organisations must proactively protect personal and confidential data if they are to stay compliant and remain secure. Modern data masking solutions can help businesses easily achieve this by identifying confidential information, masking sensitive data values, and centrally managing data copies.
As we step foot into the second year with GDPR, it is important for organisations to understand that a foundational change in how data is accessed, managed, secured, and leveraged across the enterprise is key to staying compliant, dramatically reducing your company’s risk of a data breach and innovating at pace.”
David Smith, head of GDPR technology, SAS UK & Ireland:
“All that the first year of GDPR enforcement has really shown us is the depth of confusion over the regulation. It may be the topic that we’ve all heard enough about, but the simple fact is that widespread compliance simply hasn’t happened - although not necessarily through a lack of will.
“That’s not a reason to give up. GDPR compliance is one of the most important issues facing businesses today. Not because of fines or reputational damage - although those are big issues - but because GDPR is the first wave in a new era for data privacy. The business of the future is going to be built on the cultural foundations of GDPR, with the needs and security of the end-user at its heart, so it’s essential to align with that thinking now.
“To do that, companies have to understand the data they hold, where it originates, where it resides, where it travels and who uses it. They need to be able to decipher the digital labyrinth of their supply chain, as well as considering how the growing number of connected, consumer-facing things will impact the spread of personally identifiable information.
“To understand the ever-growing mass of customer data with which they’re faced, companies will need help. By implementing advanced analytics and AI-enabled systems, organisations can gain access to real-time, actionable insights about the state of their data landscape. That in turn will enable them to plan effective, targeted compliance programmes.
“Having a deep and constantly updated understanding of the data you hold also makes it easier to comply with privacy rights activations. Customers can request to be forgotten by your organisation or in some circumstances ask for an explanation of the decisions which concern them. Only through systematic analysis of the data can you root out every last occurrence of personal data that could otherwise come back to haunt you, and only through detailed analysis of your data flows and analytical models can you truly understand your decision making process. Our research found that the majority (56%) of consumers had plans to activate their rights in the first year of GDPR, so the risk is high.
“GDPR’s first anniversary may be an artificial milestone, but the importance of compliance is very real. Organisations need to equip themselves with advanced analytical tools to ensure they stay ahead of the curve.”
Rene Hendrikse, EMEA MD, Mitek:
“Data privacy is unarguably the cornerstone of GDPR – but a year on, it’s no longer all about data. GDPR presents businesses with an opportunity to put what customers want first, beyond just data privacy and security.
“Take customer service. Long before GDPR, the best practice for responding to customers has been ‘in situ’ – through the same channel they reached out on – giving birth to ‘conversational commerce’. Research last year found that a majority of consumers prefer to use a messaging app to communicate with companies, and that 79% of millennials would rather use any method other than the phone for customer service. What’s more, there’s a sense of urgency – 54% of consumers want to hear back from a company they’ve messaged within one hour, and only 1% think it’s acceptable to wait more than a day.
“However, in the post-GDPR world, responding to a customer fast, in situ – and via a compromised platform (of which we’ve seen quite a few, including WhatsApp) – seems practically unthinkable. Brand risks associated with using a compromised app as part of the notification process when things go wrong – especially when there is no alternative means of communication – can be a terrifying predicament. This is why serious investment in the mobile channel for customer service is a must. As customers are increasingly reaching out to businesses on mobile, in a variety of ways, it’s time for businesses to adapt.
“The need for speed and ever-evolving customer expectations, combined with GDPR, have led to a complete overhaul of business models when it comes to data privacy. This has particularly impacted marketing, sales and customer service departments. For example, as the sharing economy continues to grow, companies are turning to technology to onboard good customers securely and in compliance with GDPR, as well as other EU regulations designed to protect against nefarious activity. For example, technology such as identity verification makes this process simple. A consumer can take a photo of an ID document, and AI is used to verify its authenticity. Then, biometric face comparison is used as a second layer of authentication to compare the ID document image with a selfie of the customer. All these advancements in tech mean businesses can attain improved data privacy and better, faster customer service.
“Investing in mobile technologies is a no-brainer a year on from GDPR. With data privacy having come on leaps and bounds in just a year, the next round of GDPR compliance will be simple: giving customers what they want.”