Organizations have been working on their GDPR posture to comply with the EU regulation ever since it went into effect in May 2018. Now, 2½ years later, the effects of GDPR on data and privacy are starting to be seen far and wide. And while most companies have learned to deal with the demands of the GDPR, many still face challenges.
In many ways, data is comparable to oil; “data is the new oil” is a commonly used phrase these days. It’s essential, valued, and extremely lucrative. Everyone is holding onto information, and that information often includes personal data. Data mining is an enormous industry, extracting value and turning people into products that can be sold and traded. However, the GDPR is now keeping big data exploiters in check and is giving the people (data subjects) the power to choose how their data may be used by anyone who holds it (the controller or processor of their data).
Regulating the data commodity
Companies that are data controllers and processors of data subjects’ data should now be acting within the regulation. Among other obligations, they may not use personal data without the data subject’s explicit consent. Personal data is not only the name of the data subject; it extends to phone numbers, bank account details, IP addresses, photos, and sexual preferences. It even includes phone or device MAC addresses and browser history: any data that can identify a person. The scope is expansive.
The regulation helps to build confidence with consumers as it demonstrates the data is being used for the purposes it was collected for and that the information is safe.
The regulation defines and demands accountability from organizations on how personal data is processed and protected. If an organization does not take GDPR seriously, the data subject should be wary of entrusting it with their data, because the potential for nefarious activity is real. Two years on, the regulation has been out long enough for organizations to show diligence and due regard.
GDPR boils down to organizations handling data subjects’ data on the data subjects’ terms, and data subjects being able to trust organizations with their data. If this trust is abused, the data subject can not only seek compensation but also seek recourse through the supervisory authority that regulates the jurisdiction. Moreover, as the regulation was harmonized throughout the 29 countries, the authorities cooperate, so it’s simpler to enforce.
Currently, GDPR is a comprehensive regulation that protects EU consumers by holding organizations (controllers and processors of personal data) to a standard of governance and security for personal data and instills firmer security controls and audit measures.
GDPR challenges organizations continue to face
- Realizing the compliance benchmark
Without a doubt, GDPR is positive; however, two years on, many businesses continue to struggle to achieve the compliance benchmark. There are several reasons for this, including the following challenges:
- Many organizations don’t know where their data is; the data is spread far and wide. It’s on servers on-premises, in the cloud, on devices at home, at the office, on backups — scattered everywhere. There is no definitive list of where the data is, what it is, and the contents of the data.
- Many organizations over the past two years have struggled to gain clarity on their data exposure: which data is exposed, how exposed it is, and what the actual data contains. As users continuously create information on remote computers, servers, clouds, and platforms, staying up to date and informed becomes harder still.
- Many organizations don’t know who has access to the data. A lot of the time, organizations believe they know, but when challenged, it’s clear they are not explicitly aware. For instance, IT usually has access to all data; third parties that support the company also have access; and the service providers that host the data and manage the environments have access as well. It is very easy for data to pass from an internal user to an external user and then get lost in either place. Ultimately this means that the company falls out of compliance. So, for many organizations, lots of work remains to ensure a robust handle on where the data is and who has access to it.
- This means that many organizations still do not possess reasonable controls around personal data to ensure full compliance with GDPR, even though many claim compliance. It could be down to being unaware rather than an act of deception. However, if there is a breach and data is compromised, either way, the organization will be held responsible.
- Secondary data challenges: Mass data fragmentation
With the growing threat of cyberattacks and ways in which data can be compromised and stolen, organizations of all sizes are finding it challenging to keep their data secure, out of the wrong hands, and to meet GDPR policies for compliance and security.
The majority of data, commonly more than 80 percent of secondary data within an organization, is located within backups, archives, object stores, filers, and test or development environments. This siloed data is spread across an assortment of products and locations, including on-premises and in public cloud infrastructures.
Secondary data, for many organizations, can become nearly impossible to manage long term. Additionally, organizations must contend with multiple copies of data: this can be excessive amounts of the same data stored in various clouds. It is unreasonable to imagine that all this data is appropriately managed and that all organizations continuously and appropriately control personal data. A lot of the time, there is a lack of visibility, which results in the inability to properly locate the data and take the actions required to comply with the regulation. Two years on, organizations continue to struggle with the intricacy of data handling on many fronts.
- Tracking and advertising
From a data subject’s point of view, the question is which organizations are deriving their identities from their online behaviors and identifying them as unique data subjects. Selling this data is, in turn, a contravention of GDPR. It is an area of concern that exists and should be considered.
Solving these challenges and more: Steps organizations can take
- Consolidate systems and storage so that data is not spread out on every online and private storage platform. Encrypt data wherever it is stored so that it is protected, including data that sits in backups.
- Secure data against unauthorized access. Use the rule of least privilege and always use multifactor authentication (MFA) for all platforms where possible. If the platform does not support MFA, put it behind a portal that does.
- Back up all data and make sure that the data is not left on a system without robust access control when stored and transmitted.
- Audit the data and track where it goes and who produces the data. Knowing where the data is and goes is key to protecting it.
- Automate data retention periods where possible. This helps take data offline, so it’s not exposed, and also tracks what data the organization is holding.
- Employ appropriate tools to do this work, wherever possible, to ensure the GDPR obligation is being met.
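The steps above, in particular auditing where data is held and automating retention, can be put into practice with a small inventory check. The following is an added example, not code from the article or any product it mentions; the retention schedule, record fields and sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: processing purpose -> maximum days to keep.
RETENTION_DAYS = {"marketing": 365, "support_ticket": 730, "payroll": 2555}

@dataclass(frozen=True)
class Record:
    record_id: str   # identifier of the data subject's record
    purpose: str     # documented purpose the data was collected for
    last_used: date  # last date the purpose actually required the data
    location: str    # which system holds this copy (on-prem, cloud, backup)

def retention_decision(record, today):
    """Return 'retain', 'delete' or 'review' for one copy of a record."""
    limit = RETENTION_DAYS.get(record.purpose)
    if limit is None:
        return "review"  # undocumented purpose: escalate, never auto-delete
    if today - record.last_used > timedelta(days=limit):
        return "delete"
    return "retain"

def retention_report(records, today):
    """Group every copy by decision, list all locations of records to delete,
    and write an audit line per copy so the run itself is accountable."""
    report = {"retain": [], "delete": [], "review": []}
    audit = []
    for r in records:
        decision = retention_decision(r, today)
        report[decision].append((r.record_id, r.location))
        audit.append(f"{today} {r.record_id}@{r.location} purpose={r.purpose} "
                     f"last_used={r.last_used} -> {decision}")
    # Deletion is only complete once every copy is gone, backups included.
    copies = {}
    for rid, loc in report["delete"]:
        copies.setdefault(rid, []).append(loc)
    return report, copies, audit

# Constructed inventory: one marketing record exists on-prem and in a backup.
AS_OF = date(2020, 11, 1)
SAMPLE = [
    Record("subj-001", "marketing", date(2019, 1, 1), "on-prem-crm"),
    Record("subj-001", "marketing", date(2019, 1, 1), "cloud-backup"),
    Record("subj-002", "support_ticket", date(2020, 6, 1), "helpdesk-saas"),
    Record("subj-003", "unknown", date(2018, 3, 1), "legacy-file-share"),
]
```

Running `retention_report(SAMPLE, AS_OF)` flags both copies of the expired marketing record, keeps the live support ticket, and sends the record with no documented purpose to human review rather than deleting it.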
How GDPR empowers people and organizations
The GDPR has empowered the public and made them aware of their data rights. It helps data subjects retain control of their personal data. From an organization’s perspective, the GDPR has brought improvement by setting one set of rules for all organizations to abide by. It has leveled the playing field for organizations processing data of EU citizens, whether the organization is located in the EU or not: all are bound by the same rules.
Before the regulation, some organizations were abusing data subjects’ rights, using data as a lucrative commodity without proper consent or the data subjects’ visibility and knowledge. Two years on, data subjects are protected, the regulation will continue to become more ingrained in what we do, and the evolution is favorable.
The GDPR is meeting many expectations, but room for future improvement is also apparent. Perhaps two years on is too soon to draw any complete conclusions about its application, as many organizations continue to tackle many compliance challenges. Nevertheless, as further experience is gained, we can expect further improvements in the long term.