Today marks the first anniversary of the General Data Protection Regulation (GDPR) coming into force. For many, the past 12 months have been a steep learning curve from a data privacy perspective.
According to recent research from Gartner, "accelerating privacy regulations" has overtaken talent shortages as the top concern for businesses in 2019. Many companies have found complying with privacy regulations more burdensome, complex, and costly than they anticipated.
One thing we know for certain is that GDPR has set off a chain of events, with more regulations on the horizon around the world. Take the California Consumer Privacy Act, which takes effect on January 1, 2020: it raises the prospect of even greater complexity, certainly in the U.S., if every state goes down the route of writing its own compliance rules. Companies already have to reconcile conflicting regulations in a range of areas, and the last thing anyone needs is another layer of data rules on top of them.
That’s not to say that we shouldn’t be celebrating GDPR’s birthday.
Off to a good start
From a legislative perspective, GDPR has provided a good start. For example, it has required GDPR-compliant companies like ourselves to ensure that any subcontractor or vendor handling personal data has at least a baseline set of security controls in place, and those vendors are now requiring the same of their own vendors. Security controls are not the whole story: a vendor must also be able to meet the data-protection obligations that GDPR places on processors, and those commitments are now typically written into vendor contracts and questionnaires rather than assumed.
GDPR has raised awareness of this among a lot of small businesses. Before, someone could spin up a marketing company without having to attest to any controls; now they can't. That is a big difference in a year. So there has been a very positive change in awareness and knowledge; too many companies had little idea about security policies or data privacy until GDPR arrived.
So, while we don't yet know how enforcement and penalties will play out, I would say that from a security and privacy perspective, GDPR has absolutely had a positive effect.
However, one area in which GDPR is less than ideal is in defining what personal data is. GDPR (Recital 30) explicitly counts online identifiers such as IP addresses as personal data, but thinking of an IP address as a reliable piece of private data is in many ways antiquated. The reality is that what we perceive as private data is changing and evolving, and GDPR may not have kept pace with that. While we consider names, email addresses, and physical addresses private data today, the goal posts are shifting, and that is turning privacy and compliance into a moving target.
Changing attitudes to privacy
I expect to see a huge revolution in our attitudes to, and definitions of, private data over the next few years. For example, many in the security sector found it odd that consumers didn't realize that Facebook monetizes their data. Facebook has done incredible things and changed the world, and it has funded this by using the data it collects. This is well known in the security, privacy, and technology sectors, but the wider public has not understood the model. For companies using it, the model lets them give consumers services for free in exchange for monetizing the data they collect.
The challenge is that we don't yet have the answers. Privacy purists would have no one share anything with anyone, but that is unrealistic. Walk down the street and you are on camera. You may think you are protecting your data, but run anything on a mobile device and it is tracked. Tracking is everywhere, all the time, and we give up privacy every day and get benefits in return; retailers have been doing this for years with loyalty cards. The truth is that the raw data is less interesting than the insights it yields. Tracking data records where you go, how fast you go, and how often you go. Combine it with map and city data and you can infer that a person visits a hospital often, drives too fast, and frequents "bad" parts of town. Insurance companies may want to know this to set rates, and that is just the tip of the iceberg.
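To make the last point concrete, here is an added example (not code from the original post): a small Python script that takes a constructed location trace of (timestamp, latitude, longitude) fixes and a constructed table of points of interest, both with hypothetical coordinates, and derives exactly the kinds of insight described above: how fast the person moved between fixes, how many segments exceed a speed limit, and how often they visited the hospital. The trace, the POI coordinates, the 100 m matching radius and the 50 km/h limit are all assumptions chosen for illustration.

```python
"""Inference from a location trace. Added example with constructed data;
coordinates, points of interest and the speed limit are all hypothetical."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


# Constructed "map data": hypothetical points of interest (lat, lon).
POIS = {
    "home": (51.5200, -0.0900),
    "hospital": (51.5010, -0.0900),
}
POI_RADIUS_M = 100.0  # a fix within this radius counts as being at the POI

# Constructed location trace: (timestamp, lat, lon). Two days of hypothetical
# fixes; the person travels home -> hospital -> home on both days.
T0 = datetime(2019, 5, 20, 8, 0, 0)
TRACE = [
    (T0, 51.5200, -0.0900),                                  # at home
    (T0 + timedelta(minutes=5), 51.5010, -0.0900),           # at hospital
    (T0 + timedelta(minutes=20), 51.5011, -0.0900),          # still at hospital
    (T0 + timedelta(minutes=22), 51.5200, -0.0900),          # back home, fast
    (T0 + timedelta(days=1), 51.5200, -0.0900),              # next day, at home
    (T0 + timedelta(days=1, minutes=5), 51.5010, -0.0900),   # at hospital again
    (T0 + timedelta(days=1, minutes=8), 51.5200, -0.0900),   # back home
]


def segment_speeds_kmh(trace):
    """Average speed over each consecutive pair of fixes, in km/h."""
    speeds = []
    for (t1, lat1, lon1), (t2, lat2, lon2) in zip(trace, trace[1:]):
        seconds = (t2 - t1).total_seconds()
        if seconds > 0:
            metres = haversine_m(lat1, lon1, lat2, lon2)
            speeds.append(metres / seconds * 3.6)
    return speeds


def nearest_poi(lat, lon, pois, radius_m=POI_RADIUS_M):
    """Name of the first POI within radius_m of the fix, or None."""
    for name, (plat, plon) in pois.items():
        if haversine_m(lat, lon, plat, plon) <= radius_m:
            return name
    return None


def count_visits(trace, pois, radius_m=POI_RADIUS_M):
    """Distinct visits per POI: a run of consecutive fixes at one POI is one visit."""
    visits = {name: 0 for name in pois}
    previous = None
    for _, lat, lon in trace:
        here = nearest_poi(lat, lon, pois, radius_m)
        if here is not None and here != previous:
            visits[here] += 1
        previous = here
    return visits


def profile(trace, pois, speed_limit_kmh=50.0):
    """The 'insight' layer: what a data buyer learns from the raw trace."""
    speeds = segment_speeds_kmh(trace)
    return {
        "max_speed_kmh": round(max(speeds), 1) if speeds else 0.0,
        "speeding_segments": sum(1 for s in speeds if s > speed_limit_kmh),
        "visits": count_visits(trace, pois),
    }


if __name__ == "__main__":
    print(profile(TRACE, POIS))
```

Nothing in the trace is a name, an email address or a physical address, yet once it is joined with the POI table the output says that this person went to a hospital on two consecutive days and drove at roughly 63 km/h on one leg. That join is the step that turns "just coordinates" into something an insurer would pay for, which is why a practitioner should treat location telemetry as personal data regardless of how the identifiers are labelled.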