Attributed to Greg Day, VP and CSO EMEA, Palo Alto Networks
Commenting on the GDPR’s second anniversary, Greg Day had this to say: “Like much else, GDPR compliance is under strain right now. There’s no doubt there will be a GDPR debt coming out of the COVID-19 crisis. The immediate switch that many organisations have had to make to new methods of online collaboration, with nearly everyone forced to work from home, has meant security and privacy have needed to quickly adapt and catch up to very significant change.
As we approach the second anniversary of GDPR’s implementation, one of my primary concerns is that somehow the educational purpose of the regulation has been lost. We seem to be missing the opportunity to help organisations learn from their mistakes and for me, that was one of the good things that GDPR was designed to do. GDPR was framed to provide a roadmap for continuous improvement in organisations’ privacy and security posture. However, I do not believe there has been any major international curation of common mistakes that small, midsize, or large enterprises can make inadvertently with regard to GDPR compliance, and how to avoid them. Organisations would value such insight, especially in the current crisis.
Legislation must be written to be technology-neutral; the simple reality is that the two evolve at very different paces. I learnt the need for this many years ago supporting the Budapest Convention, which is the basis for many countries’ cybercrime laws; these were written around impact rather than technology. However, even principle-based GDPR could not predict how fast technology is changing both what and how we digitally exchange data.
Two years is a long time in technology and there is certainly a need to reassess how GDPR principles apply to new technologies and to changed data flows. Further, some interpretation and implementation have been uneven within EU member states. It is important to ensure it is clear how GDPR applies within major technological changes. For example, since GDPR came into effect, there has been a move by many organisations to the cloud, which has become much more mainstream with massive adoption rates. There is a need for organisations to reflect on how GDPR applies as data flows to the cloud in larger volumes than anyone expected, to document the specific risks and the gaps that come with that, and to define a roadmap of continuous privacy and security improvement.
What’s striking to me is still how few organisations really know where their data sits in the cloud and who has access to it, and how many remain confused about their security responsibilities. For many, COVID-19 has accelerated this process, challenging security teams’ readiness because of a shift in focus and a more distributed workforce.
All regulations, GDPR included, must be applied to this and to newer technology waves, like the approaching interconnectivity impact of 5G networking and ubiquitous device proliferation.
We are only starting to understand the new normal for work, but regardless of the current difficult situation we should take time to reflect on how organisations must keep evolving their GDPR compliance on the road of continuous privacy and security improvement to protect our online societies and economies.”