Six months ago, on May 25, 2018 to be exact, the General Data Protection Regulation (GDPR) came into effect in the European Union, but its implementation happened with a "whimper" rather than a "bang", says an industry expert.
The regulation falls under EU law and deals with the data protection and privacy of individuals within the EU and the European Economic Area. Among the biggest prescriptions of the policy is that companies notify the supervisory authority when a personal data breach occurs, within a time frame of 72 hours of becoming aware of it.
Patrick Grillo, senior director of solutions marketing for cybersecurity firm Fortinet, shared his view of the policy's impact with journalists at a conference in Sophia Antipolis, France, this week.
Even some companies not based in the EU, but which do business impacting EU members, elected to adopt the regulatory protocol.
But what happened since May 25?
'Catastrophic' data breach
British Airways experienced a "catastrophic" data breach. There had been data breaches in other companies too – but not as significant as that of the airline.
Facebook had another data breach, hot on the heels of the Cambridge Analytica saga, which exposed violations of data protection rules by the social media network.
Grillo said that in the past six months fines had also been issued to companies for non-compliance with GDPR. But there is no single answer to how regulators will react, especially in light of high-profile breaches like those at British Airways or Facebook.
"It depends on how negligent the companies were, how prepared or unprepared they were," he said.
Certainly, in the past six months the very issues for which the GDPR was designed in the first place have sprung up, he explained.
Grillo said that it was not possible for all companies to be compliant with the regulation by the time it came into effect, but companies needed to have had a plan in place indicating what actions would be taken in the event of a breach.
Grillo pointed out a shortcoming in the regulation, namely that it does not guide companies on how to become compliant.
"Here is a regulation telling you to do something, but not telling you how to do it," he said. Essentially, organisations are left to figure out a way from point A to point Z without a roadmap, he explained.
There was a range of things that had to be changed, from the technology to the legal contracts, which had to be updated.
Grillo also pointed out the lack of any cybersecurity technology mentioned in the policy. Organisations' actions echoed this: in an effort to be compliant, companies have placed more priority on data privacy than on data protection, when in fact the two should be prioritised equally, he said.
So, for example, they have been proactive in avoiding fines by reporting breaches within the required time frame, but risk management, and preventing the actual data breaches from happening, has been secondary.
"Data privacy and data protection must be equal aspects of any organisation's GDPR preparations, but data privacy took all focus because it is most visible," he said. Grillo argued that focusing on data protection, would help companies avoid a fine, even if they had a data breach.
He elaborated that once a cyber attacker has entered a network, the attacker still has to retrieve the information or misuse it. When a hacker gets into a network there is a window of opportunity in which they take what they want, or search for something of interest. The aim of data protection is to minimise that window so that no damage is done through the breach.
Breaches will continue
In his closing remarks, Grillo said that leading up into 2019, data breaches would likely continue to happen. "Data protection and data privacy is here to stay," he said. "It is part of the landscape that a company needs to take into account, as part of risk management of how to do business."
Other countries around the world, such as the US, are also considering introducing regulation similar to GDPR, he said.