Now that the one-year anniversary of the General Data Privacy Regulation (GDPR) has passed, it's time to ask the tough question of whether companies are really celebrating or cursing these consumer privacy mandates. GDPR has paved the way for even more regulations, but are these regulations helping or hurting security?
Try not to scoff at the dreadfully annoying answer: It depends.
"Much of the weight of GDPR efforts and costs fall on legal and compliance teams, who often need to deploy new technology for data discovery and inventory, data flow mapping and monitoring, privacy and risk assessment, and data subject access request [DSAR] management," says Chris DeRamus, co-founder and CTO of DivvyCloud.
For those organizations, GDPR is helping considerably. Given the large streams of data companies are collecting, data mapping has been a challenge for many of them. Historically, manually updated spreadsheets yielded a false sense of security, but GDPR is starting to change that, says Kristina Bergman, CEO of data privacy automation solution Integris Software.
But for others, compliance has been added to the pool of teams all competing for the same resources.
The Bright Side
From a CISO's perspective, the implementation of GDPR has been helpful because security teams now have the ability to prove they are doing what they say they are doing, Bergman says.
"If they get audited, they have to prove their practices are appropriate to the data," she says. "What the regulations are forcing is a technology solution to data mapping."
According to the recent "Integris Data Privacy Maturity Study," nearly half (49%) of organizations are now taking inventory of personal data and where it resides in real time. CISOs are increasingly understanding that the tasks of proving they deleted or secured someone's data in the right way requires technology to replace manual data mapping practices, Bergman says.
Indeed, the GDPR mandates have had some positive effects on both security and data privacy, one of which is that the regulations have forced companies to take a more holistic, collaborative approach to security.
"The result is the C-suite is now intimately involved in how their organization's data is managed and protected," says Karen Schuler, national leader of BDO's information governance and privacy practice. "Companies that didn't have a CISO have since hired them. Most now have a dedicated incident response team, or they've outsourced the role. Of course, these were all best practices pre-GDPR; now there's just some teeth behind them."
For security professionals, one of the most important benefits to come from GDPR is the heightened visibility and importance of security teams within the organization. "Security and privacy by design is now a board-level discussion," Schuler says. "GDPR has essentially lit a fire under organizations to update their security posture."
Even the initial passage of the regulations sparked action in companies. Before GDPR went into effect, organizations started increasing investment in incident response processes, many of which were outdated and lacking basic capabilities. Incident response program review led many companies to also invest in intrusion detection systems.
Though that initial spike in investment has scaled back over the past few years, Schuler says security teams are in maintenance and enforcement mode. "Security dollars today are going toward employee training and testing," she says. "We've also seen a big uptick in service level agreements for patch management."
Not All Unicorns and Rainbows
Although GDPR has had positive effects, the regulations have had some unintended consequences, too.
According to the "2019 Domain Fraud Report" published by Proofpoint, malicious actors have discovered an unintended benefit of the right to privacy extended to consumers: The ability to remain anonymous also allows cybercriminals to go unidentified, and many of them are creating and registering for fraudulent domains using the same top-level domains (TDLs) as legitimate brands.
Unfortunately, consumer privacy has also enhanced the privacy of criminals. In addition, protecting privacy has in many ways become somewhat of a competing budget line for security spend, says Steve Armstrong, regional director at Bitglass.
Organizations report seeing a diversion of funds from security programs into complying with GDPR, according to Armstrong. This has stagnated the spending needed for the innovations required to continue to mitigate against threat actors.
"The focal change to user privacy has definitely meant organizations have reduced spending on proactive security plans not directly linked to GDPR," Armstrong says. "It's paradoxical for many organizations to reduce spending on specific cyber programs to focus on mapping data and applying controls for there to only be a breach in the wake of them changing focus."
The implementation of GDPR has also changed how organizations allocate their internal resources to focus more on compliance, says Stephan Chenette, CTO and co-founder of AttackIQ. This has impacted the budgets for not just the risk and audit teams, but engineering and IT efforts as well.
A common GDPR theme is that the more mature organizations have likely taken the time to build "privacy by design" into their risk structure, having found the right people to develop appropriate privacy processes, procedures, and linkages," says Tom Garrubba, senior director and CISO at The Santa Fe Group.
"Those companies are able to track all points of their customer data internally and externally," he says. "However, this causes headaches for many of these companies as they are now afraid of sharing any customer data externally and even internally."
Some organizations have been holding out on GDPR — having done nothing, very little, or are taking their time to be in compliance — in large part because they have yet to see any fines associated with a privacy breach. In fact, the Integris survey found that 10% of organizations said they have only taken inventory of personal data and where it resides if they were audited or in reaction to an event like GDPR.
"Until they see actual fines being levied upon ‘like' organizations, they're not going to spend the time and effort to comply with GDPR," Garrubba says.
A Look Ahead
The looming California Consumer Privacy Act (CCPA) is a concern for every US organization.
"Companies trying to integrate their GDPR program with CCPA may be surprised to find there isn't significant overlap between the two, though philosophically they're both focused on individual rights," Schuler says. "A critical distinction is that the CCPA forbids the selling of consumer data. It also doesn't distinguish between automated and human processing, so many organizations will need to revisit their access controls."
In addition, one area of the GDPR remains a pain point for many companies: The data registry requirement in Article 30, which requires companies process personal data to maintain a record of their processing activities. However, many organizations are still working through the process of finding all of their data. As a result, Schuler says it has become increasingly important for security teams to be actively involved in data classification.
"The biggest challenge now is finding the delta between the GDPR and other international privacy laws, like Brazil's LGPD and Canada's Personal Information Protection and Electronic Documents Act [PIPEDA]," Schuler says.