What difference has GDPR really made?

Tamer Odeh, Regional Director at SentinelOne in the Middle East shares his thoughts on the effectiveness of GDPR on its second anniversary.

It’s been two years since the advent of the EU’s groundbreaking GDPR scheme, which was implemented in an attempt to force data collectors to tighten up security over the information they collected on users of their services and to provide more transparency and standardization about exactly what and how they collect data. The GDPR is far from an exercise in toothless bureaucracy, though, with penalties faced by those found to be in breach of the regulations regarded as among the most stringent ever proposed.

With data breaches still a regular occurrence and increasingly among the primary objectives of cyber threat actors, just how successful has the GDPR “stick” of punishing fines been after two years of implementation? Has the “fear of a GDPR fine” changed the landscape of data protection, or merely increased the burden on organizations already struggling to deal with gathering and securing the masses of data needed to drive their businesses forward?

There have been around 340 GDPR fines amounting to a total of around $180 million over the last two years, although two of the largest fines amounting to another $350 million together are still to be confirmed in the coming weeks. That could total up to around half a billion USD before 2020 is done and dusted.

The COVID-19 pandemic has also impacted GDPR. More generally, the ongoing trend of working from home is likely to have some effect on data breaches, which are expected to increase in the second half of 2020, triggering additional GDPR notifications and responses. The International Association of IT Asset Managers (IAITAM) has warned that at-home work due to the COVID-19 pandemic is leading to a spike in data breaches that is greater than anticipated.

GDPR was also supposed to reduce the overall number and severity of data breaches by giving companies an incentive to avoid being fined. But the evidence since it came into effect suggests that this effect has been neither conclusive nor uniform across all member countries.

According to a 2019 report by the Ponemon Institute, the Middle East has the world’s second-highest average cost of a data breach, at USD 6 million per breach, leading industry experts to make urgent calls for organizations and their channel partners to revisit their data protection strategies.

Middle East organizations face a wide range of data breach issues – including the world’s highest average number of breached records, at 38,000 per incident, and an average data breach costing $5.97 million, both figures about 50 percent higher than the global average.

The recent DBIR report noted that hackers are specifically looking for credentials and personal data. 58% of attacks resulted in compromised personal data, and 37% of attacks either used or stole user credentials. This spells bad news for organizations since the theft of such data will almost always trigger GDPR notification. Another recent trend is that aggressive ransomware gangs extort enterprise victims not only by denying them access to their corporate data but also by threatening to dump that data in the public domain, again triggering breach notifications and all the subsequent headaches.

It is important to mention that the GDPR redefined privacy as a fundamental right and made our corporate entities stewards of our data. As a result, proper data identification and handling are mandated under GDPR, with fines as a severe stick for non-compliance. To measure its success, however, we need to look not so much at the total amount of fines collected, but rather at the shift in mindset it has created.

This is not limited to European territories, of course. The regulation has become a model for many national laws outside the EU, including in Chile, Japan, Brazil, South Korea, Argentina, Indonesia, and Kenya. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with GDPR. In the UAE, His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE and Ruler of Dubai, has enacted a new DIFC Data Protection Law which replaces the DIFC Data Protection Law of 2007. The new DIFC law is based on GDPR and primarily applies to businesses operating in the Dubai International Financial Centre (DIFC). It came into force on July 1, 2020.

GDPR and similar regulations such as those mentioned above have encouraged organizations to try and prevent or limit the risks of a potential data breach by upgrading and improving their cybersecurity measures, and that can only be a good thing for all.

However, it remains a challenge for many businesses to factor in the cost of non-compliance when fines can amount to as much as 4% of global annual turnover. For this reason, many businesses operating within the jurisdiction of GDPR or similar regulations have seen fit not only to upgrade their cybersecurity defenses but also to appoint a Data Protection Officer to take responsibility for overseeing compliance.

There is no doubt that GDPR has changed the landscape of data collection and protection since May 2018, not just in Europe but across much of the world’s markets. However, despite the penalties, the data breaches keep on rolling, and customer data keeps on being leaked and traded.

To some extent, this can be seen as enterprises still playing catch-up on years of poor or neglected data protection practices and legacy security technology. The threat actors are still out there punishing those that have not upgraded the technology they need to secure their clients’ data, and the regulators are out there punishing those that have not upgraded their data collection procedures and policies. If that tells us anything, it should be that data protection is a fundamental priority for every data collector. If an organization gets punished by the bad guys, it can expect the regulators to be lining up right behind them.