The EU’s General Data Protection Regulation (GDPR) was implemented a year ago on May 25, 2018. The sweeping data privacy law offers individual users the “right to be forgotten,” requires notification within 72 hours of the discovery of a data breach, and threatens companies with fines of as much as 4 percent of annual revenue or €20 million, whichever is greater, for failing to comply with its requirements.
The response to the regulation has been significant. Immediately following the implementation of GDPR, an Oxford University study found that the number of cookies on news sites set without user consent dropped by 22 percent. And the European Commission reported in January of this year that more than 95,000 complaints had already been filed with Data Protection Authorities (DPAs) under the GDPR.
According to a recent DLA Piper survey, more than 59,000 data breaches were reported to regulators between May 2018 and January 2019, and 91 fines imposed – including €20,000 for failing to hash employee passwords, €80,000 for publishing health data on the Internet, €4,800 for operating an excessively wide-ranging CCTV system, and most prominently, €50 million to Google for misusing personal data for ad targeting.
The DLA Piper report notes that with the exception of the fine imposed on Google, the levels of the fines imposed thus far have been relatively low. “However, we expect that 2019 will see more fines for tens and potentially even hundreds of millions of euros, as regulators deal with the backlog of GDPR data breach notifications,” the report stated.
Despite the slow enforcement ramp-up, Thycotic chief security scientist Joseph Carson told eSecurity Planet that GDPR has already had a positive impact on the information security industry by forcing many companies to evaluate technologies to comply with the law. “Incident response has been one of the areas in which companies have significantly improved,” he said.
eSecurity Planet’s 2019 State of IT Security survey found that companies’ confidence in their ability to meet compliance requirements is growing, yet compliance remains a big driver of IT security spending, suggesting plenty of room for improvement.
More compliance work to be done
Still, none of this means that corporate approaches to securing data have been fully transformed. A recent Varonis study of 785 organizations and more than 50 billion files found that the average company holds more than 500,000 sensitive files (containing credit card data, health records, or personal information subject to regulations like GDPR, HIPAA and PCI) – of which 17 percent, or more than 85,000 files, are accessible by every employee.
Notably, 53 percent of companies have more than 1,000 sensitive files accessible by every employee, up from 41 percent in 2018.
And despite the GDPR’s “right to be forgotten,” 87 percent of companies have more than 1,000 stale files containing sensitive data and 71 percent have more than 5,000 such files.
Forty percent of companies have more than 1,000 stale but enabled user accounts. “User and service accounts that are inactive and enabled (a.k.a. ‘ghost users’) are targets for penetration and lateral movement,” the report notes.
“The level of sensitive data exposure and oversubscribed access that most organizations are living with should set off alarm bells for corporate boards and shareholders,” Varonis Field CTO Brian Vecci said in a statement.
Similarly, a recent Splunk survey of 1,365 global business managers and IT leaders found that on average, 55 percent of respondents’ data is dark – unquantified and untapped.
California follows suit
Looking ahead, GDPR is just one of a range of data privacy regulations companies need to keep in mind. The next major test for businesses regarding data privacy is the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020.
In this case, history appears to be repeating itself. A recent IAPP/OneTrust survey of 282 organizations found that just 55 percent of companies plan to be ready for CCPA by the implementation date.
And there’s a clear correlation with GDPR compliance – 59 percent of companies with a high level of GDPR compliance expect to be ready by January 1, while none of the companies that report a low level of GDPR compliance expect to be ready for CCPA by the implementation date.
“Our survey targeted a community of well-informed privacy professionals, and even they seem a bit caught off guard by the CCPA,” stated IAPP research director and data protection officer Rita Heimes.
Untangle CTO Timur Kovalev told eSecurity Planet that GDPR has elevated the discourse in the U.S. around how customer data is collected, stored, protected and shared. Still, he said there’s a lot of work left to do for both regulators and the private sector, and he expects calls for regulation surrounding these issues to get even stronger over time.
Most importantly, Kovalev said, regulations shouldn’t be the only reason for protecting sensitive information. “Companies should be proactive in their approach to safeguarding private data, not just for fear of compliance violations, but to build and retain customer trust,” he said.