GDPR, one year later: the response of companies
Twelve months of sanctions and solutions
While waiting for the first official report of the European Commission on the application of the Regulation, numerous studies and analyses have tried to measure the transformation underway and the speed at which it is taking place, both from the users' side and from that of organizations. For users, for example, a Eurobarometer survey released last May presented interesting percentages on citizens' degree of awareness of the existence of a new legislation, of national data protection authorities and of the possibility of protecting themselves by changing their social profiles. Thorough knowledge of the protections and changes introduced by the new regulation remains limited. From the organizations' side, in the summer, the EU Commission reported that the first findings indicate that compliance with the regulation has allowed companies to increase security and find a competitive advantage in the "privacy" factor.
More recently, a study carried out by Check Point Software Technologies, which interviewed a thousand CTOs, CIOs, IT managers and security managers of European companies, tested the progress of organizations in the processing of personal data and reported that a significant majority of subjects (60%, in fact) had already accomplished the mission, adding that Italy, France and Germany stand out for their level of compliance with the regulations, while in Spain and the United Kingdom an acceleration is needed. Certainly the overall positive picture does not overshadow the 281 thousand violations (according to statistics collected by the European Data Protection Board) sanctioned in the European Union in the first 12 months after the application of the regulation, nor the Google case, fined 50 million euros by the French Data Protection Authority (Commission nationale de l'informatique et des libertés) for failure to comply with its obligations regarding the information given to users and their consent. Of all the cases that emerged, three quarters (144 thousand) originated from complaints, while approximately one third originated from data breach notifications. According to the update released in July, 63% of the proceedings against organizations have been completed.
The investment is already bearing fruit
The possibility of being sanctioned is, of course, one of the main reasons for companies to worry about the GDPR, but for IT managers there are also other aspects involved: the adoption of efficient internal processes (which ensure, for example, correct keeping of the register of data processing activities or timely notification of data breaches to the regulators); the need, expressly required by law, to be able to demonstrate compliance to regulators; and the ambiguity, according to companies, of a regulation that does not clarify what the "reasonable" level of protection to achieve is. Another relevant factor is the cost of compliance and its return on investment: for companies, as shown by various analyses, the resources employed are already showing benefits in terms of consumer confidence and data security. Almost a third of respondents quantified their total investment at between 42 thousand and 128 thousand pounds, while over a quarter had to spend a higher amount.
Cloud and cybersecurity strategies: what has changed
Considering the technological solutions adopted, the introduction of the Regulation (which aims to protect personal data) has put the use of cloud solutions in the spotlight: their use has mostly been encouraged and increased (with public and private infrastructures and through SaaS solutions), but a share of companies abandoned these solutions as a consequence of the European Regulation. Another aspect that was in the spotlight in these first twelve months regarded security strategies. How have the various European organizations modified their security strategies following the regulatory change? In Check Point's "GDPR turns one" research, two thirds of the managers reported that their company has an organic and strategic approach to cybersecurity and that this is a consequence of the new Regulation, but the experts are fairly equally divided between those who observe that there has been an acceleration in the policy-level approach to cybersecurity and those who instead favour a case-by-case approach.
Services and infrastructures to be qualified: the path of cloud service providers continues
Just as the GDPR has accelerated the race for companies to comply on the processing of personal data, the providers of advanced digital services and the companies present in the Cloud market also have their share of work to do. In fact, the European Commission, national authorities and data protection commissions have pushed ISO and IEC to develop standards and guidelines that set new benchmarks for "data protection". ISO/IEC 27017:2015 and ISO/IEC 27018:2014, which complement the well-known ISO/IEC 27001, go exactly in this direction. Companies that provide SaaS, IaaS and PaaS services, or that are Cloud Service Providers and intend to put themselves forward as qualified suppliers to the Public Administration, must update and comply.
It goes without saying that the primary recipients are companies that offer specialized software services and Cloud infrastructures for the Public Administration, but companies that intend to provide their clients with additional guarantees regarding the security and control of processed data can also adopt them. Compliance with the guidelines is quite demanding but brings important operational advantages: from improved service levels, accessibility, usability and security to greater resilience, scalability and data protection.