What Have We Learned About GDPR Over The Last Two Years?
In a nutshell – that it misses the point. It’s a bit harsh, but let’s consider the impact.
As a consumer, I am more frustrated than ever by the continuous need to accept conditions to view a website or to give my consent to cookie usage or whatever other ingenious device confronts me to make sure that I am aware that I am signing away my firstborn and my firstborn’s firstborn to be included in the select few have agreed and can make use of the information behind it.
Continuing with my consumer hat on, my attention has been brought to the fact that organizations have my data, and I can request to change that fact, should I choose to do so. But as the adage says, “If it ain’t broken, don’t fix it”. Most of us end up leaving that avenue well alone.
Essentially, most consumers don’t really care that much; GDPR enforcement doesn’t significantly impact their lives. They do mind added efforts, which is the side they see of GDPR.
Thinking as an organization that must be GDPR compliant, there is a huge amount of work. GDPR exists to standardize data protection laws across the EU; any organization that fits the description of “controller” must change their way of thinking to “data protection by design” and “data protection by default”. Organizations need a combination of manual efforts and automation to implement best practices to comply with GDPR. With data “now” protected, organizations need to have a process for reporting breaches, with the assumption being that breaches can’t occur if the data is protected.
Yet there are still breaches. Why?
In some organizations, GDPR has removed the focus from security to compliance. Being compliant does not equal being secure. Having your data secured means that you know what you have and where it is. It means that you can implement appropriate security measures to ensure that you do not leak personal information. Good security means an easier road to compliance.
In summary, GDPR compliance efforts are in danger of taking the budget and resources away from security efforts. And that is where it has missed the point.