GDPR: One Year On

By Andy Bates

Remember GDPR? This time last year, exactly 25 May, everyone was very animated about GDPR and becoming compliant.

What has happened since then? Are we better for it? We did say at the time: ‘GDPR is not year 2000. It doesn’t end in May 2018 – it really starts then.’

But what has really started? Here are some visible changes:

Personally, I still get many hundreds of unwanted e-mails and calls and, ironically, to our GCA GDPR mailbox, we only get people offering to sell us lists of contacts who definitely want to buy our products (by the way, we don’t sell products).

On the lighter side, in many business interactions, people who previously would have shared data are being very wary and getting the appropriate permissions first. We all know this should have happened since EU data protection was established, but maybe the fear of big fines has finally made people sit up and think.

In the arena of the fight against cybercrime, we have seen that the global WHOIS database (the list of website owners) has had a lot of data removed due to GDPR concerns. We understand that the loss of such valuable data must have impacted or complicated many open investigations into e-crime activities.

Also, there have been 65,000 reported data breaches in the EU since the effective date of GDPR. This implies that reporting has increased, but we also know that cybercrime in general has increased during this time. So what part of this increase really corresponds to the implementation of GDPR? It is hard to tell.

One thing which appears to be the case is that companies are still being impacted by cybercrime. Some have been put out of business by it, especially SMEs that do not have the resilience to cope.

Finally, on the disciplinary side, we have not yet seen the €20 million fines or the 4 percent of global turnover penalties that hit the headlines as a possibility one year ago.

So, what has GDPR done for us all so far?

Certainly, the bad companies who wrongly use data will continue to do this until they are fined, but it looks like the good companies (many of them, big businesses) have been doing the right thing. GDPR says that you should take reasonable measures, and we are seeing signs of people doing this.

Now the trick is to make sure that doing something reasonable also means that we tackle the underlying issue of cybercrime.

It is great that fewer people are selling data without permission and more people are thinking of the implications of sending data outside their organisations, but what about when the data is simply stolen in a cyber attack?

To us, at GCA, doing something reasonable means using reliable solutions that do not share your data, many of which are freely available (such as GCA’s). This helps improve GDPR compliance and, more importantly, overall cyber-resilience.

The author, Andy Bates, is the Executive Director of the United Kingdom, Europe, Middle East and Africa for the Global Cyber Alliance. You can follow him on Twitter @andycyberbates or connect with him on LinkedIn.