Thales Blog

GDPR Three Years Later

May 25, 2021

Rob Elliss | Thales CPL VP of Sales - EMEA

May 25, 2021, marks the third anniversary of GDPR – a landmark regulation not only for consumer privacy but for businesses processing and controlling petabytes of personal data day after day.

Benefits through challenging times

Although many a business might have feared that the strict requirements of GDPR might hamper productivity and revenues, GDPR has become a driver for innovation and an enabler of transformation. Over the past three years, the regulation has benefited businesses by:

  • Improving cybersecurity posture through data visibility and protection.
  • Standardizing data protection processes across the EU digital market.
  • Safeguarding brand reputation.
  • Building trust with customers.

In this context, Data Protection Authorities (DPAs) have emerged as trusted agents for businesses willing to comply with GDPR – the rulings issued by the DPAs act as guidelines that help businesses close gaps and align their practices with the GDPR requirements. Overall, the biggest benefit of the regulation is that it allowed customer-centric cybersecurity to enter the dialogue on protecting privacy rights in the digital era.

Despite the challenges the pandemic created for balancing data protection and security with online collaboration, it is widely held that GDPR has stood the test of the health crisis. As the President of the French DPA noted, “the year 2020 has put the GDPR to the test, bringing to the fore in the public debate many points of tension likely to shift perceptions and concerns about personal data and privacy”. Even though some voices say that the GDPR is now outdated, the regulation has proved to be a flexible document that leaves room for addressing technological advancements.

It has also provided a regional framework protecting the privacy of more than 455 million citizens across 27 different countries. For businesses and organizations, it is much easier to manage compliance with a single large regulatory regime. Contrast that with the United States, where each state has its own data protection and privacy regulations.

A far-reaching impact

"The world's cybersecurity regulation gold standard" is more important now than when it was proclaimed in 2018, due to the escalation of threats against personal data and privacy. State-sponsored bad actors are advancing their adversarial resources and skills, as is evident from the recent attacks against critical infrastructure and federal agencies. In addition, despite citizens' growing concern that technology companies and the commercial sector in general are not doing enough to protect their personal data, business processes and practices continue to threaten our privacy.

This is especially true for the United States, where the absence of federal privacy legislation allows government agencies and private businesses to employ questionable practices. That led the EU Court of Justice to rule that the EU-US Privacy Shield framework for data transfers across the Atlantic is no longer valid. The Schrems II ruling, as it is known, has far-reaching implications for thousands of US-registered businesses processing and storing data of EU citizens.

The Biden Administration has recognized that this problematic situation is hampering the interests of the US and is willing to act on multiple fronts to create a federal privacy act aligned with the GDPR. In fact, this trend started with the enactment of the California Consumer Privacy Act (CCPA). Instead of a heterogeneous patchwork of disparate state laws, federal privacy legislation would give consumers across the nation a clearer understanding of their rights, and it would help businesses grasp their specific obligations for achieving compliance.

President Biden recently threw down the gauntlet with an Executive Order to improve the nation’s cybersecurity. It has clear recommendations that will move federal agencies to the next level when it comes to cybersecurity, and it puts a focus on protecting data and identities with multi-factor authentication and encryption for data at rest and in motion.

Besides the United States, GDPR has a far-reaching impact across many countries and international organizations. Recently the UN Open-Ended Working Group (OEWG) announced the need for "...a global cybersecurity agreement/treaty..." and that States should “take reasonable steps” so that users can have “confidence in the security of ICT products” and that “the confidentiality of sensitive information should be ensured.” Following Brexit, the United Kingdom GDPR 'replicated' the original GDPR law “word-by-word”, including the penalties, and commits to cybersecurity and privacy alignment with the established policies and practices across the EU.

Data encryption fosters GDPR compliance

Despite these developments, many organizations fail to adequately safeguard the integrity and confidentiality of the personal and sensitive data they store and process. As a result, there is growing concern about the vast amount of unencrypted data being exposed in data breaches that exploit gaps in data protection. According to a recent report, in the first three quarters of 2020, 2,953 data breaches were reported, with a total of 36 billion exposed records.

Organizations should invest in data encryption solutions to protect their data wherever it is – in the cloud, on-premises, or in transit. Data encryption solutions not only help businesses minimize the impact of a data security incident, but also help maintain compliance with a growing number of security and privacy regulations like GDPR.