A lot has been said and written about the GDPR from a multitude of perspectives: analysis of its many articles, projections of the regulation's potential impact, and more than a fair share of dire predictions and claims that an organization's GDPR compliance efforts could simply be resolved by investing in product "X".
Now that May 25, 2018, has come and gone without the world ending or the Internet being left devoid of interesting content (social media somehow survived), this is a good time to reflect on why something as dramatic as the GDPR was thought to be necessary, and to provide insight into what organizations still need to be aware of in a GDPR-governed digital world.
How did Data Protection become such a big deal?
The short answer? Very slowly and over many years. When the pre-GDPR data protection regulations were first developed, the concept of user data in digital form was in its infancy. In the mid-1990s, most users were part of closed communities/services like AOL, if they were connected at all. And as with any new technology, the focus was on what it could do rather than on the possible consequences.
But as technology evolved and reliable, high-speed Internet access became more widely available, the range of options and different services continued to grow. Companies like Google, Facebook and others built their whole business model on the collection, analysis and manipulation of user data. All of this accelerated with the introduction of smartphones and the massive adoption of “apps”, liberating the Internet surfer from the confines of their home or work computers.
While all of this was happening on the "plus" side, on the "minus" side hackers and cybercriminals were waking up to the value of this personal data. Let's be clear about this: stealing personal information is not new. But the sheer volume of data, the lack of awareness on the part of the data subject, and the minimal attention paid to securing the data by the companies collecting it were together creating a perfect storm that could easily be taken advantage of.
The third aspect of "why GDPR" is that even when there were high-profile data breaches, the regulatory consequences for the companies at the heart of the breach were minimal or non-existent. Even though a serious data breach has a tangible cost (direct and indirect costs as well as reputational damage), most breached organizations survived the storm and continued with business as usual. Quite simply put, whatever the costs of a data breach, including fines from regulators, there was not enough of an incentive (let's call it a "stick") to make a difference. Experiencing a data breach was a calculated and manageable business risk when compared to the value of user data, data that could be used over and over again.
It was in this environment that what we now know as the GDPR was born. It was designed to address all of these issues and to put the question "Why is data protection so important?" squarely in front of every organization that handles personal data.
By Patrick Grillo – Fortinet