When the European Union first announced the General Data Protection Regulation (GDPR), huge concerns bubbled for a few years before coming to a head just before 25 May 2018. This near-hysteria was fuelled by the spectre of massive fines, as well as an underlying sense of mystery around how it would affect companies and business processes.
12 months on, however, organisations by and large have come to learn that many of the urban myths spread before the GDPR watershed (that regulators would simply scale up fines, for example) have not come to pass. Rather, the consensus has settled in more positive territory; for Citrix's chief digital risk officer, Peter Lefkowitz, GDPR has worked much better as an accountability framework than people had expected.
"For a long time, in Europe, we had national implementing laws on the [previous] directive, we had filings, we had different permissions to obtain in different places," he tells IT Pro. "The move to a framework where you need to know what data you're collecting, how you're using it, which vendors you're using to oversight, it gets us back to a manageable place.
"What I've been interested to see is that the privacy community and the business community, for all of the effort that went in, have taken to it pretty well. And people are happier with a more standards-based way of proceeding."
Compliance is a process and doesn't happen overnight
Research done since GDPR came into force shows a significant portion of organisations still don't consider themselves to be compliant with the toughest set of data protection laws drafted to date. The Information Commissioner's Office (ICO), meanwhile, has been adamant that it wouldn't seek to punish businesses following an incident provided they have shown willingness and co-operation with the new regulations.
Certainly, the endeavour to comply isn't just a matter of flicking a switch or ticking a box; rather, it's a continuous process that companies will have to remain engaged in for the foreseeable future. Lefkowitz tells IT Pro that the most interesting part for Citrix is how GDPR compliance has become part of the company's daily routine and changed its business processes.
For example, for all product releases the company now demands the use of a structured privacy tool configured in a particular way. The product manager will fill out a questionnaire with the legal team and respond to queries they ask about the product, such as what it does, who the lead might be, and a series of questions probing subjects around privacy, patents, security, open source, export controls and other factors.
This ongoing GDPR compliance process may manifest in different ways for different businesses and in varying industries too, but by and large the altered business practices adhere to the same principles underpinned by the year-old laws.
Downplay the role of privacy at your peril
For all the positives of GDPR that compliant businesses have inadvertently benefitted from, including better protection against data breaches, among the most surprising for Lefkowitz has been the role of privacy in boosting brand value.
"I have learned how important privacy is to our brand; how important it is to our community," he says. "The trust equation there is very important. In a time when privacy is on the front page of the papers every day, our customers want to know that we and other companies that they're dealing with are focused on these issues and managing them well."
This was not a visible issue five years ago, or even three years ago, and GDPR is partly responsible for the change. Of course, this is also down to the multitude of scandals that have adorned front pages in the last 12 months, from Google to Facebook, lending privacy a higher level of awareness in the public consciousness.
Just as privacy holds importance, so does security. This is something Citrix has been forced to learn the hard way, following its catastrophic data breach disclosed earlier this year. Hackers accessed 6TB of corporate documentation and staff members' personal data after infiltrating the company's systems and lingering for up to six months undetected. As a direct consequence of disclosing this breach, as required under GDPR, the company's share price fell sharply and hasn't quite recovered since.
For what it's worth, Lefkowitz, who was closely involved in the response and internal investigation, says Citrix has learnt its lessons and that every employee at the company is more vigilant about security than they were three months ago. Meanwhile, investigations are ongoing and the company has been co-operating with the FBI, although regulatory action may follow a little later down the line.
We're still in the dark over GDPR enforcement
There has been a flurry of enforcement action in the last year, occasionally stealing headlines. It's inescapable to associate the likes of Google and Facebook either with the large fines that have been levied, or with ongoing investigations. The former, for instance, has been hit with the biggest GDPR fine to date, courtesy of French data protection authorities, while the Irish data regulator is running at least ten concurrent investigations into Mark Zuckerberg's social media empire.
But most of the action we've seen, Lefkowitz points out, involves mistakes and bad practices prior to 25 May. Incidentally, on the cusp of GDPR's first anniversary, the Irish regulator announced a fresh probe into Google's practices.
"I don't think we really have a sense yet of what enforcement's going to look like under the GDPR," he continues. "There've been some breaches reported, there have been some incidents that governments have looked into. But we haven't yet seen the big, ugly case that has come out of actions that happened after May of 2018."
This, along with other aspects of the legislation and how it's enforced, may not be clear for at least a year or two. As Lefkowitz puts it: "The ink's not dry on practice under GDPR". These factors include not just the issue of de-identification but the yet-to-be-finalised ePrivacy Regulation, which seems to be stuck in the European Union's equivalent of 'development hell'.
"There are a number of topics that it's going to take a year or two to shake out. It's going to be interesting to see whether a 100-page law will be adaptable as computing and our interaction with devices and data change. We just don't know the answer to that yet."
Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.