Cyber Defense Magazine – July 2019

(Sean Pound) #1

also stretched human and financial capital of many smaller organizations that didn’t have dedicated staff
to implement proper GDPR policies and documentation. One of the largest beneficiaries of the regulation
has been legal experts who were retained to help companies navigate the vague language of the
regulation.


As the CISO of a global company, I have also felt the impact. From consulting with legal counsel, training
IT staff on how to respond to deletion requests and having conversations with all of our vendors in regard
to their GDPR posture, it has definitely added cycles to our already busy day-to-day schedules. But we
live in a digital world and the one thing that hackers are after in any attack that is of value is data, whether
it’s exfiltration or ransomware, malicious insiders or a nation state. It’s all about the data and we have to
do better.


The benefits of GDPR have definitely been in favor of the consumer. Eleven states excluding California
have introduced similar legislation and Congress has also introduced multiple data privacy bills such as
The Social Media Privacy and Consumer Rights Act of 2019. I don’t have a crystal ball, but I can pretty
confidently predict that GDPR paved the way for an onslaught of new laws and regulations to govern
data privacy and in the aftermath of all of the Facebook lapses, it’s clear that we are at a tipping point.
Recently, the Georgia Supreme Court ruled that the state has no obligation to protect personal
information. This ruling is a glaring example of the need for Federal laws that will govern data privacy
and protection statutes for consumers and will likely usher in a new wave of legislation.


I have summarized below what I see as the immediate pros and cons of GDPR:


Pros:

  1. Increased data privacy and security

  2. More transparency on how companies collect, use and share data

  3. States such as California (CCPA) are using the regulation to draft their own data privacy laws,
    which is a win for the consumer.

Cons:

  1. Vagueness of the regulation requires companies to hire expensive lawyers and consultants.

  2. The huge number of breach notices has overburdened Data Protection Authorities.

  3. Larger companies had to hire/appoint a Data Protection Officer.


What will the next year bring? I can confidently predict more breaches, more fines and more paperwork.
