The Lockdown

Thycotic’s Cyber Security Blog

EU GDPR two years in: What’s happened so far, and what’s in store for the future?

Written by Joseph Carson

July 21st, 2020

On May 25th, 2020 EU GDPR turned two years old, and the anniversary passed with little noise. I suspect everyone has been distracted by other events, notably the COVID-19 pandemic, which has put much of the world on pause for the time being, EU GDPR enforcement included.

EU GDPR has raised the bar for digital rights, sovereignty, privacy, and security around how EU citizens’ data is collected and processed. Personally Identifiable Information (PII; the regulation itself uses the broader term “personal data”) has become extremely valuable. PII is a tangible asset for most technology giants, whose revenue is based on creating a personalized experience for their user base and targeting them with advertisements in exchange for so-called free services.

Several countries, along with some US states, have already adopted their own versions of EU GDPR. South Africa’s POPIA (Protection of Personal Information Act) commenced on July 1st, 2020, and the CCPA (California Consumer Privacy Act) came into effect on January 1st, 2020. It’s likely that more countries will adopt similar regulations to help protect their citizens in a global digital society.

A quick recap on EU GDPR

The EU General Data Protection Regulation was drafted over several years before it replaced the Data Protection Directive (95/46/EC) of 1995. The idea was to build a consistent foundation across all European Union Member States, so that there is a basic commonality in how personal data is protected regardless of which country a controller or processor operates in.

There is a strong focus on ensuring that any nation-state, organization, or company dealing with European citizens’ PII complies with the regulation. Organizations that process the personal data of European citizens must meet a defined standard: data protection, adequate security measures, and privacy by design. When there is a data breach or disclosure of information, they are obliged to notify the competent national supervisory authority (the Data Protection Authority) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. They also have an obligation to notify the affected individuals without undue delay when the breach is likely to result in a high risk to them. So there is now a foundation for accepting responsibility and accountability when it comes to dealing with European citizens’ data.

As a result, organizations that collect excessive information are responsible and accountable for it, and the more information they gather the more responsibility and accountability they take on. If there is a breach and it is found that adequate security measures were not in place, significant penalties may follow: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

My opinion on EU GDPR

I first got involved in the EU GDPR in 2008 right after the major nation-state attack on Estonia. The country fell victim to a massive DDoS and cyber-attack.

Initially, I thought the GDPR was a bad idea—punishing companies for failure to defend against cybercriminals.  It’s like punishing a bank for getting robbed.  But after speaking to one of the European Digital Ministers in 2012 while reviewing several of the early EU GDPR drafts, my mind was changed.

We were talking about cybersecurity and data, but the discussion turned into a chat about international waters.  I was heavily involved in the maritime industry at that time, helping with cybersecurity and digital transformation such as autonomous shipping, automation and cyber resilience. So I was familiar with the challenges.  I came up with a maritime analogy for EU GDPR:  international waters are cyberspace and data is the shipping containers moving from port to port, eventually reaching their final destination.  Data was being considered extremely valuable, especially personal information, and would one day be more valuable than oil.

The EU realized that as data moved through cyberspace it needed a way to protect that data, and in shipping it is the flag of the vessel that determines which law applies to the vessel while in international waters. EU GDPR was a flag on PII data in cyberspace to bind it to law no matter where it travels in cyberspace. This was at a time when many organizations had experienced major data breaches, most as a result of poor cybersecurity practices. But the victims were not the large organizations that had poorly protected the data. Instead, it was the citizens and users of those internet services that had to deal with the consequences of identity theft, financial fraud, and sensitive personal data that was now publicly available on the internet.

This discussion changed my opinion on EU GDPR. I quickly recognized its importance in a data-centric digital world, as well as the importance of protecting citizens’ PII data and the accountability that organizations must take when in control of this data.  Organizations must treat PII data like they do financial data, or cash in a bank vault. If stolen or compromised it has a significant impact on someone.

EU GDPR is a borderless entity

EU GDPR is not bound by any borders. Any organization dealing with EU citizens’ PII is obliged to comply, including services hosted outside of the EU that serve EU citizens. Yes, even if you are NOT based in the EU, if you deal with the PII of EU citizens then EU GDPR applies to you. Strictly speaking, Article 3 defines the territorial scope in terms of establishment in the Union and of offering goods or services to, or monitoring the behaviour of, data subjects who are in the Union, so residence and location matter more than citizenship; in practice the safe assumption is that any EU-related personal data is in scope.

If I could make one change to EU GDPR, it would be to separate Personal Information and Personally Identifiable Information into two unique classifications. My hope is that continuous improvements will be made in future amendments based on the past few years’ experiences.

What has happened so far?

Companies got breached, of course. Data was stolen and the incidents were reported to the relevant national Data Protection Authority (DPA), which in the UK is the Information Commissioner’s Office (ICO). In 2018, Facebook got lucky when it was fined by the ICO for serious breaches of the Data Protection Act 1998 (the law in force before EU GDPR took effect). The fine was only £500,000, the maximum penalty under the old law. A few other companies were also fined in 2018: a hospital in Portugal for poorly controlled privileged access to patient records, and a small business in Austria whose CCTV camera was capturing public space (though this particular fine was successfully appealed in 2020).

2019 was the year the EU GDPR got serious

Then 2019 arrived. Having completed its introduction phase, EU GDPR got serious and companies that got breached got fined big. That year more than 30 major fines were issued, with over €400 million in financial penalties. Google was the first company to come under GDPR focus and was fined €50 million by the French regulator CNIL for lack of valid consent and transparency, including pre-selected opt-in for personalized ads.

Several hospitals, government agencies, and educational institutions also attracted fines for poor privileged access management: they either failed to protect personal information with appropriate authentication or stored significant data without proper consent. British Airways and Marriott, both breached in 2018 (or at least discovering that year that they had been breached), received the largest penalties announced to date. British Airways faced a fine of €204 million after around 500,000 customers’ records were stolen, and Marriott a fine of €123 million after it discovered that its Starwood reservation database had been compromised between 2014 and 2018. Both figures were notices of intent from the ICO and, at the time of writing, had not yet been finalised.

These are some of the reasons companies got fined under EU GDPR:

  • Not having adequate security protection, such as privileged access management, authentication and multi-factor authentication for accessing personal information
  • Not having appropriate consent for mass collection of personal information, such as having pre-checked opt-in or ignoring opt-out requests
  • Failure to inform DPA within 72 hours of breach discovery

Among the reasons that some companies were fined less: they cooperated more closely with the DPA investigation.

2020 has been a bit of a pause moment

In 2020 the number of EU GDPR fines issued has been much lower than in the previous year, with approximately nine major fines to date. COVID-19 has limited data breach investigations; several fines have been put on hold while the companies concerned deal with serious financial challenges, and some countries have applied emergency laws that allow certain exceptions to GDPR.

The impact COVID-19 has had on applying EU GDPR has been considerable, especially when it comes to privacy questions around contact tracing, health data monitoring, data sharing, and thermal cameras used to identify potential COVID-19 cases. Some governments centralized the data collected, while others decided to stay within the EU GDPR framework and took a decentralized contact tracing approach, supported by both Google and Apple. The UK attempted a centralized app of its own, but it failed and the UK has since decided to switch to the Google and Apple framework.

Even though COVID-19 has put a pause on EU GDPR, it will likely restart later in 2020.

Compliance does not make you immune to cyber breaches

Remember, complying with the EU General Data Protection Regulation does not mean you are 100% protected from cyber-attacks, and it does not prevent you from being hacked. What it does is force you to assess and document your risks more rigorously.

Complying with the General Data Protection Regulation means:

  • you’ve identified what PII from EU citizens you’re collecting or processing
  • you’ve performed the appropriate processes to ensure consent, adequate security, and the right to erasure
  • you have not collected excessive data
  • you’ve used the data for the appropriate purposes

It means you have accountability over the collection or processing of EU Citizens’ PII.

The quick EU GDPR Checklist

  1. Are you collecting or processing EU Citizens’ Data?
  2. Are you obtaining and recording Consent?
  3. Have you performed a Data Protection Impact Assessment (DPIA)?
  4. Have you secured access to PII?
  5. Have you implemented Privacy by Design?
  6. Are you prepared to respond to complaints?
  7. Do you require a Data Protection Officer?
  8. Have you implemented an Incident Response Plan?

EU GDPR and the importance of Privileged Access Management (PAM)

As the major data breaches and GDPR fines to date show, one of the critical controls for adequate security is privileged access management. A comprehensive PAM program ensures that access to PII is controlled, monitored, and limited to those who need it, reducing both unauthorized insider abuse and access by external cybercriminals.

But PAM is no longer just about securing privileged accounts within an enterprise vault. Now it is about the secure use of privileged accounts and secure access to privileged data. As more companies have adopted privileged account management solutions, those solutions have become important enablers of a holistic security program, which in turn has propelled the evolution of PAM.

Privileged access management has become a priority, helping organizations meet ever-growing compliance and security requirements; access control is where many organizations fail an audit. PAM is not only a must for compliance but also a business enabler, helping organizations with complex interoperability projects, reducing over-privileged users, and cutting helpdesk costs caused by constant failed logins and password resets. PAM is now a positive business experience and has helped reduce cyber fatigue.

The Principle of Least Privilege is another important security control for EU GDPR compliance. Least privilege is intended to prevent over-privileged access by users, applications, or services, reducing the risk and blast radius of exploitation without impacting productivity or burdening the IT help desk.

It’s helpful to think of least privilege by another name—least authority. That’s because it provides only enough authority for an entity to complete the job at hand. The least privilege model can also help curtail costs and increase efficiency.
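To make the “reducing over-privileged users” idea from the PAM and least privilege paragraphs above concrete, here is an added example (not code from the original post or from Thycotic): a small Python review script that compares what each principal has been granted against what the access log shows it actually exercised, and reports the unused grants a least-privilege review would revoke, flagging the privileged ones first. The principals, permission names, the notion of which actions count as privileged, and the log lines are all constructed for illustration.

```python
"""Least-privilege right-sizing review (added example; all data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed grants: principal -> permissions it currently holds ("resource:action").
GRANTS = {
    "svc-billing": {"customers:read", "invoices:read", "invoices:write", "customers:export"},
    "alice": {"customers:read", "customers:write", "customers:export", "users:admin"},
    "bob": {"customers:read"},
}

# Constructed access log, one event per line:
# "<timestamp> <principal> <permission> <ALLOW|DENY>"
ACCESS_LOG = """\
2020-06-01T09:12:03Z svc-billing invoices:read ALLOW
2020-06-01T09:12:04Z svc-billing invoices:write ALLOW
2020-06-01T10:02:11Z alice customers:read ALLOW
2020-06-01T10:05:45Z alice customers:export ALLOW
2020-06-02T11:30:00Z bob customers:read ALLOW
2020-06-02T11:31:00Z bob customers:write DENY
2020-06-03T08:00:00Z svc-billing customers:read ALLOW
"""

# Constructed notion of which actions count as privileged for this review.
PRIVILEGED_ACTIONS = {"write", "export", "admin"}


def is_privileged(perm):
    """True when the action part of "resource:action" is in PRIVILEGED_ACTIONS."""
    return perm.split(":", 1)[1] in PRIVILEGED_ACTIONS


@dataclass(frozen=True)
class Review:
    principal: str
    used: frozenset             # granted and exercised at least once in the window
    unused: frozenset           # granted but never exercised: candidates for revocation
    unused_privileged: frozenset  # the subset of unused grants that are privileged
    denied_attempts: frozenset  # requested but not granted: unmet need, or probing


def parse_log(text):
    """Return {principal: {"allow": set(perm), "deny": set(perm)}} from the log text."""
    usage = defaultdict(lambda: {"allow": set(), "deny": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, principal, perm, result = line.split()
        if result not in ("ALLOW", "DENY"):
            raise ValueError(f"unexpected result {result!r} in log line: {line}")
        usage[principal][result.lower()].add(perm)
    return usage


def review_grants(grants, log_text):
    """Compare each principal's grants against observed use in the log window."""
    usage = parse_log(log_text)
    reviews = {}
    for principal, granted in grants.items():
        seen = usage.get(principal, {"allow": set(), "deny": set()})
        used = seen["allow"] & granted
        unused = granted - used
        reviews[principal] = Review(
            principal=principal,
            used=frozenset(used),
            unused=frozenset(unused),
            unused_privileged=frozenset(p for p in unused if is_privileged(p)),
            denied_attempts=frozenset(seen["deny"]),
        )
    return reviews


def minimal_grants(grants, log_text):
    """The right-sized grant set: only permissions that were actually exercised."""
    return {p: set(r.used) for p, r in review_grants(grants, log_text).items()}


if __name__ == "__main__":
    for r in review_grants(GRANTS, ACCESS_LOG).values():
        print(f"{r.principal}: revoke {sorted(r.unused) or 'nothing'} "
              f"(privileged: {sorted(r.unused_privileged) or 'none'}); "
              f"denied attempts to review: {sorted(r.denied_attempts) or 'none'}")
```

Two caveats a practitioner would apply before acting on the output: a permission that is exercised rarely (a quarterly export, an emergency admin action) can look unused in a short observation window, so revocation candidates should be confirmed with the owner rather than removed blindly; and the denied attempts list is worth reading both ways, since it can reveal a legitimate need that was never granted or an account probing for access it should not have.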

To learn more about Least Privilege Security download a free copy of my eBook: 
Least Privilege Cybersecurity for Dummies.

Also, listen to Thycotic’s 401 Access Denied Podcast on least privilege cybersecurity:
What the Heck is Least Privilege Security Anyway?

While GDPR has presented tough challenges for companies it has also forced them to look at the data they are collecting and consider its security. So yes, GDPR has made a positive impact because, while it’s not perfect, it’s made many companies do more to protect the personal data they’ve been entrusted with.

Some aspects of GDPR have created challenges for tools that law enforcement and cyber security researchers rely on to make the internet a safer place (public WHOIS domain registration data is one example), but these are challenges we can overcome while keeping GDPR in place and successful. In the end, it’s up to us to make the world and the internet a safer, more secure place where we are not abused.
