Today marks the fourth anniversary of the EU’s General Data Protection Regulation (GDPR), which originally came into effect in May 2018, and forced organizations to rethink the way they collect and store data from EU data subjects.
The GDPR gave consumers the right to be forgotten, while mandating that private enterprises needed to collect consent from data subjects in order to store their data, and prepare to remove their information upon request.
However, even years after the legislation went into effect, many organizations are struggling to maintain regulatory compliance while European regulators move toward stricter enforcement actions.
For example, Facebook is still having difficulties complying with the GDPR, with Motherboard recently discovering a leaked document revealing that the organization doesn’t know where all of its user data goes or how it’s processed.
Of course, the challenge of GDPR compliance isn’t unique to Facebook. In fact, Amazon, WhatsApp and Google have all had to pay nine-figure fines to European data protection authorities.
But why are so many organizations failing to comply with the regulation? The answer is complexity.
Why GDPR compliance is an uphill battle
The widespread movement of organizations toward cloud services over the past few years has increased complexity on all sides. Organizations use applications that store and process customer data in the cloud, and often lack the visibility they need to protect these assets.
“Companies have done a lot of work to bring their systems and processes in line with the GDPR, but it is a continuous exercise. In the same way regulations change, so does technology,” said Steve Bakewell, managing director EMEA of penetration testing provider NetSPI.
“For example, the increasing uptake in cloud services has resulted in more data, including personal data, being collected, stored and processed in the cloud,” Bakewell said.
With more data stored and processed in native, hybrid and multicloud environments, enterprises have exponentially more data to secure and maintain transparency over, and that data sits beyond the perimeter defenses and oversight of the traditional network.
Organizations like Facebook that can’t pin down where personal data lives in a cloud environment, or how it’s processed, inevitably end up violating the regulation, because they can neither secure customer data nor remove the data of subjects who have withdrawn consent.
Maintaining GDPR compliance in 2022 and beyond
While the GDPR is mandating data handling excellence in the cloud era, there are some strategies organizations can use to make compliance more manageable. The first step for enterprises is to identify where sensitive data is stored, how it’s processed and what controls or procedures are needed to protect or erase it if necessary.
Bakewell recommends that organizations “understand and implement both privacy and security requirements in systems handling the data, then test accordingly across all systems, on-prem, cloud, operational technology, and even physical, to validate controls are effective and risks are correctly managed.”
Of course, identifying how data is used in the environment is easier said than done, particularly with regard to identity data, as the number of digital identities businesses store keeps increasing.
“Organizations have been scattering their identity data across multiple sources and this identity sprawl results in overlapping, conflicting or inaccessible sources of data. When identity data isn’t properly managed, it becomes impossible for IT teams to build accurate and complete user profiles,” said chief of staff and CISO at identity data fabric solution provider Radiant Logic, Chad McDonald.
If organizations fail to keep identity data accurate and minimized, they’re at risk of non-compliance penalties.
To address this challenge, McDonald recommends that enterprises unify the disparate identity data of data subjects into a single global profile with an Identity Data Fabric solution. This enables data security teams to have a more comprehensive view of user identity data in the environment, and the controls in place to limit user access.
Looking beyond the GDPR: the next wave of data protection regulations
One of the most challenging aspects of the GDPR’s legacy is that it’s kickstarted a global movement of data protection regulations, with countries and jurisdictions across the globe implementing their own local and international data privacy mandates, which impose new controls on organizations.
For example, domestically in the U.S. alone, California, Colorado, Connecticut, Virginia and Utah have all begun producing their own data privacy or data protection acts, the most well-known being the California Consumer Privacy Act (CCPA).
The U.S. isn’t alone in implementing new data protection frameworks either, with China creating the Personal Information Protection Law (PIPL), South Africa creating the Protection of Personal Information Act (POPI) and Brazil creating the General Data Protection Law (LGPD).
With regulatory complexity mounting on all sides, compliance with the GDPR isn’t enough for organizations to avoid data protection violations; they need to be compliant with every regulation they’re exposed to.
For example, while the GDPR permits the transfer of personal information across borders so long as it’s adequately protected, the PIPL doesn’t. So organizations doing business in Europe and China would need to implement a single set of controls that are compatible with both.
Similarly, while the GDPR says you merely need to have a legal basis for collecting the personal data of EU data subjects, the CCPA mandates that you enable users to opt out of personal information practices.
The writing on the wall is that organizations can’t hope to keep up with these regulatory changes without an efficient meta-compliance strategy.
In practice that means implementing controls and policies that are designed to mitigate regulatory sprawl and to work towards compliance with multiple regulations at once, rather than taking a regulator-by-regulator approach to compliance.