Today marks the fourth anniversary of the EU General Data Protection Regulation (GDPR), which originally came into force in May 2018 and forced organizations to rethink the way they collect and store data from EU data subjects.
The GDPR gave consumers the right to be forgotten, while obliging private companies to obtain consent from data subjects to store their data and prepare to delete their information upon request.
But even years after the legislation came into force, many companies are struggling to maintain regulatory compliance while European regulators move to stricter enforcement action.
For example, Facebook is still struggling to comply with GDPR, as Motherboard recently discovered a leaked document that revealed the organization doesn’t know where all of its user data goes or how it’s processed.
Of course, the challenge of GDPR compliance isn’t just limited to Facebook. In fact, Amazon, WhatsApp and Google all had to pay nine-figure fines to European data protection authorities.
But why are so many organizations not complying with the regulation? The answer is complexity.
Why GDPR compliance is an uphill battle
The widespread movement of enterprises towards cloud services in recent years has increased complexity on all sides. Businesses use applications that store and process customer data in the cloud and often don’t have the visibility to protect those resources.
“Companies have done a lot of work to bring their systems and processes in line with the GDPR, but it is an ongoing exercise. As regulations change, so does technology,” said Steve Bakewell, Managing Director EMEA at penetration testing provider NetSPI.
“For example, the increasing use of cloud services has resulted in more data, including personal data, being collected, stored and processed in the cloud,” Bakewell said.
With more data being stored and processed across native, hybrid and multi-cloud environments, organizations must secure, and maintain visibility into, exponentially more data that sits beyond perimeter defenses and traditional network monitoring.
Organizations like Facebook, which cannot determine exactly where personal data resides in a cloud environment or how it is processed, inevitably violate the regulation because they can neither secure customer data nor remove the data of individuals who have withdrawn their consent.
Maintaining GDPR compliance in 2022 and beyond
While the GDPR mandates excellence in data processing in the cloud age, there are some strategies organizations can employ to make compliance more manageable. The first step for organizations is to identify where sensitive data is stored, how it is processed, and what controls or procedures are in place to protect or, if necessary, delete it.
Bakewell recommends organizations “understand and implement both privacy and security requirements in systems that process the data, and then conduct appropriate testing across all systems, on-premises, cloud, operational technology, and even physical, to validate that controls are effective and risks are properly managed.”
Of course, determining how data is being used in the environment is easier said than done, especially when it comes to identity data as the number of digital identities that businesses are storing increases.
“Organizations have spread their identity data across multiple sources, and this spread of identity results in overlapping, conflicting, or inaccessible data sources. When identity data isn’t properly managed, it becomes impossible for IT teams to create accurate and complete user profiles,” said Chad McDonald, chief of staff and CISO at data fabric solution provider Radiant Logic.
When organizations fail to keep identity data accurate and to a minimum, they risk penalties for non-compliance.
To address this challenge, McDonald recommends organizations use an identity data fabric solution to unify data subjects’ disparate identity data into a single global profile. This allows data security teams to have a more comprehensive view of user identity data in the environment and the controls in place to limit user access.
Looking beyond GDPR: the next wave of data protection regulations
One of the most challenging aspects of the GDPR legacy is that it has sparked a global movement of privacy regulations, with countries and jurisdictions around the world implementing their own local and international privacy mandates that impose new controls on organizations.
For example, in the US alone, California, Colorado, Connecticut, Virginia and Utah have all begun to enact their own privacy or data protection laws, the most well known of which is the California Consumer Privacy Act (CCPA).
The US is not alone in implementing new data protection frameworks, with China creating the Personal Information Protection Law (PIPL), South Africa the Protection of Personal Information Act (POPI) and Brazil the General Personal Data Protection Law (LGPD).
With regulatory complexity mounting on all sides, GDPR compliance is not enough for businesses to avoid data breaches. They must comply with any regulations they are subject to.
For example, while the GDPR allows personal data to be transferred across borders as long as it is adequately protected, the PIPL does not. As a result, companies doing business in Europe and China would need to implement a single set of controls compatible with both.
While the GDPR states that you simply need a legal ground to collect the personal data of EU data subjects, the CCPA requires that you enable users to opt out of the use of their personal data.
The writing on the wall is that without an effective meta-compliance strategy, companies cannot hope to keep up with these regulatory changes.
In practice, this means implementing controls and policies aimed at reducing regulatory density and working towards simultaneous compliance with multiple regulations, rather than addressing each regulation in isolation.