Happy first birthday, GDPR! So, what have we learned?
The EU’s comprehensive privacy law, General Data Protection Regulation (GDPR), significantly expands the privacy rights granted to individuals. It also places many new obligations on businesses and other organizations that handle personal information.
GDPR Effects — Year One
I sat down with our own Ilkka Turunen, who serves as the Global Head of Solutions Architecture at Sonatype and has been following GDPR closely, to get his take on what’s worked and what hasn’t. According to him, the EU’s law succeeded in raising awareness about data security and privacy. “We’re starting to see an emerging culture of discussion and visibility with GDPR’s reporting requirement,” he noted. GDPR requires disclosure within 72 hours of a data breach.
GDPR is also driving a culture of data traceability. Vendors are establishing processes to comply with the law and looking for leadership. Data provenance is part of a protection process. As Ilkka put it “true change and processes will start to evolve this year. Last year was a race to get started and offer basic compliance.”
GDPR’s implementation offers a glimpse at how the U.S. may enact similar measures. California, for example, voted for the California Privacy Act of 2018 (CA AB-375), a set of standards loosely referred to as “GDPR for America”. Californians are currently debating the particulars, but, by virtue of the state’s economic power, will lead the nation. The law goes into effect in 2020.
Industry Response to GDPR
GDPR’s focus on personal data highlights how software is made and what components are used. Globally, businesses awoke to the reality that open source components are part of their software supply chains.
“Security hasn’t caught up to 21st-century software engineering, so that’s being addressed now,” he said. GDPR put pressure on the industry to rethink, and re-engineer, software security at the start.
Ilkka emphasized that negative publicity is a key motivating factor. No one wants to be part of the next big breach, meaning security is quickly becoming a mainstream priority, he adds.
Simultaneously, a corporate shift is occurring. More software development teams are adopting a DevOps approach to production. This approach, which favors rapid iterations and software releases, produces better software, faster. A consequence is that security must be embedded from the start. A successful, secure design must be automated, repeatable, and scalable.
The DevOps process is shifting corporate culture because teams must collaborate internally. They must also reset expectations about team members. Frequently, the open source community is a trusted development partner.
InfoSec Response to GDPR
GDPR’s greatest early success may be by bringing information security into business, not tech, terms. Now, it is a top priority for C-suite executives.
Highlighting what this means in practice, Ilkka shares that “[GDPR] has driven visibility to the board level, as a contributor to the bottom line. GDPR makes it easier to communicate risk in a way that boards understand increasingly seeing more explicit ‘security re-think’ programs that only comes with top-level, executive sponsorship.
“All businesses are now tech businesses. Security is moving from a compliance activity to a risk mitigator; security is fundamentally transforming the value delivery,” he continued. Ilkka noted that this makes open-source communities and contributions more visible at the board level, too.
“I think the software supply chain and open source components remain the new front line for security. As an industry, we’ve barely scratched the surface [on what needs protection, and anticipating risks].”
While GDPR has brought some of the conversations to the forefront, there is still a lot of work to be done. We will continue to see bigger breaches ahead and further calls for increased software supply chain security.
“Soon we will start to see more in-depth consideration of best practices. ‘Secure by design’ will be the default,” parting words on the topic from Ilkka.