On October 16th, EIF hosted a lunch debate on ‘The impact of GDPR on cybersecurity and on the development of the Internet’ chaired by Peter Kouroumbashev MEP and EIF Member.
MEP Peter Kouroumbashev opened proceedings by reminding guests that, since GDPR went into effect on May 25th, citizens’ rights to privacy in the digital age have been reinforced. Moreover, other countries and companies have expressed interest in using GDPR as a regulatory standard globally, showing that it is a positive example of EU legislation leading at the international level.
Göran Marby, ICANN President & CEO, shared a few of ICANN’s experiences while working with GDPR. With regard to its WHOIS database, access has been hindered and, due to the way the law is defined, ICANN cannot guide any police force, intellectual property holder or investigative journalist in accessing the data needed for their investigations. WHOIS is just one of the thousands of databases ICANN operates for which it is trying to overcome these unintended consequences.
Ilias Chantzos, Senior Director EMEA at Symantec and Global CIP and Privacy advisor, offered a business and market impact perspective on GDPR. Mr Chantzos started off by pointing out that “It has been expensive: according to IDC, software sales related to GDPR have reached 2.3 bn by 2017 and will reach 3.7 bn US dollars by 2019.” A market has been created, and that is easy to see in the way people and companies approach innovation and offer tools and services around GDPR implementation and governance, from law firms to consultancies. When companies have to comply with GDPR, it is not just about the security measures, the principles or breach notification; there is also a need for general good governance, in which data mapping plays an essential role. Besides being expensive, it has been a good opportunity for an overall clean-up and for putting in place systems that improve the security posture and give organisations more flexibility. In Mr Chantzos’ opinion, the big challenge with regard to GDPR will be “how to empower the consumers, now that they have this very powerful regulatory framework, with the tools to be able to protect their own privacy seamlessly and effectively”.
The law enforcement perspective on GDPR was brought to the table by Gregory Mounier, Head of Outreach at the European Cybercrime Centre at Europol: “the EU has marked the ground with the most robust privacy and data protection regime in the world”. The benefits include the coordination and unification of data protection approaches across the Member States, the strengthening of the individual’s right to control his data, and the obligation on companies to better protect people’s data and to report data breaches within 72 hours, the latter being essential for the law enforcement community. As for unintended consequences, the reporting obligation may push a breached company into negotiating an amount the hacker would receive in return for not publishing the sensitive information. Giving in to the hacker’s extortion will not only be useless, as the information would be sold on the dark web anyway, but will also fuel the cybercrime ecosystem. Moreover, timely access to the WHOIS database is absolutely essential for the law enforcement community, and GDPR has created some burdens in this respect.
Steve Purser, Head of Core Operations at ENISA, also supported the idea that the General Data Protection Regulation has created a lot of awareness and willingness among people to learn more about and protect data privacy. However, a practical and pragmatic correction needs to be put in place in order to avoid the creation of a highly litigious society. Mr Purser stated that, in his opinion, the claims that GDPR has had a negative impact are false, and reiterated the importance of having people reflect on what privacy really means: “In information security, context is very important and the GDPR has got people thinking of it. It has made this complexity transparent and it has shown people that we are seeking to develop trust.” The regulation will have an inhibitive effect in the short term, but GDPR will be a strong enabler in the long term.