GDPR, a year later
IT Digital Security includes in its edition the special “GDPR, a year later”, in which, among other professionals, REALSEC’s CEO, Jesús Rodríguez, has participated; we share his interview below.
A year ago, GDPR became the leading force in data protection standards for Europe. Million-dollar fines were feared, although there have not been remarkable headlines on the subject.
Are companies complying with the Regulation?
In the case of Spain, to answer this question with sound criteria, it would be necessary to have some figures that I do not have.
However, from my business relationships with customers and suppliers, I can venture to say that, today, more than 50% of Spanish companies do not comply with the GDPR. We speak mainly of small and medium-sized companies and, to a certain extent, the public administrations themselves, which by their very nature should be the first to set an example. Not to mention the uproar regarding the use and processing of personal data that political parties seem to intend in order to customize their electoral propaganda.
What have we learned from the first year of GDPR?
The first lesson we have learned is that complying with this new regulation, this new law, makes some uneasy and is not to the liking of others either. This is most likely because there hasn’t been enough sensitizing of the top management of some companies and government entities about the importance of protecting the privacy of individuals in the current digital age.
The second lesson we have learned is that, to achieve regulatory compliance with the GDPR, it is necessary to have a methodology that facilitates fulfilment of the GDPR and its follow-up over time, as well as to train and sensitize the people who handle personal data on the importance of using and processing that data in accordance with the standard.
What are the improvements achieved with the GDPR?
From my point of view, the main improvement provided by GDPR is greater awareness of the importance of making appropriate use of personal data and of the impact that non-compliance has in terms of the violation of the constitutional rights of individuals.
In the digital age, I think it is relevant and important to protect the data of individuals.
Has GDPR boosted the security business as much as it was expected?
The GDPR does not establish the obligation to implement specific security mechanisms or technical measures, but these may be necessary as a result of a risk analysis aimed at safeguarding the confidentiality and integrity of personal data. These measures include the use of cryptographic techniques, as Article 32 establishes, without limitation.
Regarding this matter, the majority of companies that have adapted or are in the process of adapting to the GDPR have invested, and continue to invest, only in adopting internal measures or solutions, without excessive enthusiasm, in order to have a quick solution.
From this point of view, I think the GDPR has not boosted the security business in the way that was expected.
Has GDPR boosted, as expected, the adoption of encryption techniques?
My answer to this question follows on from the previous one.
Although Article 34 of the GDPR determines that, in the event of a personal data breach, communication to the data subject will not be necessary if the controller has established technical measures such as, for example, encryption, I think there are very few companies in our country that have adopted such measures.
Apparently, there are many companies that consider that insurance is only for pessimists.
You can read this special at the following link (in Spanish): itds19