
GDPR Industry Roundup: One Year to Go

GDPR Roundup: New Products, Surveys and Industry Commentary

Thursday, May 25, 2017 commenced the final countdown to the General Data Protection Regulation (GDPR): there is just one year before it comes into force. GDPR imposes complex new personal data protection requirements on any organization doing business in or with the European Union, and it is doubtful whether many, or any, organizations are automatically compliant. The result is a serious challenge for business and a major opportunity for the security industry.

What follows is a roundup of this week's new products, surveys and comments on GDPR.

New Products/Services


IBM Resilient - "GDPR is ushering in some of the most important changes to European data privacy regulations in twenty years, much of it involving policies and documentation that are difficult to improve with technology. The Resilient Incident Response Platform is designed to help businesses comply with GDPR. It prescribes and can orchestrate people, process and technology in specific responses to data breaches."

Forcepoint: GDPR-focused cloud service extensions - "We see the partnership growing between the CIO and CISO to implement solutions that securely enable the business shift to cloud computing while remaining in compliance with data privacy laws such as GDPR."

Wombat Security: new GDPR training module - "Within this module, end users will learn why they need to be active participants in overall GDPR compliance; how to make the right decisions about the data they create and handle; and what the consequences of non-compliance are for your organization."

New Surveys/Reports

Varonis: One Year Out: Views on GDPR - "What's most worrying about the findings is that one in four organizations doesn't have a handle on where its sensitive data resides. These companies are likely to have a nasty wake-up call in one year's time. If they don't have this fundamental insight into where sensitive data sits within their organizations and who can and is accessing it, then their chances of getting to first base with the regulations are minuscule and they are putting themselves firmly at the front of the queue for fines."

Kaspersky Lab: The IT department's GDPR journey towards good data health - "With less than a year to go, firms are in various stages of compliance preparation. But the regulation doesn't have to be a burden on one department alone. Every function in a business – from marketing to legal – has its role to play. Now is the time for IT departments to help them all on a journey towards good data health."

Blancco Technology Group: EU GDPR: Countdown to Compliance - "If an organization cannot find their customers' data, how will they be capable of erasing the data and complying with the EU GDPR's requirement? Once they do finally locate their customers' data, the next step is erasing the data permanently so that it can never be recovered. But as our study reveals, it's quite common for organizations to use insecure and unreliable data removal methods, such as basic deletion and free data wiping software, which further undermines their security and compliance to EU GDPR."

Guidance Software survey - "Only 15.7% of companies surveyed are in advance planning for GDPR, while 24% of organizations say they will not be ready by the May 2018 deadline."

Trend Micro: WannaCry Highlights Major Security Shortcomings Ahead of GDPR D-Day - "The unpalatable truth is that many of those organizations caught out by WannaCry earlier this month could face punitive fines if the same kind of thing happens again in a year's time... because an official Microsoft patch was available for weeks before the attack, the victim organizations could be said to have failed to take adequate security measures given the evident risks. Even virtual patching technologies exist to protect unpatched or unsupported systems."

Industry Commentary

Dr Jamie Graves, CEO at ZoneFox:

"The starting gun has officially been fired and one thing is for sure: from day one, the EU will not be accepting excuses. They believe organizations have had more than enough time to prepare. Those companies that haven't started to unravel what GDPR means for them need to get proactive. GDPR is all about data, and that's where companies need to start. It is imperative that they have a full, 360-degree view of data entering, leaving and being stored within their business. This visibility can then be used as a foundation to assess and restructure processes in order to ensure compliance. Although complicated, GDPR also presents companies with an opportunity. With data breaches becoming increasingly common and personal, by being compliant companies can demonstrate their commitment to data security and privacy. After all, it's not just money companies have to lose – their reputations are also on the line."

Richard Stiennon, chief strategy officer, Blancco Technology Group

"On day one, when the law goes into effect (May 25, 2018), a company can be held liable and subject to the fines, which are not specifically enforced for breaches, but for being out of compliance with the various requirements, including failure to appoint a DPO, failure to adhere to the 'right to be forgotten,' failure to notify the Supervisory Authorities of a data breach within 72 hours, to name a few."

Black Duck Software

"If your organization needs to comply with the General Data Protection Regulation, you'll need to examine the software eco-system you're using and include open source identification and management in your GDPR security program. As well as examining custom source code for vulnerabilities, ensure that the open source you or your vendor companies use is not introducing hidden security vulnerabilities."

Jason Hart, CTO, data protection at Gemalto

"Up until the 25th May 2018, EU businesses will be able to get away with keeping breaches from their customers, but this will change as the focus will be on protecting data going forward. Time is running out for businesses to get their house in order before GDPR comes into effect. Once that happens, we'll start to see the true picture of data breaches within Europe and the impact that will have on the reputation of a multitude of businesses. Companies need to realize that being breached is an inevitability and customers will not put up with those that can't protect their data. In order to be compliant, businesses must follow the six-step process outlined in the legislation."

Ross Brewer, vice president and managing director at LogRhythm

"With only 72 hours to notify authorities and, in some cases those affected, companies will be under greater amounts of pressure to have full insight into the scope and scale of an attack as soon as it's been identified. Time will be of the essence and it will be essential for organizations to have an accurate idea of the 'who', 'what', 'how' and 'how big' within those three days... businesses will require a more coordinated and efficient approach to threat detection that goes far beyond simply deploying firewalls or anti-virus. Having an end-to-end threat lifecycle management process that gives businesses the insight and full facts of a compromise from the offset will be vital, and businesses need to make sure they are adapting their strategies now so that they are fully prepared this time next year."

Richard Henderson, global security strategist, Absolute

"To describe the new rules as an update or a refinement in the data protection regime is not accurate – this is not a fine-tuning of the law. A far more fundamental change is taking place. Under EU GDPR, businesses will not be able to get away without having complete visibility into endpoint assets at all times so they can identify suspicious activity and take action – whether a device is connected to the corporate network or not. In this hyper-connected world, businesses cannot afford devices to 'go dark.' They need to maintain a constant connection, and have the ability to remotely control data stored on endpoint devices to stop them becoming the gateway to a damaging breach, and subsequently protecting themselves from the repercussions of lax security."

Richard Lack, managing director EMEA, Gigya

"GDPR, love it or hate it, is the EU's attempt to put consumers back in control of their online data and compel businesses to keep that data safe from hackers. No more obscure service agreements that we all accept with a single click and never read. Consumers know they're being mistreated and aren't happy about it; a recent survey by Gigya found 68 per cent of consumers don't trust brands to respect their privacy. How many will accept the terms to give away their data, given they have no obligation to do so? My prediction is zero... Businesses must, therefore, ensure that they have compliant systems in place to prevent a mass consumer 'opt-out' when the new regulations are enforced or even worse, face hefty penalties for non-compliance, with fines as large as four per cent of annual revenue."

Gerard Allison, VP of EMEA at Gigamon

"While EU GDPR is a positive step forwards in data protection, organizations need to be aware of new ways cyber criminals could take advantage of the situation. Ransomware is a popular tool for hackers yet this tactic could evolve into a different, more dangerous beast. Let's say for instance a hacker successfully breaches a network, but the business doesn't have the tools in place to detect the breach or simply doesn't report it. The hacker could threaten to report the organization to the ICO for non-compliance unless they paid them. Is it likely that a business would rather pay for a hacker's silence than pay eye watering fines for being non-compliant?"

Mike Palmer, executive vice president and chief product officer, Veritas

"In order to achieve compliance, the biggest challenge for many organizations globally is understanding what data resides in their complex IT environments, how to protect it and delete it from the network when requested or it's no longer needed. According to Veritas research, 32 per cent of organizations globally do not have the right technology in place to cope with GDPR. With one year to go, organizations should look to establish a clearly-defined governance strategy with data management tools at the core... The clock is ticking and it's not just fines that are at stake, but jobs, brand reputation and the livelihood of businesses globally."

Legal Comments

Callington Chambers

"The General Data Protection Regulation ("GDPR") is the biggest reform of data protection legislation in the last two decades. When it comes into effect on 25 May 2018, in addition to applying to businesses within the EU, the GDPR will also affect any businesses outside the EU that offer products or services to EU customers or monitor EU citizens."

Pillsbury Winthrop Shaw Pittman LLP

"These new laws will significantly impact any companies doing business in Europe, even those without a physical EU presence (e.g. U.S. companies targeting Europe). If you have a website, use customer or staff data or engage in almost any form of marketing you will likely be caught. The new very high fine levels for breaches and the need to be able to prove compliance mean companies, regardless of size, must take steps now to prepare."

Article 29 Working Party

The European regulators have published a series of guidelines on data portability, data protection officers, and supervisory authorities, and a draft guideline on impact assessments.

DLA Piper LLP - "The aim is to be compliant by 25 May 2018 but this may be challenging so it is sensible to focus on the most important and risky areas first."

Ashfords LLP - "The GDPR is an opportunity to streamline data protection practices and should enable organizations to strip back data which is inaccurate, out of date or irrelevant."

Squire Patton Boggs

"[GDPR] is aimed primarily at commercial processing of customer data but still has significant ramifications for HR's handling of employee data... and the new law will represent fertile ground for employees looking to blow the whistle on something. The numbers being waved around as possible fines are enormous, but even though we think they will be the tiny exception rather than the rule, this isn't an area for HR to treat casually."

Kingsley Napley

Referencing the UK's NHS and WannaCrypt, many victims were probably in breach of existing data protection regulations by using unsupported or unpatched Windows systems. "The EU General Data Protection Regulation (the 'Regulation') coming into effect on 25 May 2018, which replaces the DPA, largely repeats the security principles set out in the DPA. However, the GDPR enforces a much tougher and stricter regime, with more severe penalties for data breaches."

Squire Patton Boggs

Subject access requests (SARs) from employee to employer are complex. "Breach of the right to access personal data falls under a 'top tier' breach carrying a fine of up to €20 million or 4% of global turnover (whichever is higher), but it is self-evident that the sort of ordinary slips which employers make in responding to SARs from employees will not get within a hundred miles of this sort of number. Factors that could aggravate the situation are listed under the GDPR to include the intentional or negligent character of the infringement, any previous infringements, any losses or damage to the data subject. The examples of mitigating factors listed, on the other hand, are any actions taken by the controller to mitigate the damage suffered by data subjects and the degree of cooperation with the supervisory authority."

Osborne Clarke

Profiling: "The interpretation of Article 22 is imperative. Defined broadly, it will place significant burdens on organizations undertaking profiling for advertising and marketing purposes; defined narrowly, there is less cause for concern. We can expect guidance from the Article 29 Working Party later this year. In due course, we might also expect a common standard for measuring the effects of profiling.

In any case, with a year to go, organizations should be reviewing their profiling activities in light of the GDPR, and ensuring that they are taking the necessary steps to ensure compliance from (no later than) 25 May 2018."

Squire Patton Boggs

"A good way to get started on these tasks is to first educate and obtain C-level buy-in. While the possible sanctions are a strong motivator, it is important that your organization understands that GDPR compliance will add value by ensuring better data management. Once buy-in is secured, you should create a GDPR Core Group consisting of key stakeholders from major departments in your organization. Your GDPR Core Group will be essential in driving these tasks to completion."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.