GDPR – Improving Data Privacy and Cyber Resilience?

GDPR’s Policy Enforcement Will Likely be Tested on a Broad Scale in 2019

Almost a year ago, the European Union’s General Data Protection Regulation (GDPR) went into effect. The law requires any organization that stores or processes personal information about EU citizens within EU states to comply with GDPR, even if it does not have a business presence within the EU. Organizations that are found to be non-compliant can be fined up to four percent of their annual global turnover or €20 million (whichever is greater). Many industry experts had high hopes that GDPR would have a positive impact on protecting the privacy rights of EU citizens, while helping businesses strengthen their cyber security posture as an added benefit. Let’s consider whether these expectations have been met.

Due to the sheer volume of data breaches and cyber-attacks that have exposed billions of personal data records over the past several years, legislators in the EU saw the need to enact further privacy protections for its citizens. GDPR aims to harmonize data privacy laws across the region, protect EU citizens’ data, as well as reshape the way organizations approach data privacy. Inherently, GDPR provides consumers with a right to consent to the storage of their data and be able to review their own personal data in terms of how it is being processed. In addition, organizations are required to notify the appropriate national bodies and impacted consumers as soon as possible about a personal data breach to ensure EU citizens can take appropriate measures to prevent their data from being abused.

The data that falls under GDPR protection ranges from basic information (e.g., name, address, ID numbers) and Web data (e.g., geolocation, IP address, cookie data, RFID tags) to health and genetic data, biometric data, racial or ethnic data, political opinions, and sexual orientation.

Even though GDPR has only been in effect for nine months, regulators across Europe have seen the number of breach notifications ― which are now mandatory for those breaches that likely “result in a risk for the rights and freedoms of individuals” ― surge significantly. According to the DLA Piper GDPR Data Breach Survey: February 2019, over 59,000 personal data breaches were reported to regulators in the first eight months since GDPR went into effect. This doesn’t necessarily mean that more breaches occurred than in the past, but simply reflects the fact that organizations are now mandated to report these breaches, contributing to better transparency. 

Since many data protection authorities have a big backlog of data breach reports, it is not yet clear how organizations are being affected by potential GDPR fines. According to DLA Piper, only 91 reported fines have been imposed in the first eight months. However, not all these fines were related to personal data breaches. The real test case for future GDPR fines will be the well-publicized data breach at British Airways, which exposed more than 550,000 passenger and payment card records. As the airline’s response was well orchestrated, it will be interesting to see the size of the fine that will be levied. Many organizations will likely take the outcome of this case into consideration to model their own strategy.

The Main Pillars of GDPR Compliance

Many organizations continue to struggle with GDPR, while regulators continue to adjust their guidance based on new learnings. By implementing the core pillars of GDPR, organizations can ensure they meet the mandate’s requirements while strengthening their cyber security posture. GDPR spans four key elements:

1. Privacy Information – Obviously, privacy protection is the heart and soul of GDPR. Therefore, organizations need to conduct the following steps:

a. Explore what data is being collected, why, and how it is being processed;

b. Work with the legal team to establish a privacy policy that covers all aspects of GDPR; and

c. Establish mechanisms for customers to opt-in, opt-out, and request to review their data via online forms/tools.

2. Organizational Structure – Under the GDPR mandate, organizations need to designate a data protection officer. In addition to creating this role (if it doesn’t already exist) it is important to train all staff on the details of GDPR and how it applies to their job functions. In this context, it is helpful to establish internal policies on data security, data integrity, and data retention. These documents are commonly requested should the GDPR information commissioner’s office ever investigate a complaint. 

3. Preventive Measures – Many security professionals were hopeful that GDPR would provide budget increases that would allow them to make new investments designed to minimize the risk of a data breach. For example, Gartner raised its forecast of expected spending on IT security and risk management in 2019 to $137 billion. Since 80 percent of all hacking-related data breaches involve privileged account compromise, Gartner predicts that Privileged Access Management (PAM) will be the second-fastest growing information security technology segment and among the Top 10 security projects for 2019.

Because identity has become the new security perimeter and battleground for mitigating cyber-attacks that impersonate legitimate users, investing in Zero Trust Privilege can yield significant benefits. In fact, PAM plays a critical role in helping organizations become and remain compliant with GDPR since it enforces access policies to critical data and provides super admins with complete visibility over each individual privileged user and their sessions, including what they do, when, and how. 

4. Incident Response – Under GDPR, breach notifications are now mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Organizations are also required to notify their customers “without undue delay” after first becoming aware of a data breach. Organizations must establish proper incident response mechanisms to meet these requirements.

2019 is likely to be the first year that GDPR’s policy enforcement will be tested on a broad scale. For organizations, GDPR represents an opportunity to fine-tune their existing data privacy processes and procedures, as well as align their security strategies with today’s threatscape. One of the leading ways to accomplish the latter involves implementing identity-centric security measures to counter the primary source of breaches ― privileged access abuse.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
