How GDPR is Unintentionally Driving the Next Decade of Technology

Companies, organizations and sometimes even government agencies have been careless with the personal information they have traditionally collected. In their defense, personally identifiable information, sometimes simply called PII, wasn’t historically much of a target for hackers and criminals. Today however, PII is like gold for many attackers because of their ability to leverage things like a person’s name, birthdate, social security number, credit card data or other unique information to commit secondary crimes such as phishing attacks and identity theft.

While information protection laws within the United States have mostly been non-existent, or confined to narrowly defined industries such as healthcare under the Health Insurance Portability and Accountability Act (HIPAA), the steady drumbeat of constant breaches like the massive data theft at Equifax and the ubiquitous monitoring of consumer behavior have forced Europe to act.

Within the European Union, this takes the form of the General Data Protection Regulation (GDPR), which holds accountable any company or organization doing business within Europe or with European citizens, requiring protection of any personal data collected. And GDPR has teeth, threatening big fines against any organization that fails to comply with the rules and is later breached.

GDPR is, at its core, a regulation-based initiative rather than a technology-based one. In other words, it does not specify what technology must be used to protect PII, only what should be protected and how. It was never intended to drive a specific technology. Despite this, GDPR will certainly influence the development of information technology over the next decade. While it is too early to gauge the full effects of GDPR, there are several factors to consider that might help with those predictions.

What is required to comply?

GDPR is solely focused on getting businesses to take reasonable precautions against threats to PII. Some of the elements of compliance under GDPR are protocols such as capping storage limits for collected data and not collecting data that isn't required for the process taking place. This is good advice for companies to follow even without GDPR. Minimizing data stores, collecting only what is necessary, and holding it only for as long as necessary ensures that even if a breach does occur, the damage will be lessened.

Equifax was a poster child for the dangers of holding a large stockpile of sensitive data, with stolen PII on some consumers going back decades. In addition to holding too much data, there was not a single person responsible for data protection, though quite a few executives were allegedly aware of the vulnerabilities. The GDPR aims to prevent this as well, by requiring each business to name a single person to be responsible for data management. This sets up accountability within the company to maintain the integrity of any collected data.

And if there is a breach, consumers must be notified within 72 hours, and provided copies of all potentially compromised data. Here too, having minimized data stores would simplify this process, as well as calm nervous consumers wondering about their level of exposure. 

The big three.

GDPR breaks its requirements down into three major categories. The first is improved security at network endpoints. Endpoint security is often looked at as the first line of defense, but is also often the weakest link. Companies need to move beyond traditional anti-virus and into more substantial protection for these devices, which can be anything from desktops and laptops, to mobile phones, tablets or virtual machines.

The second GDPR requirement is data security. Minimizing data, only collecting what is necessary, encrypting and restricting access, and assigning internal accountability will serve organizations well. Of course, these activities will depend on accurate and up-to-date business processes or data classification programs.

Finally, there is access security. Companies need to stress least-privilege access, where there are no super-administrators, no shared administrator accounts, and business users receive only enough access permission to do their job with specific systems and tools. Many data breaches may begin with attackers compromising an endpoint, but almost all data breaches end with attackers compromising administrator accounts. As such, efforts to manage access must include restricting administrator rights to highly sensitive data.

These three categories form the foundation of what is required for compliance with GDPR. One of the best ways for organizations to achieve compliance in all three areas is by streamlining their infrastructure, reducing their data footprint, and assigning a single person or group responsibility for data security along with the power to enforce the new rules. Data and business process discovery can aid this effort by uncovering hidden and redundant repositories of personal data.

What does this mean for technology over the next decade?

Software developers will design new security products and procedures in response to GDPR. This could include the forced dumping of sensitive information after a required time has elapsed. Technologies that add transparency to the processes that gather and transfer information will also be in high demand. In this environment, GDPR will inadvertently mandate new data-centric solutions, as they will help organizations get as close to the ideal level of protection and compliance as possible. Remember that the word compliance includes more than just privacy; eDiscovery, retention, retrieval, archival, and destruction are all data-centric requirements for complying with GDPR.

The transition into GDPR compliance will not be easy for anyone, though certain groups will likely face steeper climbs. The pharmaceutical and banking industries might have the most trouble, since they collect and historically store the most information. But groups that resist shrinking their data may face another hard truth: becoming better targets compared with those that dump PII as soon as possible, and keep data collection to a minimum. It’s possible that these industries may try to double down in other areas, such as locking down their endpoints. That might work for a time, but organizations that approach GDPR more evenly along all three major categories will have a better time of it.

In the longer term, GDPR will require companies to become better stewards of their data, including reducing what they gather in the first place and how long they hold it. Technologies that help with data management, and that secure what remains following timed purges, will rapidly advance in the new era of GDPR implementation.
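The two data-centric controls this article keeps returning to, collecting only the fields a purpose needs and purging records once a retention period has elapsed, are illustrated below in an added example that is not part of the original article. The categories, retention periods, required fields and sample records are all constructed for illustration; the audit log deliberately records only identifiers and timestamps so that it does not become a second store of personal data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: maximum number of days each data category may be held.
RETENTION_DAYS = {"order": 90, "support_ticket": 365, "marketing": 30}

# Constructed policy: the only fields each purpose actually requires.
REQUIRED_FIELDS = {
    "order": {"name", "email", "shipping_address"},
    "support_ticket": {"name", "email"},
    "marketing": {"email"},
}

@dataclass
class Record:
    record_id: str
    category: str
    collected_at: datetime
    data: dict

def minimize(category: str, submitted: dict) -> dict:
    """Data minimisation at collection time: drop fields the purpose does not need."""
    keep = REQUIRED_FIELDS[category]
    return {k: v for k, v in submitted.items() if k in keep}

def is_expired(record: Record, now: datetime) -> bool:
    """True once the record has been held for its category's full retention period."""
    return now - record.collected_at >= timedelta(days=RETENTION_DAYS[record.category])

def purge_expired(records: list, now: datetime):
    """Timed purge: return (retained records, audit log of what was destroyed).
    The log names the record and when it was purged, never the personal data."""
    retained, audit = [], []
    for rec in records:
        if is_expired(rec, now):
            audit.append({"record_id": rec.record_id, "category": rec.category,
                          "purged_at": now.isoformat()})
        else:
            retained.append(rec)
    return retained, audit

# Constructed sample data: one stale order, one fresh order, one stale marketing entry.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("r1", "order", NOW - timedelta(days=120),
           minimize("order", {"name": "A. Example", "email": "a@example.test",
                              "shipping_address": "1 Test St", "birthdate": "1970-01-01"})),
    Record("r2", "order", NOW - timedelta(days=10),
           minimize("order", {"name": "B. Example", "email": "b@example.test",
                              "shipping_address": "2 Test St"})),
    Record("r3", "marketing", NOW - timedelta(days=31),
           minimize("marketing", {"email": "c@example.test", "name": "C. Example"})),
]
```

Running `purge_expired(SAMPLE, NOW)` retains only the fresh order and yields two audit entries that contain no personal fields.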

Mike Fleck is VP of Identity Protection at 4IQ. He previously served as VP of Security at Covata Limited (ASX: CVT), where he was responsible for managing and directing US operations and for brand awareness, credibility, and thought leadership related to data security and privacy. In 2010, he co-founded CipherPoint Software and has since served as its CEO. With nearly 15 years of experience in data security and encryption, Mike holds patents for transparent encryption and automated encryption key management. His experience with complex Fortune 500 and Federal Government environments includes leadership roles at Vormetric (acquired by Thales), High Tower Software (acquired by NetForensics), Predictive Systems, and Lockheed Martin.