Security Experts:

Connect with us

Hi, what are you looking for?



Rethinking Toxic Data in Light of GDPR

Toxic data is sensitive information that you would rather not retain, but must for the sake of business operations.

Toxic data is sensitive information that you would rather not retain, but must for the sake of business operations.

Like chemicals used in manufacturing, toxic data is a necessary ingredient for a desired outcome. Yet it must be handled in a way that eliminates unintended exposure.

Some define toxic data as information that has already been lost and caused damage to the organization that was responsible for it. Examples include the loss of credit card information by a retail organization, illegal downloads of a motion picture, or theft of proprietary designs from a manufacturer. Others have warned that “calling data a ‘toxic asset’ sensationalizes the data security conversation into alarmist territory.”

The purpose of defining data as toxic is to call attention to the need to enhance the data protection around it. So the idea that the data isn’t toxic until it is lost is an inadequate way of categorizing it. While the word “toxic” has an alarmist bend to it, the evolving regulatory landscape provides a new reason to be alarmed.

The European Union General Data Protection Regulation (GDPR)

GDPR  Compliance

GDPR is a regulation intended to strengthen and unify data protection for individuals within the European Union (EU). It addresses export of personal data outside the EU in an effort to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulations within the EU. It was adopted on April 27, 2016 and enters into application May 25, 2018 following a two-year transition period.

At this point, you might be tempted to click away thinking that GDPR is irrelevant to a North American (or UK – thanks, Brexit) audience. But this regulation, similar to many US regulations, has far broader impact than the constituents of the enacting jurisdiction.

If your organization has offices or employees in the EU, sells to EU citizens, partners with EU-based organizations, or simply stores personal information of EU citizens, then you must comply with GDPR or you could face fines up to €20,000,000 or 4 percent of annual revenue (whichever is higher) and/or lawsuits from EU citizens.

GDPR increases the toxicity of personal data

According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

Because of the severe penalties that EU regulators are armed with, the storage, protection and user self-service control of personal data needs to undergo a culture change to “data protection by design” rather than a focus on minimal compliance standards.

GDPR requirements specific to the handling of personal data include:

The “right to erasure” or the right to edit personal data stored about oneself.

• Persons must be informed why data is being collected, for how long it will be retained, and how personal data will be protected.

• In some cases, organizations will have to appoint a Data Protection Officer to monitor internal compliance.

• The right of data portability that requires the “data controller” to provide the data to another controller in a structured and commonly used electronic format at the request of a person.

These requirements place a significant amount of power in the hands of users and a significant burden on organizations or data controllers to implement data protection by design.

Dealing with the toxicity

The activities that will be most impacted by GDPR include online retail and marketing. These activities are often underpinned by a Consumer Identity and Access Management (CIAM) system that provides improved customer opt-in for marketing contact, convenient authentication methods, and marketing insights. 

Analyst firm Kuppinger Cole recommends that companies that are currently deriving benefit from CIAM must:

1. Perform a privacy data assessment

2. Create new privacy policies as needed

3. Plan to clean and minimize user data already resident in systems

4. Implement the consent gathering mechanisms within their CIAM solutions

Reducing the amount of personal data (point #3) subject to GDPR is a critical step towards minimizing the amount of risk that GDPR will expose. While the retail and marketing industries are most clearly impacted by GDPR, all online businesses with any customers residing in EU countries should take this critical step toward reducing the amount of personal data that is retained.

All businesses need to evaluate what exposure they have to GDPR and plan for the implementation of controls that will satisfy the requirements as necessary.

Operating a business in the 21st century means that most organizations will not be able to eliminate toxic data entirely. You have less than 14 months from the writing of this article to prepare for the increase in toxicity that GDPR represents.

Related: GDPR Affects Multinational Companies

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...