The EU's General Data Protection Regulation officially goes into effect in less than a year, but enterprises will need to know more than the impending
The EU’s General Data Protection Regulation officially goes into effect in less than a year, but enterprises will need to know more than the impending deadline and potential monetary penalties to navigate the complexities of GDPR compliance.
The EU GDPR will be enforced starting on May 25, 2018, and noncompliance for protecting personal information of EU residents could result in financial penalties as high as 4% of a company’s annual revenue or 20 million euros — whichever is greater. According to some experts, the most important thing to remember about becoming EU GDPR-compliant is the data being protected under the new regulation represents personal information about actual human beings.
“All too often, people view personal data as just another piece of information that they are working with — a commodity,” said Elizabeth Maxwell, mainframe technical director at Compuware Corp., a mainframe software company headquartered in Detroit. “However, this data represents a real person and should therefore be respected. They need to look at data and develop some empathy for the person to whom it belongs. How would they feel if their data was misused, leading to distress, fraud or reputational damage?”
Patrick McGrath, director of solutions marketing at Commvault, a data protection company headquartered in Tinton Falls, N.J., agreed, saying companies need to protect personal data regardless of whether it’s in their data center or a third-party cloud service.
“Even if breached data was not stored on premises under your direct control, it is still your responsibility to determine whether or not personal information could have been compromised, and if so, to enact notification procedures,” McGrath said. “They are your customers, prospects, donors and employees.”
Jason Rose, senior vice president of marketing at Gigya Inc., a customer identity and access management company headquartered in Mountain View, Calif., suggested EU GDPR may foster relationships both inside and outside the organization.
“GDPR compliance isn’t possible when teams are working in silos. Security professionals need to link arms with marketing, IT and legal because GDPR’s requirement for ‘privacy by design’ demands new approaches to customer relationships,” Rose said. “This includes giving customers complete control over their data, along with clear and concise terms of service that explain how customer data will be used.”
Is GDPR compliance an opportunity or threat?
Complying with a new set of data privacy regulations — especially when a company already faces existing privacy regulations, such as HIPAA, Sarbanes-Oxley or the Payment Card Industry Data Security Standard — may seem like a huge burden, but Lacy Gruen, director at RES Software, a digital workspace company headquartered in Radnor, Pa., said it should be considered an opportunity.
“Complying with the regulation is in fact a high-ROI opportunity,” Gruen said. “Once businesses get their data protection strategy in order, they’ll see that GDPR compliance is a piece of investment that can change the way their organization stores and handles user data for the better. When an organization knows precisely where their data is located, why it’s there and who has access to it, that will not only improve analytics-driven decision-making, but will also strengthen defense against data breaches and other cyber-risks.”
Noting that companies facing GDPR compliance are allocating big budgets for security, Gruen said it’s “a great time to streamline processes and policies for improved efficiency, so IT resources can be redirected to more strategic functions and projects. Regulations change and new legislation continues to pop up, but if an organization takes the right data protection measures now and gets the right tools in place, the benefits will extend well beyond just compliance with GDPR.”
Not all experts were as optimistic about the effects of the EU GDPR, though.
Richard Stiennon, chief strategy officer at Blancco Technology Group, a data security company headquartered in Alpharetta, Ga., worried about the possibility that GDPR compliance could prove to be an obstacle for entering or remaining in European markets for some companies.
“Will the compliance requirements be so onerous that companies, especially technology vendors, ban EU data subjects from their services?” Stiennon said. “Imagine the latest and greatest new thing, like a Skype or Angry Birds app, being developed by a couple of engineers in their garage. They may grow to millions of users in a short time frame while not being in a position to employ a data protection officer, let alone fulfill all the other requirements. So, they may block downloads or activations in the EU, thus restricting access to the latest and greatest thing. Even well-established tech companies could decide that doing business in the EU is not worth the hassle and expense.”
Encryption may hold the key to GDPR compliance
According to several experts, encryption will be an overlooked but key part of preparing for and complying with GDPR.
“Encryption can be your ‘get out of jail free’ card,” said Nigel Hawthorn, EMEA marketing director at Skyhigh Networks, a cloud security company headquartered in Campbell, Calif., both because “it is a clear investment in a technology to aim to reduce the data loss risk (and any fines are based on the investment in risk reduction),” but also because it eases the requirement to inform data subjects — people — whose data has been compromised if that data has been encrypted.
Because GDPR requires that companies incorporate data protection by design and by default, Hawthorn said “internal software engineering teams need to ensure new applications and systems are designed with data protection in mind from the outset. Even though development teams are always looking to deliver fast, data protection cannot be ignored.”
Ameesh Divatia, CEO of Baffle Inc., a cloud-centric encryption company based in Santa Clara, Calif., said the first step for enterprises is to find ways to encrypt data that is “in use” at the application layer; the second step is to “minimize or eliminate access to sensitive data and encryption keys by DBAs [database administrators] and network and storage administrators by allowing all database queries to be executed on encrypted data without increased complexity or significant impacts to performance.”
GDPR compliance: It’s about the data
McGrath advised organizations to avoid exposing themselves to GDPR penalties by taking care to avoid keeping more personal data than is necessary for their business and legal needs.
“As a best practice, we encourage organizations to use archiving policies that identify instances of personal data, delete, encrypt and/or move data to more secure locations that are fully tracked,” McGrath said. “While education is helpful, automation is key. With the rapid adoption of cloud and SaaS [software-as-a-service] application partners, data is becoming further distributed and it demands proper data protection coverage.”
Brian Veccitechnical evangelist at Varonis
Data traceability will also be critical for EU GDPR compliance.
“Security professionals should enforce in their organization true data traceability across data workflows,” said Florian Douetteau, CEO of Dataiku, a data science software company headquartered in New York. “When manipulating derived customer data, each column should contain some sensitivity tagging, and each company should evaluate the risk associated to a piece of data whether it is raw, anonymized or aggregated. In order to achieve this, each pipeline transforming the data must transfer and maintain the metadata associated to those risks.”
Brian Vecci, technical evangelist at insider threat protection vendor Varonis, based in New York, suggested companies should look beyond the bare minimum requirements for protecting data under EU GDPR and consider the bigger picture.
“With GDPR, businesses will be focusing on securing a specific set of data — EU personal information. While this is a great start, the danger is that they are focusing on this small set of data when they have problems across their environment,” Vecci said. “We saw with the recent WannaCry outbreak that it’s not just sensitive files that can do a large amount of damage if attacked or exposed, it’s all files. GDPR legislates a lot of common sense data security, but personal data creeps into all sorts of files, and even non-GDPR forms of data need just as much protection.”
Drew Nielsen, chief trust officer at cloud data protection provider Druva, based in Sunnyvale, Calif., agreed about the need to track down all the data.
“The most overlooked aspect of GDPR that no one is focusing on is to understand an organization’s data attack surface,” Nielsen said. “Since GDPR is all about the data, if an organization does not have a solid handle on all the places that structured and unstructured information is stored — which includes endpoints, servers, SaaS-based cloud applications and databases — there is almost zero chance of complying with GDPR.”