Data Protection Laws and Cybersecurity: Mitigating the GDPR Challenge


Data privacy has been, and will continue to be, a topic of hot debate, especially when industry standards and written law require compliance across the board. On May 28, 2018 the GDPR (General Data Protection Regulation), which replaces the EU Data Protection Directive, will go into effect. Banks and other public and private organizations in Europe are preparing for the changes that come with this updated regulation.

For example, in anticipation of the new regulation, European financial organizations are preparing to lend €4.7 billion to organizations as part of a breach response readiness initiative. But preparing to comply with the GDPR isn’t a task undertaken only by European companies; it applies to any company conducting business in the EU or whose activities affect EU citizens. So what will the GDPR mean for US-based companies? And what will it focus on?

What does the GDPR focus on?

The GDPR changes how legal responsibility is allocated when it comes to data use. Both controllers (the party responsible for ensuring the protection of the data) and processors (the party that processes the data on behalf of the controller) may be jointly liable for data breaches and other types of unauthorized use of personal data.

Unlike the previous EU Data Protection Directive, the GDPR also focuses on personally identifiable information, or PII. PII is any kind of information that a business collects, through any means, that can be tied to an individual. This includes credit card numbers, Social Security numbers (or their equivalents), birth dates, and various other types of data. When an organization collects data, it must decide how that PII will be stored, which may involve assistance from a third party. This further complicates the steps needed to meet all the GDPR requirements.

How will the new GDPR affect US-based companies?

If this private information is leaked or breached in any way, organizations must be prepared to face the consequences, and US companies are no exception. In fact, they may face even greater fines if they choose not to play by the rules. Noncompliance fines can range between 2-5% of global turnover.

Once an organization understands where data such as PII resides within it, it becomes clearer where risks could arise. Because the GDPR stipulates that organizations must take “reasonable” steps to safeguard private information, US companies that handle data from European customers must not only keep track of US data regulations but also ensure that they are fully compliant with the GDPR.

What are organizations doing to protect PII?

Security management will clearly play a vital role once the GDPR comes into effect, and encryption in particular will play a major role. Properly implemented encryption ensures that even if data is exfiltrated, an attacker without the key has no way of decrypting it or making use of it. Besides safeguarding their own internal systems and data, CIOs and CISOs must also ensure that any of the organization’s cloud service providers are adhering to the GDPR.

With cloud services becoming increasingly popular, organizations using any Infrastructure as a Service (IaaS), Software as a Service (SaaS), or Security as a Service (SECaaS) offering must ensure that data protection follows the guidelines provided by the GDPR. In the SECaaS model, this includes data loss prevention (DLP), network security, vulnerability scanning, and web security, which widens the scope of where data might be processed or stored. The GDPR explicitly mandates that an organization’s network or information system must be able to resist malicious actions that compromise “the integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems.”

For this reason we should expect organizations to start taking cyber security a lot more seriously and to begin implementing defenses such as DDoS protection for their networks, if they haven’t already. Organizations are also more likely to invest in high-quality security that is reliable and trustworthy, since the last thing they want is to pay huge fines for causing data breaches. A cloud WAF, for example, monitors, filters, and blocks traffic to and from a web application, including data exchanges involving PII. Because WAFs are also responsible for protecting against data leakage, organizations should only invest in advanced WAFs that filter traffic with high precision.

Currently, Gartner predicts that by the end of 2018, more than 50% of companies affected by the GDPR will not yet be in full compliance with its requirements. This means a large majority of businesses do not fully understand the impact the GDPR will have on them. The GDPR is not simply about allocating budgets to accommodate privacy and data compliance regulations. It means organizations must remain informed about the current cyber security threat landscape. With the GDPR affecting more than just Europe, organizations around the world doing business in Europe need to stay informed about the best security and business practices to ensure the protection of an organization’s most sensitive asset: data.