After a year’s countdown, GDPR month is here, and as I write this, the official roll out date, May 25, is only weeks away. We’re at the point where businesses better be ready or taking good-faith measures to be ready or making plans for how they’ll respond to a data privacy incident.
It’s surprising how many companies aren’t ready. A survey by SAS released at the end of April found that only 30 percent of American companies expect to be in full compliance by the deadline.
Why so few? The SAS survey revealed a number of challenges organizations are facing in their efforts to implement GDPR standards, including the 75 percent who are concerned about how GDPR will affect IT operations and the 63 percent who say being in compliance will significantly affect how business is conducted. We know that organizations who do business with the EU now have to re-evaluate the data they collect and store, as well as how they store and share the information. They must also be prepared to report on privacy violations in tighter timeframes than they have in the past. It’s easy to see how the challenges and obstacles build up.
Re-architecting the Network
To become GDPR compliant, some businesses found that a re-architecture of the wide-area network was in store. And, said Mr. Kelly Ahuja, president and CEO of Versa Networks, when connecting to SaaS or public clouds, they must also implement a highly secure infrastructure.
“IT managers considering new technologies like SD-WAN need to evaluate the GDPR compliance impact,” Ahuja said. Specifically, since one benefit of SD-WAN is enhanced visibility and control over applications and policy, your business must know what kind of data the SD-WAN vendor is capturing, as well as knowing where and by whom this data will be stored – by the vendor or in the enterprise? Is it being stored locally or across country boundaries? Can that vendor comply with GDPR to aggregate the data appropriately without loss of functionality and security?
“Not only must IT evaluate how their existing applications and services meet GDPR compliance,” he added, “but as they move to software-defined solutions for their network and security infrastructure – they must contemplate the impact and security of new technologies like SD-WAN.”
Protecting data in transit, one of the challenges of GDPR, is possible, Ahuja pointed out, and with the right architecture, you are able to build on strong encryption by protecting the actual content traversing or being accessed through the WAN. “The right tools can allow businesses to protect the edge against potential attacks which may compromise the data at the edge.”
What Is Compliance Legally?
We talk about compliance all the time, but if a situation ends up as a legal issue, will the courts see compliance the same way IT does? That’s the challenge posed by Matt Walmsley, head of EMEA Marketing at Vectra, who said, “A harsh and little discussed challenge is that until GDPR compliance cases are heard in a court of law that nobody truly knows what compliance really looks like.”
While businesses are making good-faith best efforts to set up data privacy standards, Walmsley added, it’s impossible to yet know the likelihood of the risk of prosecution they could potentially face.
“Factors such as the resource and political will of the local GDPR controlling authority will play a large part in how GDPR is applied in a particular incident,” he said. “Case law examples will go a long way to fixing that, at which point even laggard board of directors will really be taking notice and action.”
Unintended Consequence of Encryption
Encryption is going to be the backbone of GDPR, for data in transit and data at rest, but Walmsley warned the support for encryption of data can have the unintended consequence of providing a hiding place for bad actors to hide.
“Many traditional security tools rely on deep packet inspection, a technique that is blinded by the use of encryption. As such, steps taken to make personal identifiable information harder to read may also make it even harder for organizations to spot attacks playing out inside their systems.”
Using automated threat detection tools, especially powered by AI, will assist in mitigating this particular challenge by focusing instead on identifying threats by the way in which they behave rather than the content or code they use. “In that way, even attacks hiding within encryption can be spotted and remediated, hopefully before they become GDPR reportable breaches,” Walmsley stated.
David Ginsburg, vice president of Marketing at Cavirin, compares the conversation and preparation surrounding GDPR to an experience from nearly 20 years ago – the preparations (and trepidation) for Y2K. As the deadline looms closer, there is a tendency to worry about not meeting deadlines, and in the rush to do so, you’ll take steps that will cost you more money or will end up failing. That’s why Ginsburg reminds you to stop panicking and focus on doing it right the first time, even if you are behind schedule. Take the time to make a thorough assessment and fix any security gaps. It’s also a good time to re-evaluate your cloud environment and rein in any rogue cloud services.
GDPR is putting data protection practices at the forefront of business agendas, and let’s be honest, meeting GDPR compliance is cumbersome and costly. The challenges are part of the transition. Over the summer, we’ll have a clearer picture of how well organizations are meeting those challenges and how they’ll have to shift to meet regulations once we see how GDPR actually works.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba