GDPR is in effect, and hopefully most companies that needed to make the transition have done so (or are making a good-faith effort to get there). Now what?
As many security experts have said, GDPR isn’t an ending point; it’s a beginning, a stepping stone to improving the way we protect privacy and data. The “what now” is that we still have a long way to go.
Sagi Leizerov, chief of data solutions at Prifender, believes that despite the two-year build-up to the May 25 deadline, many companies are still far from true compliance with data privacy regulations. Most, he thinks, have by now drafted the necessary policies and procedures, what he calls ‘paper compliance.’ But having the basics on paper is not the same as operational compliance, the higher standard GDPR sets, and companies aren’t doing enough to reach it.
“Achieving operational compliance requires adopting new technology to make sense of the terabytes and petabytes of data that companies are processing,” Leizerov said. “But selecting and adopting new technology will take time, from conducting proof-of-concept exercises, obtaining stakeholder buy-in, getting the budget, customizing the tool, implementing the solution, and then testing it.”
Improving Your Network Ecosystem
Investing in and adopting new technology will also be a lot cheaper than paying the fines a data breach can incur. An end-to-end security solution built on hardware roots of trust offers a level of data protection assurance that similarly priced software-only solutions cannot achieve, according to Dan Turissini, CTO of SPYRUS. “Each component in your ecosystem can be managed with enterprise-driven policy that enforces data protection controls, removing the ability for users and administrators to 'work-around' data protection security controls, maliciously or in error,” he added.
Turissini advised that your ecosystem in the GDPR environment should include the following:
- Operating system bootable live drives, hardware-encrypted devices, and Trusted Flash® ensure, at the highest levels, protection of data at rest;
- Embedded Hardware Security Modules (HSMs) with smartcard and PKI support ensure, at the highest levels of protection, that only authorized users and/or devices obtain data access, and protect data in motion;
- Secure identity-based encrypted data sharing and storage applications, leveraging a hardware root of trust to ensure, at the highest levels of protection, that data sharing is only allowed between authorized personnel on authorized devices; and
- On-premises or hosted enterprise HSM management, providing auditability, accountability and control of the enterprise’s hardware roots of trust and electronically enforcing enterprise controls.
It All Comes Down to Data Storage
As organizations rushed to meet the May 25 deadline, they were forced to take a closer look at the data they stored. That’s not going to change. Understanding your data, and knowing what should be stored and for how long, is going to be the most important aspect of GDPR – and possibly of other privacy regulations elsewhere – going forward.
Alastair Johnson, the CEO and founder of Nuggets, an e-commerce payments and ID platform, recommended that the best way to think about data storage is to go minimal. “Databases with sensitive information should only be accessed by those who absolutely need to,” he said.
Of course, what should be done and what is done are two different things entirely, which is why Johnson added that organizations need to be as transparent as possible about data storage. Customers should be told what information is being stored and why it needs to be stored.
“With decentralized ledgers and zero-knowledge storage, companies don’t actually need to keep user data on their systems,” Johnson said. “From a liability standpoint, businesses can rest easy knowing that, even in the event of a data breach, there’s no customer data that can be compromised (and thus, no penalties arising under GDPR).”
Some companies may think that encryption will be their saving grace, but Ameesh Divatia, co-founder and CEO of Baffle, explained that organizations need a clearer understanding of when their data is actually decrypted and how that squares with security and privacy standards.
“We need to separate the notion that accessing data and decrypting data are synonymous,” Divatia said. “Today’s outdated technical practices almost universally decrypt data in order for employees to use it. Simply put, the data is put in the clear (unencrypted) at the point of greatest vulnerability and error: when humans touch and use it.” The alternative to that decrypt-to-use habit is tooling that lets employees query and analyze data while it stays encrypted, so that plaintext appears only where a specific task genuinely needs it.
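To make Divatia’s distinction concrete, here is an added illustration (written for this article; it is not Baffle’s product or any vendor code) of a customer store whose lookup path matches e-mail addresses on a keyed “blind index” and never decrypts anything, alongside the decrypt-every-row pattern he criticises. The cipher is a standard-library stand-in (HMAC-SHA256 as a PRF in counter mode with an encrypt-then-MAC tag) chosen only so the example runs without third-party packages; a real deployment would use AES-GCM from a vetted library. The class, function names and sample customers are all constructed for the example.

```python
# Added illustration (not Baffle's product or the article's own code): a customer
# store where the query path matches on a keyed "blind index" of the e-mail and
# never decrypts, so only one narrowly scoped function ever produces plaintext.
# The cipher is a stdlib stand-in (HMAC-SHA256 as a PRF in counter mode,
# encrypt-then-MAC) so the example runs without third-party packages; use
# AES-GCM from a vetted library in real systems. Names and rows are constructed.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC(key, nonce || counter), counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; a fresh nonce keeps equal inputs unlinkable."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare), then strip the keystream."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def blind_index(index_key: bytes, email: str) -> str:
    """Deterministic keyed token for equality lookups; keyed separately from encryption."""
    return hmac.new(index_key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


class CustomerStore:
    def __init__(self, enc_key: bytes, mac_key: bytes, index_key: bytes):
        self._enc_key, self._mac_key, self._index_key = enc_key, mac_key, index_key
        self.rows: list[dict] = []  # what actually sits in the database

    def add(self, customer_id: str, email: str) -> None:
        self.rows.append({
            "id": customer_id,
            "email_ct": encrypt_field(self._enc_key, self._mac_key, email.encode()),
            "email_idx": blind_index(self._index_key, email),
        })

    def find_ids_by_email(self, email: str) -> list[str]:
        """Access without decryption: compares index tokens and never touches enc_key."""
        idx = blind_index(self._index_key, email)
        return [r["id"] for r in self.rows if hmac.compare_digest(r["email_idx"], idx)]

    def find_ids_by_email_decrypting(self, email: str) -> list[str]:
        """The decrypt-to-use pattern: every row is put in the clear to answer one query."""
        wanted = email.strip().lower()
        return [r["id"] for r in self.rows
                if decrypt_field(self._enc_key, self._mac_key, r["email_ct"]).decode().strip().lower() == wanted]

    def reveal_email(self, customer_id: str) -> str:
        """The single, auditable path that yields plaintext, and only for one record."""
        for r in self.rows:
            if r["id"] == customer_id:
                return decrypt_field(self._enc_key, self._mac_key, r["email_ct"]).decode()
        raise KeyError(customer_id)


def build_demo_store() -> CustomerStore:
    """Constructed sample data with fresh random keys (hypothetical customers)."""
    store = CustomerStore(secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(32))
    store.add("c-1", "alice@example.com")
    store.add("c-2", "bob@example.com")
    store.add("c-3", "Alice@Example.com")  # same address, different casing
    return store


def stored_plaintext_leaks(store: CustomerStore) -> bool:
    """Sanity check: no stored row should contain an e-mail address in the clear."""
    return any(b"@example.com" in r["email_ct"] for r in store.rows)


if __name__ == "__main__":
    s = build_demo_store()
    print(s.find_ids_by_email("ALICE@example.com"))  # ['c-1', 'c-3'] without decrypting
    print(s.reveal_email("c-2"))                       # bob@example.com
```

The practical difference is where the keys live: `find_ids_by_email` needs only the index key, so the service answering routine queries can run without the decryption key at all, and `reveal_email` becomes the one code path worth logging and access-controlling. The caveat a practitioner should weigh is that a deterministic index necessarily reveals which rows share an address (and how often), which is why it is keyed separately and why fields that do not need equality lookups should get no index at all.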
It's Not Just About You
Go ahead, give yourself a pat on the back if you met the deadline and you think you have your GDPR compliance plan and processes in good order. You deserve it because this was not an easy process.
But data privacy isn’t just about what you’re doing internally. How have your vendors, consultants, and other third parties with access to your network done in their own GDPR quest?
“Most organizations have been so focused on their own GDPR preparedness, that they may have overlooked how their vendor's compliance is affecting their program,” said Jen Brown, compliance and data protection officer at Sumo Logic. “Under GDPR, your organization will be held more accountable than ever for the data flowing across your systems, so it’s crucial you can pinpoint the various partners and vendors that have access to it as well.”
Brown recommended that companies put a Data Processing Addendum (DPA) in place with each third party that handles personal data on their behalf. The document doesn’t have to be complicated, but it is a signed contract affirming that the third party is actively meeting its GDPR obligations; GDPR’s Article 28 in fact requires such a contract between a controller and any processor acting for it. It is designed to show consumers that data privacy is maintained by everyone who may have access to their information.
“The biggest takeaway of GDPR is that collectively, it is all of our responsibility to be more diligent than ever about holding companies — and ourselves — accountable for how customer data is being used,” said Brown. “In today’s digital world, we can’t afford not to do this.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba