In these waning days of a world without GDPR regulations in effect, I think there is only one thing we are absolutely sure of: Data will never be 100 percent secure.
Case in point is ICANN, the entity that manages the global domain name system. The ICANN organization proposed removing information provided in WHOIS, the system for querying databases. To help domain registrants comply with the GDPR, ICANN would remove registrants’ names, phone numbers and emails. However, ICANN would allow self-certified third parties to request access to the data at the approval of a higher authority.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
Privacy experts have opposed the proposal, worrying that malicious actors will pose as anti-abuse professionals to gain access to user data. As privacy expert Angela Gunn told ZDNet:
Privacy and security belong together, but concealing WHOIS information offers a low return for privacy effort. Meanwhile, security researchers, investigators, other site admins, even ordinary citizens will pay dearly for the concealment.
ICANN’s approach is a high-profile example of the challenges all organizations will face in attempts to be GDPR compliant. It may be that as we think our data is going to have all of these levels of protection, our PII could be just as vulnerable under GDPR. I asked Mike Byrnes, senior manager of Identity and Access Management at Entrust Datacard, about PII’s vulnerability risks under GDPR. This is what he told me:
While GDPR does well to advance data privacy and security, it does not provide prescriptive details on how to become compliant, how to protect data and how to secure access to PII. PSD2 takes a far more comprehensive approach to outlining specific security requirements based on defined scenarios. In becoming GDPR compliant, security teams have the option of self-assessing the level of their data protection.
In the past, most organizations would focus on protecting and encrypting data on portable devices. Now, more companies will start to focus on data encryption across the entire organization – but it’s not guaranteed.
Another concern with GDPR is that while organizations have to continue to protect data in the future, they also need to find existing data that wasn’t considered PII before the regulation and make sure it is protected, as PII and GDPR’s definition of personal data are not completely aligned.
What this says to me is there are going to be a lot of mistakes made with GDPR, and those mistakes may add risk to our PII. There’s going to be a learning curve, to be sure. I can’t wait to revisit where GDPR stands this time next year.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba