On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect. The law requires any organisation that stores or processes personal information about EU citizens, within EU states, to comply with GDPR, even if they do not have a business presence within the EU.
Organisations that do not follow GDPR regulation can be fined up to 4 per cent of their annual global turnover or €20 million (whichever is greater). GDPR aimed to harmonise data privacy laws, protect the privacy rights of EU citizens, reshape the way organisations approach data and at the same time allow businesses to strengthen their cybersecurity posture.
A full year later, businesses and organisations across Europe have seen the number of breach notifications surge significantly. According to the DLA Piper GDPR Data Breach Survey: February 2019, over 59,000 personal data breaches were reported to regulators in the first eight months since GDPR went into effect. This doesn’t necessarily mean that more breaches occurred than in the past, but simply reflects the fact that organisations are now mandated to report the breaches that likely ‘result in a risk for the rights and freedoms of individuals’.
This is often a good thing as it means that EU organisations are more transparent with regard to the cyber threats that they face, at the same time giving consumers full disclosure if their private information has been breached. It also gives regulators the opportunity to investigate and better understand the causes of breaches, ultimately allowing them to work on more effective solutions.
The only real drawback to the full disclosure mandate that comes with GDPR regulation is the steady stream of stories that is now being fed to the media, leading to a lot of negative press for many companies. A key example of this is when Travelodge, the hotel chain, found itself at the centre of a media storm after a third-party company that manages its customer surveys suffered a data breach. Despite not being responsible for the breach, Travelodge made the headlines simply because a big name makes for a better story.
However, whilst the breach notification provisions of GDPR have harmonised this policy across the EU, the fining authority has not yet had much of an impact. The vast majority of companies are still not being fined for failing to protect their customers' data; according to DLA Piper, only 91 fines were reported to have been imposed in the first eight months. Moreover, not all of these fines related to personal data breaches, and most were still too small to register with the companies being penalised.
The real test case for future GDPR fines will be the well-publicised data breach at British Airways, which exposed more than 550,000 passenger and payment card records. As the airline’s response was well orchestrated, it will be interesting to see the size of fine that will be levied. Many organisations will likely take the outcome of this case into consideration to model their own strategy.
Adapting to GDPR
Still, many organisations are continuing to struggle with GDPR, while regulators continue to adjust their guidance based on new learnings. By implementing the core pillars of GDPR, organisations can ensure they meet the mandate's requirements while strengthening their cyber security posture.
The pillars are the following:
- Privacy protection is the heart and soul of GDPR. Therefore, organisations need to first explore what data is being collected and consider why and how it is being processed. It is then important to work with a legal team to establish a privacy policy that covers all aspects of GDPR.
- Organisations also need to designate a data protection officer. If this role doesn’t exist already, then one must be created. At the same time, it is important to train all staff on the details of GDPR and how it applies to their job functions. In this context, it is helpful to establish internal policies on data security, data integrity, and data retention. These documents are commonly requested should the Information Commissioner’s Office ever investigate a complaint relating to GDPR.
- Security professionals should also have a full understanding of where exactly to invest their cyber budget. Since 80% of all hacking-related data breaches involve privileged account compromise, Gartner predicted that Privileged Access Management (PAM) would be the second fastest-growing information security technology segment and among the top 10 security projects for 2019.
  Investing in Zero Trust Privilege can yield significant benefits because identity has become the new security perimeter and the battleground for mitigating cyber-attacks that impersonate legitimate users. In fact, PAM plays a critical role in helping organisations become and remain compliant with GDPR, since it enforces access policies for critical data and gives super admins complete visibility over each individual privileged user and their sessions, including what they do, when and how.
- Finally, as previously discussed, breach notifications are mandatory and must be made within 72 hours of first becoming aware of the breach. Organisations are also required to notify their customers straight away. Therefore, it is important that organisations establish a smooth-running incident response operation in order to meet these requirements.
As GDPR has been in force for a full year now, it is likely that we will see this policy tested on a broad scale before 2019. For organisations, GDPR represents an opportunity to fine-tune their existing data privacy processes and procedures, as well as to align their security strategies with today's threatscape. One of the leading ways to accomplish the latter is to implement identity-centric security measures that counter the primary source of breaches: privileged access abuse.