GDPR’s Policy Enforcement Will Likely be Tested on a Broad Scale in 2019
Almost a year ago, the European Union’s General Data Protection Regulation (GDPR) went into effect. The law requires any organization that stores or processes personal information about EU citizens within EU states to comply with GDPR, even if they do not have a business presence within the EU. Organizations that are found to be non-compliant can be fined up to four percent of their annual global turnover or €20 Million (whichever is greater). Many industry experts had high hopes that GDPR would have a positive impact on protecting the privacy rights of EU citizens, while helping businesses strengthen their cyber security posture as an added benefit. Let’s consider whether these expectations have been met.
Due to the sheer volume of data breaches and cyber-attacks that have exposed billions of personal data records over the past several years, legislators in the EU saw the need to enact further privacy protections for its citizens. GDPR aims to harmonize data privacy laws across the region, protect EU citizens’ data, as well as reshape the way organizations approach data privacy. Inherently, GDPR provides consumers with a right to consent to the storage of their data and be able to review their own personal data in terms of how it is being processed. In addition, organizations are required to notify the appropriate national bodies and impacted consumers as soon as possible about a personal data breach to ensure EU citizens can take appropriate measures to prevent their data from being abused.
The data that falls under GDPR protection ranges from basic information (e.g., name, address, ID numbers), Web data (e.g., geolocation, IP address, cookie data, RFID tags), health and genetic data, biometric data, racial or ethnic data, and political opinions to sexual orientation.
Even though GDPR has only been in effect for nine months, regulators across Europe have seen the number of breach notifications ― which are now mandatory for those breaches that likely “result in a risk for the rights and freedoms of individuals” ― surge significantly. According to the DLA Piper GDPR Data Breach Survey: February 2019, over 59,000 personal data breaches were reported to regulators in the first eight months since GDPR went into effect. This doesn’t necessarily mean that more breaches occurred than in the past, but simply reflects the fact that organizations are now mandated to report these breaches, contributing to better transparency.
Since many data protection authorities have a big backlog of data breach reports, it is not yet clear how organizations are being affected by potential GDPR fines. According to DLA Piper, only 91 fines have been reported as imposed in the first eight months. However, not all of these fines were related to personal data breaches. The real test case for future GDPR fines will be the well-publicized data breach at British Airways, which exposed more than 550,000 passenger and payment card records. As the airline’s response was well orchestrated, it will be interesting to see the size of the fine that is levied. Many organizations will likely take the outcome of this case into consideration when modeling their own strategy.
The Main Pillars of GDPR Compliance
Many organizations are continuing to struggle with GDPR, while regulators continue to adjust their guidance based on new lessons. By implementing the core pillars of GDPR, organizations can ensure they meet the mandate’s requirements while strengthening their cyber security posture. GDPR spans four key elements:
1. Privacy Information – Obviously, privacy protection is the heart and soul of GDPR. Therefore, organizations need to take the following steps:
a. Explore what data is being collected, why, and how it is being processed;
c. Establish mechanisms for customers to opt-in, opt-out, and request to review their data via online forms/tools.
2. Organizational Structure – Under the GDPR mandate, organizations need to designate a data protection officer. In addition to creating this role (if it doesn’t already exist) it is important to train all staff on the details of GDPR and how it applies to their job functions. In this context, it is helpful to establish internal policies on data security, data integrity, and data retention. These documents are commonly requested should the GDPR information commissioner’s office ever investigate a complaint.
3. Preventive Measures – Many security professionals were hopeful that GDPR would provide budget increases that would allow them to make new investments designed to minimize the risk of a data breach. For example, Gartner raised its forecast of expected spending on IT security and risk management in 2019 to $137 billion. Since 80 percent of all hacking-related data breaches involve privileged account compromise, Gartner predicts that Privileged Access Management (PAM) will be the second-fastest growing information security technology segment and among the Top 10 security projects for 2019.
Because identity has become the new security perimeter and battleground for mitigating cyber-attacks that impersonate legitimate users, investing in Zero Trust Privilege can yield significant benefits. In fact, PAM plays a critical role in helping organizations become and remain compliant with GDPR since it enforces access policies to critical data and provides super admins with complete visibility over each individual privileged user and their sessions, including what they do, when, and how.
4. Incident Response – Under GDPR, breach notifications are now mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first becoming aware of the breach. Organizations are also required to notify their customers “without undue delay” after first becoming aware of a data breach. Organizations must establish proper incident response mechanisms to meet these requirements.
2019 is likely to be the first year that GDPR’s policy enforcement will be tested on a broad scale. For organizations, GDPR represents an opportunity to fine-tune their existing data privacy processes and procedures, as well as align their security strategies with today’s threatscape. One of the leading ways to accomplish the latter involves implementing identity-centric security measures to counter the primary source of breaches ― privileged access abuse.