The four-year anniversary of the enforcement of GDPR in the UK was on May 25. Compliance with the EU-wide data privacy regulation remains an ongoing challenge for organisations, as do rising cybersecurity expectations and growing threats to personal data. The anniversary provides an opportunity to reflect on what has been successful since GDPR was first implemented, what still needs improvement, and how the UK Government’s new legislation could change GDPR practices.
From the moment GDPR was first introduced, it hasn’t always been straightforward for businesses. Ricardo Ferreira, CISO EMEA, Fortinet, says: “Organisations have found themselves in muddy waters trying to navigate their way through new policies like the Trans-Atlantic Data Privacy Framework (a replacement for the EU-US Privacy Shield), Data Governance Act and Digital Operational Resilience Act (DORA), so as not to get stung by fines for non-compliance.”
Ferreira argues that “without a holistic view and overarching strategy that takes into account all parties’ needs and concerns, we find ourselves facing a fragmentation in data policies. As such, organisations must take control and ensure they are taking the right steps to best protect their customers’ data.”
He believes that the first step in protecting data should always be “ensuring that any Personally Identifiable Information (PII) data an organisation touches is secured from the moment it enters the business’ network to the moment it leaves. This includes applying security measures and policies that can seamlessly identify, follow, and secure data as it moves between network domains and devices, as well as across the extended network.”
Paulo Henriques, Head of Cyber Security Operations, Exponential-e, shares Ferreira’s view on the importance of protecting PII: if data is exposed, he believes “a GDPR breach would be highly likely.”
Henriques says that “data about each and every one of us is now being collected at a phenomenal rate, largely thanks to the rise of smart cities and buildings, powered by IoT devices that make up their infrastructure. The vast realms of data they generate are crucial to making smart cities a reality – and ultimately benefit society – but security measures must keep pace if our data is to remain secure.”
Henriques believes the risk continues to grow as thousands of devices are added to networks without the appropriate controls. He says that “comprehensive data privacy and security strategies are a must for any smart city development in that context, and that’s where cyber security experts have an integral role to play. They should take the lead on engineering and embedding security management systems that mandate that all data collected from ‘zero trust edge devices’ is moved onto secure IT platforms as soon as it’s generated.”
Data has been a priority for many businesses, with the risk of substantial fines looming over them. Hiten Mistry, CRO, Venari Security, says end-to-end encryption has increased worldwide as a result of GDPR. “Many companies now support TLS 1.3, a robust encryption standard that helps to provide complete end-to-end encryption. This level of encryption is essential for any company that handles sensitive data.”
However, Mistry argues that while encryption has helped ensure privacy and regulatory compliance, it has also introduced a new problem for enterprises. “Those attackers that can breach an organisation’s perimeter are increasingly hiding malicious activity within legitimate encrypted network traffic. This presents a significant and challenging blind spot for security teams.”
Mistry believes that the only way organisations can hope to keep up is if they can “monitor for anomalous and potentially malicious activity in their traffic without relying on decryption.” To achieve this, Mistry says that “security teams must shift their approach towards using encrypted traffic analysis to identify suspicious connections. Only then can they be confident that they know what is happening within their encrypted traffic flows.”
Security teams have an important role to play when it comes to managing data for GDPR compliance, but the onus shouldn’t just be on them. Adam Mayer, Director, Qlik, believes that “businesses need a clear strategy on how they can democratise employees’ access to real-time data, while ensuring that the insights can be trusted and that access is appropriate to their role.” A recent study from Qlik found that nearly all global business leaders (90 per cent) say that data enabled them to better navigate the uncertain business environments created by the pandemic. This sentiment is also important in the context of GDPR and protecting data.
A Data Reform Bill named in the Queen’s Speech outlined the Government’s plans to reform GDPR in the UK. On the face of what has been announced so far, the Bill aims to shift the focus of data protection legislation to privacy “outcomes” rather than what the Government calls “box-ticking”.
While the policy is still to be ironed out, it could help businesses in the long term. Adam Mayer, Director, Qlik, says that while any immediate reduction in paperwork would undoubtedly be welcomed by businesses, the Government faces a tough balancing act. “People now have higher expectations regarding the protection of their personal data, so it is important that any changes to reduce compliance processes are not seen to be a weakening of data protection.”
Mayer explains that the more the new Bill diverges from the GDPR, the more barriers to trade may emerge with the EU, the UK’s largest trading partner. “This divergence may make cross-border personal data transfers with the EU more challenging, adding to the paperwork requirements for those transfers. The devil will be in the details of any final Act, but while the Government’s aims are laudable in trying to focus on outcomes, this may be perhaps best addressed through enforcement policy by the ICO, rather than any watering down of the current Data Protection Act rules.”