GDPR Anniversary, Expert Insight On What Leads To GDPR Fines

By ISBuzz Team
Writer, Information Security Buzz | May 25, 2022 09:22 am PST

Please see the comments below from industry leaders on the anniversary of GDPR. The comments focus on how poor identity and access management can lead to GDPR fines, and why organizations need to invest in Identity Data Fabrics.

Steve Bradford, Senior Vice President
May 25, 2022 5:22 pm

It may have been four years since GDPR was introduced, but compliance is a process that must be adapted continuously.

To keep on top of this, companies must try to understand the regulatory requirements as much as possible and keep track of how it affects their own industry. Businesses should then conduct assessments to identify their own privacy risks, prioritise them and create an action plan to mitigate the most important risks. It’s also important for companies to review the security policies and procedures already in place, to stay compliant with regulations applicable to their business.

To ensure sustainable compliance, companies should also streamline and automate compliance processes and policies as much as possible. Technology like identity security can achieve this by regulating user access and keeping track of who is using various apps and data, and when. Doing this can save costs as well as valuable staff time, while reducing the risk of devastating data breaches due to manual errors.

Last edited 1 year ago by Steve Bradford
Patrick McBride
May 25, 2022 5:20 pm

GDPR set the standard for privacy, but this concept is relatively incomplete as it’s deeply intertwined and reliant on strong, resilient cyber security practices to keep data secure and well, private.

However, you can’t have privacy without security, and you can’t have strong security when passwords and traditional MFA are involved.

Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures. The ICO does note that any password setup that you implement must be appropriate to the particular circumstances of this processing and businesses should consider whether there are any better alternatives to using passwords.

A fundamental failing of common security tropes is that you can make passwords safe, and the longer and more complex they are the better. WRONG. To better protect privacy, governments must ensure businesses eliminate passwords.

Up there with the security failings of passwords is also the ease with which attackers can now bypass traditional MFA using off-the-shelf phishing and Man in the Middle exploits. Legacy MFA is redundant and will continue to prove unreliable. Legislation should be continually updated, and outdated password and MFA practices should be addressed. Government bodies must ensure that businesses are using phishing resistant, passwordless MFA to protect sensitive and critical data.

Last edited 1 year ago by Patrick McBride
Jean-Noël De Galzain, Founder and CEO
May 25, 2022 5:06 pm

Since its introduction four years ago, GDPR has been perceived as the catalyst behind some of the most profound changes to global data protection laws. In a nutshell, GDPR is designed to hold organisations accountable for the information they store, process and share, and anything that aims to create positive strides when it comes to data protection is a step in the right direction. However, one of the challenges of GDPR is that it can often be seen as complex, confusing and challenging to implement. This stems from the rapid digitalisation that businesses underwent during the pandemic, and the new ways in which we plan to access and share data as we move forward.

As we continue to think about the future of GDPR, one of the most important aspects to its continued success will be about how it evolves. After all, four years in the technology world can feel like a long time ago when it comes to innovation and new ways of working. In addition, a big part of the success behind GDPR will be about ensuring data protection is seen as working hand in hand with the business and its goals. Too often we see security and legislation regarded as a trade-off or a blocker to innovation. At the same time, many businesses struggle with having full visibility over who has access to customer data.

As we strive to create a more secure and digital Europe, the evolution of GDPR will play a critical part in this, and it is at the centre of ensuring we continue to think about data security practices. However, in order to get maximum success, we need to see business leaders embracing a digital culture that turns the spotlight on the value of our data, while also applying pragmatic data protection and cybersecurity methods that provide access at the right time and at the right privilege level when it comes to handling sensitive data. With the right platforms in place, businesses can support innovation and agility without jeopardising privacy.

Last edited 1 year ago by Jean-Noël De Galzain
Jon Fielding, Managing Director EMEA, Apricorn
May 25, 2022 5:01 pm

“The General Data Protection Regulation (GDPR) has certainly demonstrated its worth over the past four years, affording citizens more control over their data and forcing businesses to analyse their security posture and make changes where necessary. The ICO has shown its teeth, handing out a whopping total of €1,635,173,146 in fines to date, and it’s clear they are following through on their promises in that respect. But this also demonstrates the real-world consequences for poor data protection practices and shows there is work still to be done.

In fact, a recent survey carried out by Apricorn found that over 40% of respondents had notified the ICO of a breach/potential breach since GDPR came into effect or were aware that they had been reported by someone else. With the number of breaches showing no sign of receding, businesses must take action. Many are still mired in confusion and the regulation can be hugely overwhelming.

Organisations need to be mindful that GDPR is an ongoing process and not just a tick-box exercise. The most common ways to maintain compliance are to continue to enforce and update all policies and invest in employee awareness on a regular basis. Additionally, encryption is a key component within the compliance “kit”, helping to lessen the probability of a breach and mitigate any financial penalties and obligations that would apply in the unfortunate event of a breach.”
Last edited 1 year ago by Jon Fielding
Joseph Carson, Chief Security Scientist & Advisory CISO
May 25, 2022 4:58 pm

As we approach the fourth anniversary of EU GDPR, it is a time to reflect on how this privacy law has changed the cyber landscape over the last several years. Since its introduction, GDPR has continually forced organisations to better evaluate how they store and collect user data while simultaneously requiring organizations to implement stronger security controls to protect and secure any data they do collect from potential exploits. While the GDPR law has without doubt given citizens more control over how their data is collected and processed, it has also presented opportunities to cybercriminals who have also adapted their methods and techniques, specifically through ransomware attacks. Ransomware attacks continue to cause ripple effects throughout the industry and cybercriminals now utilize potential GDPR violations as a means of forcing an organisation to pay their hefty ransom demands. An astonishing 83% of organizations admit to paying ransom demands, according to recent research.

While GDPR did force organisations to somewhat improve their security posture, it has not stopped cybercriminals from being successful. Organisations must remember that GDPR is only a standard and cannot supplement a robust security strategy, one that incorporates strong privileged access control, automated threat detection and response, zero trust principles and a security first company culture.

Last edited 1 year ago by Joseph Carson
