GDPR Anniversary: Expert Insight On What Led To GDPR Fines

Please see the comments by industry leaders on the anniversary of GDPR. The comments focus on how poor identity and access management can lead to GDPR fines, and why organisations need to invest in Identity Data Fabrics.

Chad McDonald, CISO
InfoSec Expert
May 24, 2022 12:09 pm

Due to the rise in digital transformation efforts, we are seeing an explosion in the number of digital identities that each business stores. As a result, controlling and managing identity data has become that little bit harder. Unfortunately, when organisations struggle to manage their identity data, they could potentially break GDPR rules.  

Organisations have been scattering their identity data across multiple sources which all use different protocols or are stored in cloud repositories which cannot connect to legacy technology. This identity sprawl results in overlapping, conflicting, or inaccessible sources of data. Identity data which is poorly managed makes it virtually impossible for IT teams to build accurate and complete user profiles. 

It can also result in siloed systems which increases the likelihood of a failure in identity management and expands the attack surface of an organisation. For example, Bocconi University was fined €200,000 after the Italian Data Protection Authority discovered that the same student information had been placed into multiple, fragmented documents – violating the GDPR principles of fairness, transparency, and lawfulness when it comes to data processing. Poor identity management practices mean that security teams cannot have full visibility across their identity data, providing gaps for threat actors to exploit. Organisations that do not have the right protocols in place for identity management risk breaking GDPR rules by failing to keep identity data accurate and minimised. Failure to do this could result in a double blow, because you’re now both more vulnerable to cyber criminals and being hit by a massive fine from EU regulators.

Not only do businesses have a lack of visibility across their data sources, but also a lack of control. Without accurate user profiles, security teams and systems are unable to figure out what users should be accessing in order to fulfil their job. The most notorious GDPR fine was incurred by British Airways, who were fined £40m for failing to limit access to applications, data and tools. With some of the largest enterprises being found guilty of breaking GDPR rules, it is time organisations look to sanitise and streamline processes when it comes to Identity Access Management.

With an Identity Data Fabric, organisations can unify identity data stored from all sources into one easy-to-use global profile which can deliver identity data in real-time from wherever and whenever needed. Applications are then able to access identity data using different formats and protocols, irrespective of whether it’s on-premise or in the cloud, and users’ profiles can be regularly updated in real-time. With accurate identity data, security teams have complete control over who has access to what, and they can feel more confident that they’re meeting all the GDPR regulations.

Mark Keddie, Global Director of Privacy
InfoSec Expert
May 24, 2022 5:10 pm

The recent proposed reforms to the UK’s data protection legislation in the Queen’s speech represent a desire to break away from some of the more rigid obligations of the EU’s GDPR. But businesses need to ensure they maintain the means to comply with international laws, while benefiting from the ‘Brexit dividend’ the new UK reforms promise. 

One way to successfully achieve this will be to have airtight data segmentation policies that enable them to compliantly manage data from divergent markets differently. This means being able to quickly identify where each customer is based and implementing the relevant data controls in accordance with their local data protection laws. The alternatives are to decline to give international customers access to their products and services, which would likely have a significant impact on their bottom line, or to continue to follow the GDPR rules to the letter for all customers and potentially lose out on the Brexit dividend altogether.

If the government does power ahead to relax UK data protection regulations, then without the right assurance in place, UK businesses may face an uphill struggle to manage international customer expectations, particularly when such customers are increasingly wary of the consequences of non-compliance in terms of legal, financial, and reputational damage.

Oliver Cronk, Chief IT Architect, EMEA
InfoSec Expert
May 24, 2022 5:13 pm

Over £961 million worth of GDPR fines were issued between January 2021 and January 2022 – a sevenfold increase on the previous year. If there is anything to take from this GDPR anniversary, it’s that organisations need to get their house in order straight away – as I expect another significant rise in fines over the course of this year.

A cause of this will be the wholesale changes that were made to IT infrastructure overnight to keep businesses running during the pandemic; the negative impacts of this are still being felt by many organisations. The requirement for rapid change meant that security and compliance sometimes took a back seat – but this isn’t a sustainable long-term approach. It’s tough for IT teams to simultaneously juggle business priorities, but now that the pandemic has eased it’s crucial for GDPR compliance to be treated as a key focus area.

To support this, IT teams must fix the visibility issues that most of them have. Our research found that ninety-four percent of today’s enterprises find 20% or more of their endpoints are unprotected, making it impossible to be sure that data is being handled in a GDPR-compliant manner. Risk analysis is another important area of GDPR compliance because it enables IT risk to be assessed so that issues can be fixed before an incident occurs. This can be the difference between being on the back or front foot, helping to avoid data breaches and the associated fines. Staff training is also crucial – and organisations need to ensure their Data Protection Officers support the whole company with information on how to remain compliant, especially given the new hybrid working landscape.

If these steps are followed, organisations will stand a good chance of not becoming the next big negative GDPR headline – which I expect to see several more of this year. The reputational damage caused by these events can often have a larger impact than the fine itself, so the value of GDPR compliance cannot be underestimated.

Danny Sandwell, Data Strategist
InfoSec Expert
May 25, 2022 10:46 am

When we look at the big picture, the GDPR really has become a vital component of global privacy law. It set the standards for others to follow, and it brought data privacy and data management into focus for everyone from citizens to enterprises and government institutions. Over the last four years, we shouldn’t underestimate the impact that GDPR has had on highlighting the reasons that companies should take data related issues more seriously, and not put them on the backburner.

However, as data protection regulations expand from simply a “citizens-rights” focus, many global organisations now find themselves struggling to manage the convergence of multiple data regulations across different regions, rather than focusing on growth and improvement.  This has resulted in organizations looking at data regulations more holistically and managing sensitive data in an environment where they can understand the unique requirements and manage any conflicts that may arise from the different viewpoints and drivers of said regulations.  GDPR has forced organizations to put sensitive data governance at the front and centre of their digital transformation efforts.

What’s also changed in four years is that there is a much greater focus on the physical geographical location of data. Thankfully, cloud providers are no longer spinning their heads around in response to many organizations’ specific regional hosting needs. With the various compliance, auditing, and breach notification requirements under GDPR better understood, the major cloud providers are equipped to help organisations navigate and advise along the way.

Rob Otto, EMEA Field CTO
InfoSec Expert
May 25, 2022 2:43 pm

As we mark the 4th anniversary of GDPR, it’s clear that many organisations are still doing the bare minimum when it comes to achieving compliance – and exposing themselves and their customers to threats both internally and externally. Going the extra mile and implementing further protection for individuals – such as holistic identity and access management (CIAM) – and placing privacy and security at the front of mind, will be a key differentiator for businesses operating in a competitive market.

When it comes to businesses implementing GDPR effectively, a CIAM setup is vital to meet the requirements for both employees and customers. This is because CIAM solutions offer key capabilities including data consolidation, consent capture and management, data access governance and end-to-end security – consolidating all the key components needed to meet the regulation, along with streamlining them effectively – making it cost-effective too. The other key consideration for businesses going forward is to ensure that their security solutions are thought of as part of the overall customer experience – not least because a data breach will result in a loss of customer loyalty. Ensuring that security solutions are seamless, invisible and human-centric will be the next evolution of meeting GDPR compliance.

Andy Teichholz, Senior Industry Strategist, Compliance and Legal
InfoSec Expert
May 25, 2022 4:56 pm

As we mark the fourth anniversary of the GDPR, organisations are facing a more knowledgeable, confident, and powerful world community demanding greater transparency in terms of how their personal data is used and expecting organisations to be held accountable for their behaviour. Last year, not only did we see a significant increase in the number of GDPR fines, but we witnessed the biggest one to date, with many of these fines focused on punishing organisations that seem to present ambiguity or lack transparency in processing and communicating decisions with their customers.

Reputational management – maintaining a happy customer base – is driving boardroom discussions and forcing organisations to identify a new data privacy strategy beyond regulatory compliance risks. Consumers demand integrity and truthfulness regarding how personal data is processed and used. Customers demand control and are not reticent to exercise their rights to delete or request copies of any personal data that has been processed.

For many organisations, fulfilling such requests is incredibly time consuming, is often still a manual process and – as many organisations have internal silos – even locating all available data is an undertaking. With a focus on brand reputation and retaining customer loyalty, organisations are looking to innovation and automation to manage these challenges and as a source of competitive advantage. Gaining trust is so dependent on delivering a consistently great customer experience that effective communication of personal data policies, practices, and any breaches, as well as a streamlined Subject Rights Requests (SRR) management process, must be top of mind. Organisations that foster an integrated, data-centric approach to privacy management – leveraging data discovery and classification tools, risk mapping and data management platforms with strong retention capabilities – will be in the best position to execute on these priorities. This will earn individual trust and retain the right of custodianship of customers’ personal data as well as differentiate themselves in the marketplace.

Joseph Carson, Chief Security Scientist & Advisory CISO
InfoSec Expert
May 25, 2022 4:58 pm

As we approach the fourth anniversary of EU GDPR, it is a time to reflect on how this privacy law has changed the cyber landscape over the last several years. Since its introduction, GDPR has continually forced organisations to better evaluate how they store and collect user data while simultaneously requiring organizations to implement stronger security controls to protect and secure any data they do collect from potential exploits. While the GDPR law has without doubt given citizens more control over how their data is collected and processed, it has also presented opportunities to cybercriminals who have also adapted their methods and techniques, specifically through ransomware attacks. Ransomware attacks continue to cause ripple effects throughout the industry and cybercriminals now utilize potential GDPR violations as a means of forcing an organisation to pay their hefty ransom demands. An astonishing 83% of organizations admit to paying ransom demands, according to recent research.

While GDPR did force organisations to somewhat improve their security posture, it has not stopped cybercriminals from being successful. Organisations must remember that GDPR is only a standard and cannot supplement a robust security strategy, one that incorporates strong privileged access control, automated threat detection and response, zero trust principles and a security first company culture.

Jon Fielding, Managing Director EMEA, Apricorn
InfoSec Expert
May 25, 2022 5:01 pm

“The General Data Protection Regulation (GDPR) has certainly demonstrated its worth over the past four years, affording citizens more control over their data and forcing businesses to analyse their security posture and make changes where necessary. The ICO has shown its teeth, handing out a whopping total of €1,635,173,146 in fines to date, and it’s clear they are following through on their promises in that respect. But this also demonstrates the real-world consequences for poor data protection practices and shows there is work still to be done.

In fact, a recent survey carried out by Apricorn found that over 40% of respondents had notified the ICO of a breach/potential breach since GDPR came into effect or were aware that they had been reported by someone else. With the number of breaches showing no sign of receding, businesses must take action. Many are still mired in confusion and the regulation can be hugely overwhelming.

Organisations need to be mindful that GDPR is an ongoing process and not just a tick box exercise. The most common ways to maintain compliance are to continue to enforce and update all policies and invest in employee awareness on a regular basis. Additionally, encryption is a key component within the compliance “kit”, helping to lessen the probability of a breach and mitigate any financial penalties and obligations that would apply in the unfortunate event of a breach.”
Jean-Noël De Galzain, Founder and CEO
InfoSec Expert
May 25, 2022 5:06 pm

Since its introduction four years ago, GDPR has been perceived as the catalyst behind some of the most profound changes to global data protection laws. In a nutshell, GDPR is designed to hold organisations accountable for the information they store, process and share, and anything that aims to create positive strides when it comes to data protection is a step in the right direction. However, one of the challenges of GDPR is that it can often be seen as complex, confusing and challenging to implement. This stems from the rapid digitalisation that businesses underwent during the pandemic, and the new ways in which we plan to access and share data as we move forward.

As we continue to think about the future of GDPR, one of the most important aspects to its continued success will be about how it evolves. After all, four years in the technology world can feel like a long time ago when it comes to innovation and new ways of working. In addition, a big part of the success behind GDPR will be about ensuring data protection is seen as working hand in hand with the business and its goals. Too often we see security and legislation regarded as a trade off or a blocker to innovation. At the same time, many businesses struggle with having full visibility over who has access to customer data. As we strive to create a more secure and digital Europe, the evolution of GDPR will play a critical part in this and it is at the centre of ensuring we continue to think about data security practices. However, in order to get maximum success, we need to see business leaders embracing a digital culture that turns the spotlight on the value of our data, while also applying pragmatic data protection and cybersecurity methods that provide access at the right time and at the right privilege level when it comes to handling sensitive data. With the right platforms in place, businesses can support innovation and agility, without jeopardising privacy.

Patrick McBride
InfoSec Expert
May 25, 2022 5:20 pm

GDPR set the standard for privacy, but this concept is relatively incomplete as it’s deeply intertwined with and reliant on strong, resilient cyber security practices to keep data secure and, well, private.

However, you can’t have privacy without security, and you can’t have strong security when passwords and traditional MFA are involved.

Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures. The ICO does note that any password setup that you implement must be appropriate to the particular circumstances of this processing and businesses should consider whether there are any better alternatives to using passwords.

A fundamental failing of common security tropes is that you can make passwords safe, and the longer and more complex they are the better. WRONG. To better protect privacy, governments must ensure businesses eliminate passwords.

Up there with the security failings of passwords is also the ease with which attackers can now bypass traditional MFA using off-the-shelf phishing and Man in the Middle exploits. Legacy MFA is redundant and will continue to prove unreliable. Legislation should be continually updated, and outdated password and MFA practices should be addressed. Government bodies must ensure that businesses are using phishing resistant, passwordless MFA to protect sensitive and critical data.

Steve Bradford, Senior Vice President
InfoSec Expert
May 25, 2022 5:22 pm

It may have been four years since GDPR was introduced, but compliance is a process that must be adapted continuously.  

To keep on top of this, companies must try to understand the regulatory requirements as much as possible and keep track of how they affect their own industry. Businesses should then conduct assessments to identify their own privacy risks, prioritise them and create an action plan to mitigate the most important risks. It’s also important for companies to review the security policies and procedures already in place, to stay compliant with regulations applicable to their business.

To ensure sustainable compliance, companies should also streamline and automate compliance processes and policies as much as possible. Technology like identity security can achieve this by regulating user access and keeping track of who is using various apps and data, and when. Doing this can save costs as well as valuable staff time, while reducing the risk of devastating data breaches due to manual errors.
