Following the announcement that the GDPR has been ratified by the European Parliament, security experts from Micro Focus, Thales and Netskope commented below.
David Mount, Director Security Solutions, Micro Focus:
“The GDPR is going to have a huge impact on any businesses operating in the European Union, and how they store and process data. Throughout the drafting and ratification of the legislation, some elements of the regulation have been more controversial than others and it is interesting to see which measures have made it into the final text. Perhaps one of the more controversial elements is mandatory data breach reporting, since under the GDPR companies will be required to notify national data protection authorities and affected individuals within 72 hours of awareness of a data breach unless it is likely to put the rights and freedoms of the individuals at risk. This will be a technical challenge for those businesses unaccustomed to such stringent measures: they will need to identify the breach itself and the information assets likely to have been affected so they can give an accurate assessment of the risks to the authorities and consumers.
“While this may seem like a positive step towards improved data protection, the US example shows that in reality there can be an unintended consequence of ‘data breach fatigue’. Consumers become accustomed to receiving frequent data breach notifications for even very minor breaches, and as a result it can be hard for them to distinguish serious breaches requiring action from minor events which can be safely ignored. The effect is that sometimes consumers can’t see the wood for the trees, and may start to ignore all warnings – which somewhat negates the point of the measure. It remains to be seen whether or not this measure will have the desired effect in Europe.
“With two years to comply, businesses need to take action now by ensuring they fully understand the measures contained in the GDPR and what they mean for their business and its data use. Understand what data you hold, how you are using it, and make sure that you are practising good data hygiene by limiting access to data to only those who need it, and ensuring that authentication protocols are up to scratch for those users. Businesses should also consider deleting data that is no longer required so that it does not become an unnecessary risk.”
Peter Galvin, Thales e-Security:
“With data breaches becoming an everyday occurrence, this ruling on GDPR couldn’t have come at a better time. Companies have two years in which to prepare to comply with the legislation, which might seem like a long time but it certainly won’t be without its challenges. Organisations need to start planning and mapping out their strategies now, thinking beyond traditional models of securing the perimeter and locking down specific segments of IT infrastructure in order to formulate their data protection goals. A strong encryption strategy needs to be at the heart of this – not only to ensure that the business is complying with the regulations but also to assure customers their personal data is safe. Only organisations that do this well will establish and build trust with their customers.”
Eduard Meelhuysen, VP EMEA at Netskope:
“The European Union General Data Protection Regulation (GDPR) will have far-reaching consequences for both cloud-consuming organisations and cloud vendors. And with the ratification of this piece of legislation, security teams will have to begin the process to comply in earnest.
“With a maximum fine of 20 million euro or 4% of global turnover (whichever is higher) in cases where the data subject’s rights have been infringed – such as where data has been processed without a legal basis, or international data transfers have been performed – there is now more incentive than ever for companies to get their houses in order around data protection and privacy.
“With the complications presented by the cloud and shadow IT, personal data will be even harder to track and control. The security teams of data controllers will have to carefully create and document processes, policies, and products to ensure data subject rights and data security of processors.”