On May 25, 2016, the GDPR (General Data Protection Regulation) became law in 28 European countries, marking the arrival of the biggest piece of legislation ever created… anywhere. We’re now in a two-year transition period before the new law is enforced in 2018. What is truly significant about the GDPR is its global scope, meaning that wherever you are in the world, if you process the personal data of Europeans, then you must comply.
The GDPR is all about protecting individuals (aka the “Data Subjects”) by giving them greater rights over their data, such as the greater need for consent and the right to be forgotten. Ultimately, organizations must be responsible custodians of this data or they may be fined up to 20 million Euros, or 4% of their parent company worldwide turnover, whichever is greater. With potential fines up in the billions, the GDPR is unsurprisingly on everyone’s business agenda.
On the surface, the GDPR is all about adhering to new processes, such as data access requests, erasing old records, and mandatory breach notifications. Whilst this operational side of the GDPR is key, it is easy to get too focused on the specific requirements instead of their intent. GDPR is unlike most other regulations in that you can’t just tick the boxes to comply. The GDPR contains ‘principles’ that must be adhered to, which amount organizations being responsible, caring, and protective of their data.
Unlike PCI requirements, companies can’t find loopholes in the GDPR that allow them to ‘get away’ with insecure practices. The GDPR is a new type of compliance regime and requires a new type of thinking. And that’s a good thing. Too often, there’s the tendency to find any way at all to tick boxes and squeeze through the regulatory process, without thinking about the potential real-world ramifications of not locking things down as much as we should.
With this ‘data protection spirit’ in mind, the primary goal of organizations should be the actual protection of personal data. There are many ways to achieve this, but a simple prioritized approach would look at the major threats that lead to a security breach. We’re still seeing malware and phishing as the two major causes of a breach, and as of 2017, these two specific threats are simple to solve. That sounds glib, but it’s true. As an example, if you ask Cylance customers about malware, the typical response is, “We don’t have a problem anymore. Cylance just solved it. We spend our time on more complex problems now.”
So, am I suggesting that implementing a complex piece of legislation can be done by simply installing an antivirus product? No, but it’ll be crucial to achieving the desired results. All of us working in the GDPR sphere need to re-evaluate our perspective and get our heads out of the fine detail to focus on what our customers, employees, and regulatory bodies really want. They just want us to protect their data, and by removing the largest causes of data breaches, we’ll be light years ahead of our competition.
GDPR compliance takes a lot of effort, but we can achieve a few ‘quick wins’ by solving the big technical threats early with some next-generation technology. Rather than getting distracted by flashy new attacker techniques and state-sponsored attacks, which are less likely to be encountered in the wild, organizations should focus on solving security basics using artificial intelligence and machine learning to stop malware and other threats before they execute.
Consulting Director of Cognition, GDPR and Antivirus Consulting Provider.