Comforte AG’s Jonathan Deveaux stresses that while compliance with the GDPR is a worthy goal, adhering to the regulation doesn’t necessarily mean your organization is safe. Consider both compliance and security a journey, not a destination.
The European General Data Protection Regulation (GDPR) came into effect on May 25, 2018, ushering in a new era of data compliance regulation across the world. GDPR-like regulations have emerged in Brazil, Australia, Japan and South Korea, as well as U.S. states such as New York and California.
The GDPR was introduced to protect the personal information of EU individuals that organizations collect, by regulating how that data may be collected and used. Even though it is European law, the scope of the legislation affects organizations around the world.
Despite a two-year phase-in period (May 24, 2016 to May 25, 2018), many organizations around the globe remain noncompliant. A GDPR pulse survey by PwC in November 2017 revealed only 28 percent of U.S. companies had begun preparing for GDPR, and only 10 percent responded saying they were compliant.
Just a few weeks before the May 25 deadline, a Cloud Security Alliance survey on GDPR preparation and challenges revealed that 83 percent of companies did not feel prepared for GDPR. Moving into 2019, the $57 million fine for GDPR violations handed to Google indicates that even the biggest corporations are struggling to comply with the regulation.
To avoid potential fines and the cost of compliance, some non-EU companies have opted to withdraw from the EU market entirely. For example, every U.S.-based online newspaper managed by Tribune Publishing Company has been routing all EU IP addresses to pages that say something to the effect of “our website is currently unavailable in most European Countries.” However, this is not a long-term solution, as more and more major economic hubs around the world introduce GDPR-like compliance regulations. As a result, many organizations are scrambling to improve their data security with the objective of becoming compliant and preventing cyber criminals from stealing precious customer data.
The GDPR has led to the question: “Does having adequate security also mean my organization is GDPR compliant?”
Data Compliance: A Security Solution?
Looking back on 2018, data breaches remained a regular occurrence, with several high-profile incidents, including those at Amazon, Facebook, Marriott Hotels and Google+, stealing the headlines.
What is most notable about these breaches is that they show adherence to data compliance regulations does not necessarily protect against bad actors breaching your systems and stealing data. Therefore, GDPR and other data compliance regulations should not be positioned as a sufficient cybersecurity strategy; instead, they should provide the impetus for proactive investment in data protection.
The GDPR provides a framework for comprehensive data security that includes standards for breach management, data protection, vendor management, data minimization and so on. As a result, the GDPR and other data compliance legislation provide organizations with a great foundation to start addressing cybersecurity risks.
The advanced and dynamic nature of cyber threats means that businesses need to adopt enterprise security architecture that can manage the objectives and risk challenges organizations face. Unfortunately, this means organizations cannot rely on purely being compliant with data protection regulation.
Compliance or Security – Which Should Take Priority?
Cybercriminals are constantly advancing and changing their attack methodologies. As a result, being compliant and secure is not a task with an end point. Instead, these are ongoing projects that require continued vigilance through maintaining and updating IT infrastructure. Data compliance regulations, such as the GDPR, are a great starting place for organizations wanting to address data protection. However, they are only an elementary step to addressing security.
With compliance regulations taking hold across the globe, compliance and security are increasingly becoming two sides of the same coin. Security and privacy need to be instrumental parts of organizations’ systems, and if organizations cannot determine whether compliance or security should take priority, they should work toward implementing a strategy that intertwines the two. This helps to reduce risk, particularly when it comes to unlawful access to critical data.
What is the Solution?
Organizations are increasingly adopting a layered approach to data security that involves investing in various solutions to defend against a range of threats. This has resulted in organizations wasting resources on unnecessary solutions – a problematic approach considering the often-limited security budgets many security teams have.
A data-centric security strategy is the solution to organizations’ compliance and security woes. This strategy protects the data throughout its life cycle, whether data is in motion, at rest or in use.
Tokenization is an essential aspect of this strategy. This process “de-toxifies” sensitive data by replacing it with a unique, randomly generated placeholder, anonymizing the information so that it can’t be linked together. This gives organizations the ability to use data while still protecting its original characteristics, helping them to simultaneously meet compliance and security requirements.
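As an added illustration (not code from the original article or from Comforte), a minimal token vault in Python shows the property the paragraph describes: the token is a random placeholder with no mathematical link to the original, and it can only be reversed through the vault. The format rule (same length, last four digits kept in the clear) and the stable same-input-same-token behaviour are assumptions chosen for this example.

```python
import secrets
from typing import Dict, Optional


class TokenVault:
    """Toy tokenization vault (added example, not a vendor implementation).

    A sensitive numeric value is replaced by a random digit string of the
    same length. Because the token is random rather than derived from the
    value, a stolen copy of the tokenized dataset reveals nothing without
    the mapping held here in the vault.
    """

    def __init__(self, keep_last: int = 4) -> None:
        # Assumption: the last `keep_last` digits stay in the clear so that
        # downstream systems (receipts, support lookups) keep working.
        self.keep_last = keep_last
        self._to_token: Dict[str, str] = {}
        self._to_value: Dict[str, str] = {}

    def _random_digits(self, n: int) -> str:
        # secrets (not random) so tokens are unpredictable to an attacker.
        return "".join(secrets.choice("0123456789") for _ in range(n))

    def tokenize(self, value: str) -> str:
        # Assumption: same input yields the same token, so tokenized records
        # can still be joined and deduplicated without detokenizing.
        existing = self._to_token.get(value)
        if existing is not None:
            return existing
        if not value.isdigit() or len(value) <= self.keep_last:
            raise ValueError("expected a numeric value longer than keep_last")
        prefix_len = len(value) - self.keep_last
        while True:
            token = self._random_digits(prefix_len) + value[-self.keep_last:]
            # Reject a collision with an issued token or with the value itself.
            if token not in self._to_value and token != value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> Optional[str]:
        # Only a caller with vault access can recover the original; an
        # unknown token maps to None rather than to anything derivable.
        return self._to_value.get(token)
```

In practice the vault lives in a separately secured system, so a breach of the application database yields tokens that are useless on their own.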
In the event of a breach, organizations will not necessarily be penalized if they can demonstrate their security apparatus was up to par (e.g., if sensitive data was breached but had been protected with the appropriate measures, such as tokenization or encryption).
The spread of GDPR-like compliance across the world and within the U.S. provides businesses with the perfect opportunity to review their security posture and implement effective strategies that will protect their business from nefarious actors, as well as fines for noncompliance with data privacy regulation. In today’s world, data compliance and security are essential for survival.