by Philip Kushmaro

Now that it’s here, what can we learn from the bumpy journey to GDPR compliance?

May 31, 2018

Think you’re done with hearing about GDPR? Not so fast. Data privacy legislation isn’t going anywhere and there’s a lot we can learn from the ups and downs of the EU experience.

The deadline for GDPR compliance has finally arrived and, if you’re like my editor, you’re probably wondering what’s left to say on the subject. We’ve certainly run some excellent overviews of the new legislation here at CIO. But, hold your horses. The data privacy issue isn’t over just because GDPR is now a reality – far from it.

Similar regulations are being debated in Canada, Japan, Australia, and China. And in the US, last month’s news that the US Securities and Exchange Commission had fined Yahoo (Altaba) $35 million for failing to disclose a data breach has a lot of American businesses asking what’s next in data privacy rulings. Will global businesses be able to meet new incoming standards and, more importantly, satisfy customers that their personal data is safe? There’s a lot we can learn from the GDPR experience of the last two years.

Do you understand the data you’re responsible for?

While a lot of attention was given to privacy and consent issues, such as the right of citizens to access their personal data, for many companies these concerns turned out to be just the tip of the iceberg. Some major issues only became apparent along the way. As many companies discovered, recognizing and mapping data was far more complex than initially believed. It wasn’t just a matter of finding “John Smith” in a database. There needed to be a way to understand the identities behind the data: who these people are, in what capacity the organization knows them, and what rights and obligations apply to the data.

“The amount of work necessary to prepare themselves for GDPR really surprised a lot of our clients,” says Christopher Glover, Chief Technology Officer of Prifender, which has turned to Artificial Intelligence to identify and map personal information across the organization. “Enterprises with any sort of history have been accumulating data for years, and it’s often spread across multiple databases, email systems, and other document file systems in various repositories on and off the cloud. Manually having to inventory and label all that data was an arduous and labor-intensive task. Now that GDPR has been implemented, many are recognizing the need to automate the process, so that the system is continually monitored and updated and, of course, at a much lower cost.”
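The mapping problem described above, as an added example that is not part of the original article or of Prifender’s product: three constructed repositories (a CRM table, a mail archive and a file-share index, all invented data) are scanned, every discovered identifier is attributed to an identity, and the resulting inventory answers a subject access request. The role-mailbox filter and the path-based “employee” heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample repositories standing in for a CRM table, a mail archive and a
# file-share index. All names, addresses and paths are invented for this example.
CRM_ROWS = [
    {"customer_id": 1001, "name": "John Smith", "email": "john.smith@example.org", "phone": "+1-555-0100"},
    {"customer_id": 1002, "name": "Ana Duarte", "email": "ana.duarte@example.net", "phone": "+351-555-0123"},
]
MAIL_ARCHIVE = [
    "From: john.smith@example.org\nSubject: invoice\nPlease call me on +1-555-0100.",
    "From: hr@example.com\nSubject: onboarding\nWelcome Ana, your badge is ready.",
]
FILE_SHARE_INDEX = [
    ("/shares/finance/refunds-2017.csv", "refund to john.smith@example.org, card ending 4242"),
    ("/shares/hr/contracts/ana_duarte.pdf", "Employee: Ana Duarte, email ana.duarte@example.net"),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+\d{1,3}-\d{3}-\d{4}")
# Heuristic (an assumption for this example): shared mailboxes are not a person's data.
ROLE_MAILBOXES = {"hr", "info", "noreply"}


def extract_identifiers(text):
    """Identifiers that can be discovered by pattern in unstructured text."""
    emails = {e.lower() for e in EMAIL_RE.findall(text)
              if e.split("@")[0].lower() not in ROLE_MAILBOXES}
    return {"email": emails, "phone": set(PHONE_RE.findall(text))}


def new_entry():
    return {"repositories": set(), "categories": set(), "roles": set()}


def build_inventory():
    """Map each identity (keyed by e-mail address) to the repositories holding data about it,
    the categories of data found there and the relationship the data implies."""
    inventory = defaultdict(new_entry)
    # Structured source: columns are known, so categories and role are attributed directly.
    for row in CRM_ROWS:
        entry = inventory[row["email"].lower()]
        entry["repositories"].add("crm")
        entry["categories"].update({"name", "email", "phone"})
        entry["roles"].add("customer")
    # Unstructured sources: only what a pattern can find is attributed, so the message that
    # mentions "Ana" without any identifier is never linked to her record.
    for i, msg in enumerate(MAIL_ARCHIVE):
        found = extract_identifiers(msg)
        for email in found["email"]:
            entry = inventory[email]
            entry["repositories"].add(f"mail:{i}")
            entry["categories"].add("email")
            if found["phone"]:
                entry["categories"].add("phone")
    for path, content in FILE_SHARE_INDEX:
        found = extract_identifiers(content)
        for email in found["email"]:
            entry = inventory[email]
            entry["repositories"].add(f"file:{path}")
            entry["categories"].add("email")
            if "card ending" in content:
                entry["categories"].add("payment")
            if path.startswith("/shares/hr/"):  # assumed convention for this example
                entry["roles"].add("employee")
    return dict(inventory)


def access_request(inventory, email):
    """Answer a data subject's access request from the inventory: where the data lives,
    what kinds there are and in what capacity the person is known. None if unknown."""
    entry = inventory.get(email.lower())
    if entry is None:
        return None
    return {k: sorted(v) for k, v in entry.items()}


if __name__ == "__main__":
    inv = build_inventory()
    for address in sorted(inv):
        print(address, access_request(inv, address))
```

The structured source is the easy part; the unstructured sources show why manual inventory is so laborious: a record is only linked when an identifier is literally present, and a single person can turn out to be both a customer and an employee, with different obligations attached to each relationship.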

Defending that data may not be as easy as you think

Security of that data also presented unforeseen challenges. As they began the process of data mapping, many companies realized there were third-party issues they hadn’t previously considered, and those obscure relationships presented hidden security risks.

“Regulated companies are more at risk than ever from their third-party relationships,” says Richard Saville, Solutions Consultant at Opus, a New York-based global risk and compliance SaaS. “In a recent Opus and Ponemon Institute survey, 56% of respondents confirmed that their organizations experienced a data breach caused by a vendor. And only 35% of respondents have a complete inventory of third parties with whom they have shared sensitive information.”

Leonid Belkind, Co-Founder and CTO of Luminate Security, agrees and suggests that managing secure access to sensitive data, and providing full audit and governance, may be almost impossible with traditional IT networks. “In modern enterprises, data is stored across a number of IT systems, and relying on network-level access controls and application-internal controls and audits to manage the data leaves companies in a precarious situation if they lack a single point of control over their sensitive data repositories. This exposes the organizations to heavy penalties under the new privacy laws.”

Belkind proposes an alternative approach, based on the Zero Trust Network philosophy, similar to Google’s internal project called BeyondCorp. With its Secure Access Cloud, access to any corporate service that handles sensitive information is granted only after the identity of the accessing party and the security posture of the device it is using have been verified.
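The contrast Belkind draws, as an added example that is not part of the original article and is not Luminate’s or Google’s code: a legacy check that trusts anything inside the corporate address range, next to a per-request decision that judges the verified identity and the device posture and writes one audit record per request. The address range, posture attributes and policy thresholds are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed corporate range: the legacy control only asks "is the caller inside the network?"
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")


def network_allows(source_ip: str) -> bool:
    """Legacy network-level control. An unmanaged laptop on the VPN or a compromised
    host in a branch office passes this check exactly like a healthy corporate desktop."""
    return ipaddress.ip_address(source_ip) in CORPORATE_NET


@dataclass(frozen=True)
class Identity:
    subject: str
    mfa_verified: bool           # identity was verified with a second factor for this session
    groups: FrozenSet[str]


@dataclass(frozen=True)
class DevicePosture:
    managed: bool                # enrolled in device management
    disk_encrypted: bool
    os_patch_age_days: int


@dataclass(frozen=True)
class Service:
    name: str
    holds_sensitive_data: bool
    allowed_groups: FrozenSet[str]


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_access(identity: Identity, device: DevicePosture, service: Service,
                    max_patch_age_days: int = 30) -> Decision:
    """Zero-trust style decision: every request is judged on who is asking and from which
    device, regardless of where on the network it originates. Thresholds are assumed values."""
    reasons: List[str] = []
    if not identity.mfa_verified:
        reasons.append("identity not verified with MFA")
    if not (identity.groups & service.allowed_groups):
        reasons.append(f"{identity.subject} is not entitled to {service.name}")
    if service.holds_sensitive_data:
        # Posture requirements only bite for services that hold sensitive data.
        if not device.managed:
            reasons.append("device is not enrolled in management")
        if not device.disk_encrypted:
            reasons.append("device disk is not encrypted")
        if device.os_patch_age_days > max_patch_age_days:
            reasons.append(f"device OS patches are {device.os_patch_age_days} days old")
    return Decision(allow=not reasons, reasons=reasons)


def audit_record(identity: Identity, device: DevicePosture, service: Service,
                 decision: Decision) -> Dict[str, object]:
    """One record per request naming every factor consulted, so access to a sensitive
    repository can be reviewed later from a single point of control."""
    return {
        "subject": identity.subject,
        "service": service.name,
        "mfa": identity.mfa_verified,
        "device_managed": device.managed,
        "device_encrypted": device.disk_encrypted,
        "patch_age_days": device.os_patch_age_days,
        "allowed": decision.allow,
        "reasons": list(decision.reasons),
    }


if __name__ == "__main__":
    # Constructed scenario: a finance user on an unmanaged laptop, connected over the VPN.
    alice = Identity("alice", mfa_verified=True, groups=frozenset({"finance"}))
    laptop = DevicePosture(managed=False, disk_encrypted=True, os_patch_age_days=5)
    payroll = Service("payroll", holds_sensitive_data=True, allowed_groups=frozenset({"finance"}))
    print("network control:", network_allows("10.0.5.7"))
    decision = evaluate_access(alice, laptop, payroll)
    print("zero-trust control:", audit_record(alice, laptop, payroll, decision))
```

The same request passes the network check and fails the zero-trust one, and the audit record explains why; that explanation is what the “single point of control” Belkind mentions makes available to governance and to breach investigations.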

The silver lining? GDPR has companies thinking ahead

Ofer Israeli, cybersecurity expert and Founder and CEO of Illusive Networks, says the lead time to GDPR has been crucial. “GDPR has actually forced enterprises to think about future threats, and that’s a good thing, because they must ensure that data collected now always remains secure,” says Israeli. “Attackers get smarter all the time and their techniques are increasingly sophisticated, so you have to remain one step ahead of them.”

Illusive Networks, which has won several industry awards this year for this proactive strategy, is a pioneer of deception-based cybersecurity. Its intelligence-driven approach leverages a range of advanced tools to manage the entire threat life cycle, from preemption to detection and response, to mitigate advanced attacks and prevent an attack from having consequences both for the business and under data privacy legislation.

Only machine learning and AI can solve data privacy headaches

If we’ve learned anything these past two years preparing for GDPR, it’s that new thinking like this will be required to stay one step ahead of threats to data integrity in the future, and provide the data management that regulators demand and customers and employees deserve. Artificial intelligence and machine learning offer exciting opportunities to meet these demands, which will only grow as more data privacy legislation is enacted around the world.