The recent anniversary of the General Data Protection Regulation (GDPR)’s implementation commemorated the first full year that businesses dealing with EU resident data have spent operating in this new regulatory environment. One year in, GDPR looks less like an outlier and more like a global trendsetter. While the EU may have led the way, consumer data protection conversations have shifted to the forefront in the United States, both at the state and federal levels and in countries around the globe.
Businesses aren’t the only ones that have begun educating themselves on all things compliance; thanks to a GDPR-related uptick in regulatory content in the media and other public spaces, consumers are increasingly better informed on their digital personas and the rights that do (or do not) accompany them. With that knowledge comes increased expectations for the businesses they choose to interact with and more awareness of those that may be using their personal data without consent. The bar has been raised, and it’s hard to think that consumers will accept less protection than they now see represented on a global stage.
There is a broadening recognition and acceptance that privacy regulations aren’t going away. In a recent Gartner survey, executives named accelerating privacy regulation as their top concern of Q1 2019, with 64% of respondents citing it as a key risk facing their organizations.
Businesses must be prepared for ongoing and elevating compliance standards in the years ahead — standards that may vary greatly by region, country or state. GDPR spurred great strides in data governance, causing companies to take note of what data they have, where is it, who has access, etc. as well as make significant improvements in the timeliness of breach notifications. However, better data governance and reporting isn’t the end of the compliance story. While improving procedures in these areas is important for companies and consumers alike, these first steps are just that — a beginning.
Some organizations used GDPR as a catalyst to establish broader data protection strategies, while others have yet to implement technologies that will actually have a meaningful impact on consumer data security. Data governance and reporting satisfy a number of tasks on the compliance checklist, but they do little to prevent sensitive consumer data from being breached or stolen. With the GDPR’s first year behind us, it’s time to shift our collective focus to ensuring the personal data businesses use and possess is truly locked down.
Establishing a data-centric approach to security and focusing on securing the data itself rather than just the networks, servers and applications it resides on is one of the most effective ways to deal with variable and accelerating regulations. If a company’s security strategy is built around protecting data at all times, the business will be better prepared to prevent breaches and misuse no matter what regulatory environment it finds itself operating in.
Data must be secure wherever it is within an organization, whether at rest on the file system, moving through the network or while it’s actually being used or processed. This is a protection strategy I refer to as the “Data Security Triad,” the three components of which include:
• Data at Rest: Categorized as inactive data stored in any digital form, data at rest resides on the hard drive or in databases, data lakes, cloud storage or other locations and is commonly protected by perimeter-based, access control and user authentication technologies. Additional security measures such as data encryption are commonly added depending on the level of sensitivity.
• Data in Transit: Data is vulnerable as it moves through a private network, public/untrusted space or a local device, and it is, therefore, standard practice to protect it using transport encryption. If businesses adhere to proper protocols, this is an efficient and effective defense strategy for data in transit.
• Data in Use: Data in use has become the point of least resistance for increasingly sophisticated attackers, as it is the most commonly overlooked segment of the Data Security Triad. Technical methods for securing data in use include homomorphic encryption, secure enclave and secure multiparty compute.
Access management is important for ensuring protection for data at rest, in transit and in use, but when it comes to locking down data to prevent a breach or misuse, one of the most effective technical solutions is encryption. While encryption itself does not prevent interference, without access to the keys, encrypted data is useless to an attacker, and data breached in its encrypted state is not subject to regulatory penalties. Limiting encryption to only a portion of the Triad is a dangerous oversight. If there is data of value at stake, attackers will find a way to reach it, so every point of entry needs to be protected.
GDPR has proven that regulations can spur real change in the commercial market — change that many consumers view in a positive light. When referring to businesses’ ongoing battle with compliance, as highlighted in its Emerging Risk Trends Report, Gartner’s Matt Shinkman described GDPR as the “starting gun in this process, and not the finish line.” While that seems to be an accurate summary of the market, where businesses perceive that finish line is also critical.
Compliance just to avoid regulatory penalties is not enough to impress an increasingly informed consumer base. In GDPR’s second year, let’s drive action geared more specifically toward what the law was intended to accomplish: Protecting the privacy of consumers by ensuring the security of their data.
Content provided by Microsoft and Forbes.com.