GDPR And The ‘Security By Compliance’ Mistake

July 02 11:03 2018


For the past month, we have all been flooded with vendor emails and website pop-ups announcing “privacy notice updates”, each signalling awareness of, and intent to meet, the May 25 deadline for the EU General Data Protection Regulation (GDPR). The best of these messages require subscribers to opt in before their information is collected or shared. The worst simply alert the reader to a policy change made to meet the new GDPR requirements and point them at the legal jargon.

The race is on to comply with GDPR given the threat of hefty fines for breaching this law. Unfortunately, Gartner predicts that by the end of 2018, more than half of all companies affected by GDPR will not be in full compliance with its requirements. And we are already seeing workarounds, where companies are putting up new websites with different privacy requirements for different countries. That is similar to what happened in the United States with unique state laws creating a “compliance salad” of paperwork and notification variations that are nearly impossible to manage and which take an incredible amount of time and energy. Furthermore, these state-specific laws do not account for the global information exchange, which doesn’t follow strict borders.

GDPR is already being hailed as “the most important change in data privacy regulation in two decades.” But just going down the list of compliance checkboxes has never been a good proactive approach to security. Although GDPR has made improvements, it has not fundamentally changed behaviors radically enough to solve the core problems of data privacy. We’ve been through the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) and their long list of checkbox requirements, and yet breaches and leaks of personally identifiable information (PII) continue to rise.

But before we dig in deeper, let me first say that GDPR is not a bad regulation, nor one to be ignored. The intent of GDPR is good. It responds directly to an angry public (and their representatives) that wants more control and a voice in how their information is used. And it’s the first real security regulation with significant teeth. If any company fails to meet GDPR regulations, the Information Commissioner’s Office (ICO) or EU privacy regulators can enforce penalties of up to 4% of worldwide turnover or 20 million euros (USD $23.58 million), whichever is greater.

But in talking with dozens of CISOs over the past few months, I have heard a very common reaction to GDPR. They all take the law very seriously. All of them believe in the highest standards of information and system protection, but every day they face the uphill battle of securing the budget and the training needed to change employee and company behaviors. They are frustrated that it takes “a GDPR” to make organizations act responsibly, and they want to get beyond compliance checkboxes to a more fundamental and strategic approach to data privacy.

And here’s how it starts:

Ditch Big Data For Best Data

Our society is a data-driven place, and businesses have reacted to the avalanche of big data by storing it for the purposes of sifting through it for potential business value. Too bad much of that data sits idle, and many organizations don’t even know what data they have — that’s one of the driving factors of why GDPR compliance is hard. Information needs to be safeguarded while it is being processed in order to be compliant with GDPR. There needs to be a fundamental change in getting personal information for the right purposes and showing the customer the value of that data exchange.

Separate The Technical Practice Of Data Access And Data Decryption

We need to abandon the notion that accessing data and decrypting data are synonymous. Today’s outdated technical practices rarely encrypt data at all, for fear of hurting application performance. Even where organizations do encrypt to satisfy regulations, they universally decrypt the data so that employees can use it. Simply put, the data is put in the clear (unencrypted) at the point of greatest vulnerability and error: when humans touch and use it. This is now an archaic practice. Applications and users can run analytics and extract real value from data without decrypting it.
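As an added illustration of that point (example code, not from the original article), the sketch below separates data access from decryption: personal identifiers are replaced with keyed pseudonyms (an HMAC, a technique the article does not name) by a custodian who holds the key, and the analyst's aggregation runs over the pseudonymized rows with no decrypt step at all. Record values and the key are constructed for the demo.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample records (not real people). "email" is the PII field.
RAW_RECORDS = [
    {"email": "ana@example.com", "country": "DE", "order_eur": 120.0},
    {"email": "ana@example.com", "country": "DE", "order_eur": 80.0},
    {"email": "bo@example.com", "country": "FR", "order_eur": 50.0},
    {"email": "cy@example.com", "country": "DE", "order_eur": 200.0},
]

# Hypothetical key held by a separate data custodian; analysts never receive it.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace the PII field with a keyed, deterministic pseudonym.

    A keyed HMAC (rather than a bare hash) means the token cannot be reversed
    by hashing guessed email addresses without the key; determinism keeps the
    same person mapping to the same token, so distinct counts and joins work.
    """
    token = hmac.new(key, record["email"].encode(), hashlib.sha256).hexdigest()
    return {"customer_id": token,
            "country": record["country"],
            "order_eur": record["order_eur"]}


def spend_by_country(records):
    """Analytics over pseudonymized rows: distinct customers and total spend
    per country. There is no decrypt call, so the analyst never handles PII."""
    customers = defaultdict(set)
    spend = defaultdict(float)
    for r in records:
        customers[r["country"]].add(r["customer_id"])
        spend[r["country"]] += r["order_eur"]
    return {c: (len(customers[c]), spend[c]) for c in customers}


def run_demo():
    """Custodian step (pseudonymize) followed by the analyst step (aggregate)."""
    safe_rows = [pseudonymize(r, PSEUDONYM_KEY) for r in RAW_RECORDS]
    assert all("email" not in row for row in safe_rows)  # PII never reaches the analyst
    return spend_by_country(safe_rows)
```

The result still answers the business question (two distinct German customers spent 400 euros in total) while the only party that could ever map a token back to a person is the key holder.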

Create Serious Public-Private Partnerships

The nature of security by compliance inherently creates an adversarial relationship between business, policy makers and legislators. If you sit a CISO down with a legislator, you’ll find that both sides want the highest levels of information protection, but they are moving on such separate paths that all that results is tail chasing. CISOs and security professionals talk a lot about sharing information, but in reality, fear of retribution motivates them to keep things pretty close to the vest. And legislators, despite all their best intentions, don’t engage enough with CISOs and businesses to gain the critical insight on what the business needs. Both parties need to work in lockstep to enact protections that move faster than attackers and leverage the best innovations available to protect data from their adversaries.

Be Motivated By Trust, Not Compliance

According to a PwC survey of global CEOs, 64% said that the way their company manages customers’ data will be a key differentiator for them in the coming years. And yet a separate survey by the UK’s Information Commissioner’s Office reported that only a quarter of people trust businesses with their personal information. Does anyone think for a second that consumers and customers will trust a company more because they have seen a new policy that complies with GDPR? Trust is not built through a contract but through communication, commitment and consistency.

The motivations of companies need to shift from compliance and defending against litigation and fines to a relationship of trust. Treat customer information not as a currency or commodity but instead as the most valuable bond between a company and its users and customers. Only when behaviors change — and security becomes a competitive differentiator and not a necessary evil that is a checkbox for compliance — will things really leap forward.

The original article (and image) was posted here: https://www.forbes.com/sites/forbestechcouncil/2018/07/02/gdpr-and-the-security-by-compliance-mistake/#320eb6c3ecc4

About Article Author

GDPR Associates