The GDPR Conundrum

Since officially going into effect in May 2018, the European Union’s General Data Protection Regulation (GDPR), has been a source of consternation for businesses around the globe. GDPR requires organizations adhere to strict guidelines as it relates to collecting, storing, and processing data of EU citizens regardless of where the organization is based in the world. Fines for failing to follow the standards required by the law can result in fines of up to €20 million or 4% of worldwide turnover for the organization’s previous financial year – whichever is higher.

Many multi-national corporations have already run afoul of GDRP in its short existence. Earlier this year, for example, online retail giant Amazon was slapped with a record $888 million fine for violating data protection rules. Just last month, Facebook was fined nearly $270 million by authorities in Ireland due to GDPR violations related to its WhatsApp messaging service.

So, why more than three years into the law’s existence are so many companies still struggling to comply with the regulations spelled out by GDPR? SecurityInfoWatch.com (SIW) recently caught up with Bill Mann, CEO of Styra, a developer of open-source solutions that enable businesses to define, enforce and monitor authorization policy in their cloud and IT environments, to answer this and other questions related to how organizations are accounting for GDPR regulations today.

SIW: What are some of the biggest challenges that organizations still face in trying to comply with GDPR?

Mann: The largest challenge in my mind is the ability to adhere to the Right to be Forgotten. In Article 17, the GDPR outlines that an individual has the right to have their data erased if: The personal data is no longer necessary for the purpose an organization originally collected or processed it.

Where this becomes infinitely difficult for any organization is the ability to pinpoint a specific person's data (SSN, CCN, First Name, Last Name, EIN, Address, etc.). Imagine having 100s of databases that store customer data - the ability to scan databases for every Right to be Forgotten request can take months/years. Also, the ability to prove that their data has been redacted is nigh impossible.

We know that data doesn’t simply reside in databases only and is propagated throughout an organization in varying formats - which makes it an enterprise-wide undertaking.  

SIW: Are many companies just ambivalent about the law or do they genuinely not know how to bring their organizations into compliance?

Mann: I don’t think we can make any generalizations about organizations today because each individual organization and the way they have setup their infrastructure to handle sensitive data is unique. Think about when we were first coming online, we were creating a network to share information, not restrict or redact it. So, now when for decades we have created infrastructure to support the sharing of data, we then apply regulatory compliance standards to that infrastructure – you are talking about a significant amount of catching up and understanding every minute detail about your infrastructure and how that data is handled/processed from the moment you receive it. Also, these teams are understaffed, overworked, and constantly under attack, so while compliance is absolutely important, it likely is one of more than a hundred other priorities that these organizations tackle on a daily basis.

SIW: Do you think there is still a mindset among many that this law is primarily directed at large multi-national and tech conglomerates rather than small and mid-sized companies? Why is this logic flawed?

Mann: I am not sure that I have ever been of that belief or discussed that mindset with peers. This logic is indeed flawed, what we see from the more than 840 fines assessed is more smaller organizations being impacted. What we hear about in the media is more of the large organizations and the hefty fines that they face. 

SIW: Do you think the passage of things like the California Consumer Privacy Act (CCPA) and similar measures will compel U.S.-based organizations to take GDPR more seriously?

Mann: This assumes that U.S.-based organizations are not taking EU GDPR seriously. Rather, I think they are. Where I think there is room for improvement is the support that organizations need from the board-level, not just financial but also the trust that IT, security, and GRC teams are working in the best interest of customer and organizationally unique sensitive data.

SIW: What would be some of your recommendations to organizational leaders as they try to get a better grip on their data security practices and meet the standards laid out by GDPR?

Mann: I think every vendor under the sun has given their perspective on how to best deal with EU citizen or resident data. At this point, if organizations are looking to understand more about their data security practices and how those align with EU GDPR or any regulatory compliance standard – outsourcing to managed security service providers (MSSPs) is most likely the best option. For a number of reasons:

• Training someone(s) internally to triage incidents that involve sensitive data can take longer than the governing bodies will allow
• Expertise in data security and the ability to locate it within existing infrastructure is a specialized skill
• Having a third party that is not biased to your data is actually extremely beneficial when it comes to retention policies (i.e., data that has outlived its usefulness/stale data) or what is business-critical data

In addition to MSSPs being a useful resource, creating infrastructure with security (not just compliance) and privacy in mind is absolutely necessary as organizations move forward. Part of this is implementing policy-as-code for platform and application development so that regulatory compliance standards have checks and balances during the DevOps lifecycle.