10 Security Experts On What The Industry Doesn't Get About GDPR

Cutting Through Conventional Wisdom

Dialogue around GDPR is too focused on the maximum allowable fines, exposure within departments like human resources and finance, the impact to financial services firms, and marketing departments getting crippled, according to thought leaders in the identity management and data protection space. The regulation was adopted by the European Union in April 2016, with enforcement slated to begin Friday. The rule -- which stands for the General Data Protection Regulation -- aims to give EU citizens and residents greater control over how their personal data is used.

Users will find that the right to have their data purged isn't applicable in all situations, while organizations will find themselves constrained on what information they can share with third parties even when the customer has consented to some data collection.

From the lack of a grace period to the need to avoid static compliance checklists, here's what 10 vendor and solution provider CEOs and technical leaders said are the biggest misconceptions around GDPR.

The Business Costs Of A Data Breach Are Far Greater Than Any Fine GDPR Can Levy

The cost of a data breach to a company's reputation, customer relationships, and intellectual property greatly exceeds any punishment authorities can pursue under GDPR, according to Marcus Brown, vice president of global channels for Waltham, Mass.-based Digital Guardian.

The architects of GDPR rely on fines to help incentivize businesses to behave in ways that better protect citizen data, Brown said. But despite all the talk about fines, Brown said the actual risk associated with losing data and intellectual property is much more damaging.

A data protection program can help businesses protect their information and get in line with compliance requirements such as GDPR, Brown said.

Compliance Isn't A One-Time Exercise

Being able to check a bunch of compliance boxes when the first day of GDPR enforcement rolls around isn't enough, according to Tim McIntyre, associate general counsel and data protection officer for San Francisco-based Okta.

"It's not a crash diet," McIntyre said. "It's a lifestyle change, and companies need to view it that way."

Instead, businesses must commit to doing all the necessary work to stay in compliance with GDPR beyond when enforcement goes live on May 25, according to McIntyre. And the stakes will only increase in the years ahead as other jurisdictions around the world pass legislation that's similar to or expands upon the key principles set forth in GDPR.

"I think it will be a landmark piece of legislation," McIntyre said.

Consent Requirements Will Actually Make Things Better For Marketing Leaders

Marketers fear that the stringent consent requirement around GDPR – which requires customer permission for emails of a promotional nature – will result in them losing all of their ability to talk to customers, according to Jim Kaskade, CEO of Portland, Ore.-based Janrain.

But when a user provides consent in context, Kaskade said it makes it possible for companies to become more relevant to the end users. Users that only receive messages they've consented to will be more trusting and likely to transact with the business, according to Kaskade.

Although companies will no longer be able to contact some of the consumer identities they've acquired, Kaskade said the customers they care about the most are more likely to engage.

"At the end of the day, the CMO is not going to lose out," Kaskade said.

Even The Data That Firms Are Allowed To Collect Will Have Usage Restrictions

The idea of purging data when it's no longer needed has proven to be a different concept for organizations to wrap their heads around, particularly when it's in a data warehouse and being shared with third parties for mining purposes, according to Morey Haber, chief technology officer at Phoenix-based BeyondTrust.

For instance, Haber said most supermarkets are using loyalty cards to harvest information around what customers are buying and when they're buying it. But when it comes to sharing that data with the meat packer or cereal box manufacturer, Haber said grocery stores will likely find themselves more restricted than they imagined.

To address this issue, Haber said businesses need to inventory and tag their data so that they know where their sensitive data is and whether or not it contains the personally identifiable information (PII) that GDPR is most interested in.

Healthcare Organizations Will Be More Deeply Affected Than Financial Services Firms

If credit card information gets stolen and posted on the dark web, it's only worth cents on the dollar, according to Jaimin Patel, director of product management for provisioning at Lexington, Mass.-based Imprivata. But if patient records are stolen from a healthcare organization and end up on the dark web, Patel said each record would be worth tens of hundreds of dollars.

A stolen credit card can only be used so many times before the bad actor gets caught, Patel said. But patient records can indicate that a well-known figure is having a health issue that impacts their performance, livelihood or life expectancy, Patel said, allowing bad actors to, for instance, sell a company's stock if they know the CEO is going to be leaving due to an illness.

"Anytime somebody thinks about a data breach, they think about money," Patel said. "They don't think about patient records or patient data."

IT Administrators Could Find Themselves In The Crosshairs Of Regulators

Lots of the attention around GDPR has been focused around the end users since they're the ones processing the data, according to David Higgins, director of customer development, EMEA for Newton, Mass.-based CyberArk.

But the hidden layer of any organization is the IT administrators, since they have access to the data needed to keep the lights on and the systems running, Higgins said. For this reason, Higgins said attackers looking to steal data often target IT administrators rather than human resources or finance leaders, since the former usually have access to more valuable data.

For instance, Higgins said a database administrator will likely have access to multiple databases that contain personally identifiable information, which has implications as far as GDPR is concerned. Organizations need to move from having this visibility unmanaged or uncontrolled to ensuring that IT administrators only have access at the right time for the right reasons.

Regulators Aren't Looking To Levy The Top Fine For Minor Mistakes

So much fear-mongering has taken place around the maximum GDPR fine of 20 million Euros or 4 percent of annual revenue that businesses now erroneously believe that regulators are going to come in, look for any minor issue of non-compliance, and fine the company as much as they possibly can, according to Jeremy Wittkop, chief technology officer at Greenwood Village, Colo.-based InteliSecure.

But the commission overseeing GDPR has stated from the beginning that these big fines are only for companies that are willfully non-compliant, Wittkop said. People who are trying are more likely to see a much smaller fine or a more collaborative effort to become compliant, according to Wittkop.

Organizations behind on GDPR should therefore do the easy stuff now, such as gathering consent on web-based forms, Wittkop said, and then identify any gaps they have in their ecosystem and build a documented plan to fix those gaps.

A Static Checklist Won't Help Organizations Remain In Compliance

Using a static checklist to assess GDPR compliance when dealing with a dynamic IT environment and a security landscape that's changing daily is a non-starter, according to Matt Smith, vice president of worldwide channels for Ann Arbor, Mich.-based Duo Security.

Far better is adopting a risk-based framework that understands how critical applications are being accessed and assesses the risk posture for applications, users and devices, Smith said. This provides organizations with a more holistic view of security, access control, and how to maintain compliance in a versatile way that doesn't have a company re-architecting every three months, Smith said.

Organizations should therefore use GDPR as an impetus for having crucial conversations about what it means to have effective data privacy and security within a company, according to Kendra Mitchell, Duo's assistant general counsel.

There Will Be No Grace Period After The Enforcement Deadline

Many businesses believe that GDPR begins on May 25, which isn't really true, according to Paul Kendall, advisory service principal at Houston-based Accudata Systems, No. 200 on the 2017 CRN Solution Provider 500. But GDPR has actually been in effect since April 2016, Kendall said, with companies given a two-year window to work through compliance issues.

Many US companies, however, believe there will still be a grace period beyond May 25, even though the European Union has said otherwise, Kendall said. Having said that, Kendall believes it's unlikely any smaller company will fall under GDPR scrutiny right away unless they suffer a breach.

Kendall said the European Union is likely to begin GDPR enforcement by auditing certain larger American companies that have been a focus of their ire.

Users Will Struggle With Getting Firms In Highly-Regulated Areas To Delete Their Data

An interplay exists between GDPR and other existing regulations that require the retention of records, according to Greg Wolfond, founder and CEO of Toronto-based SecureKey Technologies. Specifically, Wolfond said that GDPR isn't intended to tell banks or telecom companies to get rid of user data since they're already under regulation as to what they can and cannot do with data.

GDPR is much more focused on how organizations use and share customer data and what they're allowed to share with or without a user's consent. For instance, Wolfond said banks have a legal obligation to maintain records for a certain period even for customers who have closed their accounts, since tax authorities or other parties might come in.

The regulation is more focused on getting customer consent for sharing user information with third parties, according to Wolfond.