10 Security Experts On The Biggest Danger Businesses Face From GDPR

Highway To The Danger Zone

The General Data Protection Regulation was adopted by the European Union in April 2016, with enforcement slated to begin Friday. The rule aims to give EU citizens and residents greater control over how their personal data is used.

Stringent breach notification requirements, getting a handle on unstructured data, and carrying out a user's right to be forgotten while guarding against misuse are some of the biggest obstacles all companies will have to overcome to remain in compliance with GDPR.

Under GDPR, organizations may find they're being audited as part of another company's supply chain or may have to deal with the public-relations fallout from trying to cover up a bad incident. They also will have to avoid classifying too much of the customer data they possess as being critical to the business.

From being unable to quickly delete customer data to having to disclose breaches before understanding the full scope, here's what 10 vendor and solution provider CEOs and technical leaders said are the biggest risks businesses face from GDPR.

Audits That Result From Being Part Of A European Firm's Supply Chain

The real short-term risk around GDPR is when an audit of a business takes place because it is part of a European company's supply chain, according to Chris Koch, director of regional channel sales in North America at Austin, Texas-based Forcepoint.

If a business is unable to demonstrate privacy by design and that the proper controls are in place, Koch said it risks getting booted out of the supply chain since it is putting another company at risk of not being GDPR-compliant.

If a business fails to do an audit of its supply chain and there's a breach that began with one of its suppliers, Koch said the business is still on the hook for the fine.

Bad Actors Using Data Purging Rights To Cover Up Their Tracks After A Crime

Users asking to have their data purged could be covering up evidence history or a data trail that potentially could be used to capture them if they were engaging in malicious behavior, according to Morey Haber, chief technology officer at Phoenix-based BeyondTrust.

If people methodically ask companies to purge their information after engaging in criminal behavior, Haber said this could result in the erasure of the digital forensics needed to find and prosecute the bad actor.

"It makes it hard for the police or law enforcement if the data isn't there," Haber said.

Organizations need to be allowed to keep seat information, cell records, forensic data or some type of audit trail so that law enforcement has something to retrieve if necessary, Haber said.

Being Unable To Quickly Or Easily Delete Customer Data

The requirement to be able to delete data from an account or delete the account altogether upon a user's request will be a significant challenge for companies, said Nick Caley, vice president of financial services and regulatory at San Francisco-based ForgeRock.

Following a data breach, organizations will face thousands of requests from users to have their data deleted, which Caley said will be very difficult to do since they're also attempting to recover from a cyberattack. The process is also bound to be very time-consuming and manual if functions haven't been automated, Caley said.

Organizations can automate their master data management capabilities by synchronizing personal data into one master identity record, Caley said. This should make it a lot more straightforward for companies to delete user data within a very short time frame, according to Caley.

Classifying Too Much Data As Being Critical To The Business

Companies will try to resist requests to delete a user's personally identifiable information by deeming it critical to regulatory support and the ongoing sustainment of the business, according to Derek Small, founder and CEO of Calgary, Alberta-based Nulli Identity Management.

These companies will often try and claim that a user's data is secure since it has been encrypted, Small said.

Organizations operating in the European Union tend to be pretty on top of regulations, Small said, but things start to break down when they try to reapply the same procedures to their own operations in the U.S., Canada or other non-European location.

Having To Disclose Breaches Before Understanding The Full Impact

Once there's recognition that something bad has happened, organizations like to get everything closed off and understand the scope of the problem before publicly announcing it, according to Paul Trulove, chief product officer at Austin, Texas-based SailPoint. As a result, Trulove said there's often a long gap between when a breach is detected and when it's announced both internally and externally.

Trulove expects any fines that come based on GDPR to result from people not doing a good job of adhering to the timely disclosure portion of the regulations.

Organizations can speed up their response capabilities by running through cross-functional breach simulation scenarios and figuring out how everyone from legal and IT to marketing and public relations will respond, according to Trulove.

Notifying Authorities Of A Breach Within 72 Hours

Breaches historically have been kept more quiet than they'll need to be in a GDPR world, with companies remaining mum for months or even years after they've been hit, according to Barry Scott, CTO of EMEA for Santa Clara, Calif.-based Centrify. But now, Scott said they'll be required to give notification much more quickly.

"It is going to be a change for people to notify of breaches within 72 hours," Scott said. "And it's going to be quiet challenging for them to do so."

Scott expects to see businesses focus more on the technology needed to stop breaches in the first place so that they don't have to go down this road at all. Organizations can reduce the likelihood of attacks through common vectors such as phishing by adding multi-factor authentication, Scott said, and minimize the impact of any breach that does occur by restricting user and administrator privileges.

Relying On Reporting Rather Than Prevention Tools To Deliver Compliance

Reporting tools often give organizations a sense of security that they would have a way to go back, review and manage something bad that has happened, according to Jaimin Patel, director of product management for provisioning at Lexington, Mass.-based Imprivata.

But reporting after the fact isn't the same as preventing the access that caused the damage in the first place, Patel said. Proactive monitoring is still important for knowing what's going on so that an organization can take action right away, according to Patel.

Patel said identity governance and access management tools will make it easier for companies to proactively take steps to avoid being attacked. For instance, Patel said these tools might require additional or multi-factor authentication for a physician that's outside a hospital and attempting to access patient data.

Reputation Hit If Regulators Decide To Publicize A Breach

Some companies in the U.S. are banking on the fact that they don't think GDPR can be enforced against them since the international jurisdiction piece hasn't yet been figured out, according to Jeremy Wittkop, chief technology officer at Greenwood Village, Colo.-based InteliSecure. Specifically, Wittkop said these businesses believe they can't be taken to court in Europe if they're a U.S.-based entity.

But GDPR ensures the right to collect and publicize information about a breach, Wittkop said. Businesses therefore need to not only look at the legal ramifications of this, Wittkop said, but also the public-relations nightmare that could result from being noncompliant.

Understanding Who Has Access To Sensitive Information

Organizations need to understand how vulnerable they are and strengthen controls to ensure they're giving access to the right people at the right time, according to Nupur Goyal, product marketing manager at Ann Arbor, Mich.-based Duo Security.

Today, Goyal said many organizations lack an understanding of how many unmanaged devices are accessing their information, as well as the number of people using their roles to access an application.

It's really important for companies to understand who has access to what, Goyal said. Organizations should use GDPR as an opportunity to put controls in place to restrict access of people who don't need visibility into particular applications, according to Goyal.

Wrapping A Company's Arms Around Unstructured Data

North American customers have primarily focused their GDPR compliance efforts around systems such as Salesforce or others that have structured data sets, according to Dave Packer, vice president of product and alliances marketing for Sunnyvale, Calif.-based Druva. But Packer said the reality is that companies retain information from lots of unstructured data sources as well.

As recently as a half-decade ago, Packer said employees typically kept corporate data locally on their machines or had file shares or folders within the company's own systems. But nowadays, employees are relying on Box, Salesforce, Google, Office 365 or other third-party applications, which is creating a big hole for companies.

This has created a challenge as far as GDPR is concerned, with unstructured data spread across a much broader data landscape, Packer said. As a result, Packer said IT companies have struggled to get their arms around the data even though they're responsible for stewarding it to remain in compliance with GDPR.