Optimism over GDPR preparedness may be unfounded
On May 25th, the EU’s General Data Protection Regulation (GDPR) will come into effect. Businesses operating in or with the EU have had just over two years to prepare since the regulation was approved in April 2016.
A February 2018 survey by EfficientIP shows an optimistic attitude toward compliance: 84% of US businesses and 74% of UK businesses are confident that they are prepared for compliance. This is in stark contrast to last year, when a Varonis survey revealed that 75% of respondents across the UK, US, France and Germany thought they would “face serious challenges” in complying with the GDPR.
Most data compliance until now has centred around ‘PII’, Personally Identifiable Information. This is an accepted legal term, particularly in America, for information which can identify a specific individual: a phone number, an email address or a social security number, for example. The GDPR does not use the term PII at all, but instead defines “personal data” in Article 4(1) as “any information relating to an identified or identifiable natural person”. There is significant overlap between the two terms, and in most discussions they are used interchangeably, but personal data is the broader of the two: online identifiers such as IP addresses and cookie IDs can qualify as personal data even where they would not traditionally be treated as PII.
The GDPR stipulates that breaches of personal data must be reported to a supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of them, unless the breach is unlikely to result in a risk to the individuals concerned; if the breach involves a high risk to those individuals’ “rights and freedoms”, they must also be informed directly. Fines for non-compliance are up to €20 million (about $24.6 million) or 4% of a company’s annual global turnover, whichever is higher. Needless to say, this is a strong motivator for any company operating within the EU, and US businesses have spent an average of $1,417,000 preparing for the GDPR.
However, businesses may be getting overconfident. GDPR compliance requires that adequate steps be taken to prevent a data breach; but any data breach that occurs indicates, by definition, that the prevention was not adequate. Even if the breach is reported to all required parties in the correct timeframe, the onus remains on the business to prove that its prevention measures were strong and that the loss of data could not have been foreseen.
This might not sound like a huge issue. At face value, all a company has to do is process personal data as required by the regulation, employ an adequate level of protection, and report any breaches on time.
However, Ireland’s Data Protection Commissioner Helen Dixon, in an interview published by the Irish Independent, suggested that any confirmed security breach would likely be treated as a violation of the GDPR, saying: “…where a breach has occurred and it's not contested that it has occurred, there'll likely be a presumption of an infringement of the GDPR in those circumstances.”
It’s especially important to pay attention to Helen Dixon and her office’s stance on GDPR enforcement: Ireland is home to the European headquarters of many US-based corporations. Dublin’s Silicon Docks area alone houses the international HQs of such giants as Google, Facebook, Twitter, Amazon, LinkedIn and Dropbox.
She goes on to say: “One of the other things we would have to take into account is whether the controller had applied every last safeguard, state-of-the-art security measures and taken every conceivable action possible… We haven't, I suppose, come across a company to date in the course of our investigations where we could say 'Well, they've had state-of-the-art processes and systems and taken every last action that was possible.’”
This implies that a company’s best defence in the case of a data breach is to show that there was nothing more it could have done to prevent it. But taking “every last action that was possible” is, paradoxically, as good as impossible. Given the sheer quantity of data security solutions, services and products on the market, it is not financially or logistically viable for a company to implement every last one of them. In the event of any breach there will always be “something” more that could have been done.
Even with high security, there are many potential breaches that can never reliably be predicted. It might be relatively easy to show that a company is protected from external attacks, like ransomware or phishing, but breaches originating from employees are much less transparent. The 2015 Grand Theft Data study found that 43% of data breaches were caused by employees, half by accident and half on purpose. Even with data protection training in place, accidental breaches are next to impossible to detect or prevent: it only takes a single staff member sending personal data out over email, uploading it to shadow IT, or taking it out of the building on a physical device like an unencrypted laptop or storage drive, and the data is no longer secure. A single slip-up by an individual, or a single missed patch by IT (think Equifax), and the company is accountable under the GDPR.
In security terms, the only way for a company to prepare for a breach is to be ready to respond to it when it inevitably happens. With the GDPR in effect, though, response alone is not enough for compliance. Businesses could be facing millions in fines for every failure; 75% of respondents in the 2017 Varonis survey believed that these fines could be crippling for some organizations.
If the cybersecurity industry cannot adapt to the GDPR by providing perfect, watertight security (and it cannot), then businesses will have to adapt to the seemingly inevitable GDPR violations in some other way.
In the next blog, we’ll examine whether cyber insurance is the best, if not only, method of preparing for GDPR.