GDPR: More Bad News as Firms Struggle to Interpret New Law

by Bharat Mistry

The EU General Data Protection Regulation (GDPR) is a lengthy piece of legislation, even by European Commission standards. If nothing else, this drives home just how far-reaching and detailed it is. Yet many organisations currently grappling with compliance find it frustratingly short on some of the most important details. New Trend Micro research has found that confusion over some of the key terms in the legislation could mean many aren’t implementing the right cyber-security technologies to keep them compliant.

Layered security is the only way to ensure maximum threat protection, although we’d also encourage regulators to ease the compliance burden by providing more clarity to organisations.

State of the art
Part of the problem lies with the oblique language used in the GDPR. One of the most important parts of the regulation from a security perspective is Article 32, which states:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

Now, it’s true that the legislation does go on to describe these “risks” — accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to customer information. However, there’s little in the way of extra info aside from the fact that pseudonymisation and encryption technologies should be applied to the data.

This is proving to be a problem, according to a Trend Micro poll of over 1,000 IT decision makers around the globe. We found them unable to agree on what “state of the art” actually means. Here are some of the main answers:

  • Security from an established market leader (30%)
  • Products that have passed independent third-party tests (17%)
  • Products highly rated by analysts (16%)
  • Start-ups providing innovative tech (14%)
  • Not sure (9%)

Even more worryingly, 12% claimed cost is a bigger driver than “state of the art” tech.

This lack of clarity has resulted in a somewhat disjointed approach. When asked what precautions they had taken to protect customer data, a third (34%) claimed they had advanced network-level controls in place to spot intruders, but almost the same number (33%) had bought DLP in, while 31% had put encryption in place and 29% said they had hardware locked down to prevent infected USB sticks.

The 72-hour window
That’s not the only issue uncovered in the report. The GDPR mandates that organisations inform regulators about a data breach within 72 hours. Yet less than two-thirds (63%) of global organisations claimed they have a notification process in place for their customers, while a fifth (21%) said they are able to inform their data protection authority but not customers, contravening a key requirement of the regulation.

It’s clear that there’s still plenty of work to be done before organisations can feel like they’ve done enough to achieve compliance. Trend Micro advocates a layered approach to security which features a blend of threat prevention tools and techniques, all centralised to minimise admin headaches and sharing the same global intelligence. With that kind of joined-up defence-in-depth approach you stand the best possible chance of mitigating the risk of data loss — although technology must be backed up by well thought-out security policy.

In the meantime, the likes of the Information Commissioner’s Office (ICO) would do well to help organisations by clarifying some of the more nebulous parts of the GDPR. It appears to have been drafted to avoid naming prescriptive technologies, in part so that it can stay relevant for years to come, even as technology evolves. That’s all very well, but it is becoming increasingly frustrating for compliance teams.
