
GDPR: Restoring Faith in Data Privacy

Data protection is a hot topic, especially after the Facebook and Equifax debacles. However, it has always been the subject of serious attention by enterprise security executives and compliance officers.

The Facebook and Cambridge Analytica scandal is a good example of the consequences of misusing data, and it reminds us of the need for strong data protection law rather than self-regulation or guidelines. The dilemma of government control vs. private control over personal data has always been a matter of debate and will continue to be so. GDPR, however, brings a set of checks and controls on the organisations that hold and process personal data.

GDPR (General Data Protection Regulation) will play a crucial role for both organisations and consumers by helping to restore the faith lost in organisations that use personal data. It imposes strict rules on organisations and backs them up with potentially serious consequences for non-compliance and violations. GDPR compliance demands more than basic data-loss prevention or post-loss breach reporting. It also requires organisations to put pre-defined procedures and precautionary measures in place to prevent data loss in the first place: Article 32 requires technical and organisational measures appropriate to the risk, including a process for regularly testing, assessing and evaluating their effectiveness, so that known vulnerabilities are found and fixed before they are exploited.

GDPR enforcement: When and on Whom?

  • Starting 25th May 2018, GDPR is enforced on all organisations established in the European Union (EU), regardless of where the processing itself takes place, and on organisations based elsewhere that offer goods or services to individuals in the EU or monitor their behaviour (Article 3). In practice, any organisation that processes, stores or transmits personal data of individuals in the EU must comply with GDPR irrespective of where it is based. Note that the test is where the data subject is, not citizenship.
  • The regulation replaces Data Protection Directive 95/46/EC and adds clauses and checkpoints that are considerably stricter than the Directive. Being a regulation rather than a directive, it applies directly in every member state without national transposition.
  • It also broadens the definition of personal data and the types of data that are regulated: any information relating to an identified or identifiable person, explicitly including online identifiers and location data, and data on a person's genetic, physical, mental, economic, cultural or social identity. Genetic, biometric and health data are "special categories" with additional restrictions (Article 9).
  • Applicability does not depend on how well an organisation already protects data. What supervisory authorities evaluate is whether the organisation's data protection practices and its overall level of security are appropriate to the risk of the processing it carries out; a weak security posture is a finding against a covered organisation, not a reason for it to fall outside the regulation.

Key GDPR challenges

Key challenges with the new regulation:

  • The regulation is long and complex: 99 articles and 173 recitals which, broken down into discrete obligations, amount to several hundred requirements affecting governance and cyber-security.
  • It is mandatory for controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Article 33); where the risk is high, affected individuals must also be informed without undue delay (Article 34), and processors must notify their controller without undue delay. This demands better breach detection and fast response capabilities. However, many organisations currently struggle to identify and investigate breaches within that window: visibility gaps delay investigations, and non-standardised processes and a lack of effective analytics for detecting anomalies stretch the timeline further. The clock starts at awareness, so an organisation that cannot tell when it became aware cannot demonstrate compliance either.
  • GDPR must be built in from the initial development stage of an application. Article 25 requires data protection by design and by default, and Article 32 requires security appropriate to the risk, including regular testing of its effectiveness. In practice this means developers must test for vulnerabilities, since application vulnerabilities can lead to accidental or unintentional data loss. Application developers need to reconsider risk and privacy during the design process, and security professionals need to find better ways to protect the applications already in use today.
  • Administrative fines apply across all 28 EU member states and are tiered (Article 83): up to €20 million or 4 percent of the company's total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious infringements, and up to €10 million or 2 percent for others. Hence, even small companies face serious exposure in the event of a violation. The regulation singles out, among others:
    1. Penalties for non-compliance with the conditions for consent (Article 7), which fall in the upper tier.
    2. Penalties for failing to maintain records of processing activities (Article 30), which fall in the lower tier.
    3. Penalties that apply to both controllers1 and processors2. Hence cloud providers are not exempt, since they are typically data processors.
  • Adopting these regulations will not only increase the overall cost of data management and cloud services for organisations, but can also increase the cost of IoT services per device, which until now has been relatively low. IoT vendors, and the large Chinese global players in particular, will need to ensure their modules ship with embedded keys (hardware security) to support device authentication and strong cloud security.

Consumer consent: The FTC and the New Jersey Attorney General brought a case against Vizio for snooping on users' viewing habits, and it settled for only $2.2 million. Under GDPR, the penalties and implications of such a scenario would be far higher.

  • Starting in 2014, Vizio made TVs that automatically tracked what consumers were watching and transmitted that data back to its servers. Vizio went a step further and retrofitted older models by installing its tracking software remotely. All of this, the FTC and the New Jersey Attorney General allege, was done without informing consumers or getting their consent.
  • Vizio collected a selection of pixels from the screen and matched it against a database of TV, movie and commercial content (automatic content recognition). Vizio also captured viewing data from cable or broadband service providers, set-top boxes, streaming devices, DVD players and over-the-air broadcasts, which contributed as many as 100 billion data points each day from millions of TVs.
  • Vizio sold consumers' viewing histories to advertisers and personal viewing habits to content providers. The company even provided consumers' IP addresses to data aggregators, who then matched the address to an individual consumer or household. Vizio's contracts with third parties prohibited re-identification of consumers and households by name but permitted a host of other personal details to be attached, for example sex, age, income, marital status, household size, education and home-ownership. Vizio allowed these companies to track and target its consumers across devices.
  • Vizio paid $2.2 million to settle the case, which alleged that the company was secretly collecting user data and selling it to third parties.
  • Had this case arisen in the EU under GDPR, the penalties could have been far more severe: processing personal data without a lawful basis such as valid consent falls in the upper fine tier.
Source: Federal Trade Commission v. Vizio Inc., No. 2:17-cv-00758 (C.D. Cal. 2017)
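The Vizio contracts relied on a ban on re-identification "by name" while still passing sex, age, income, marital status, household size, education and home-ownership alongside each viewing history. The following added example (written for this page, not code from Vizio, the FTC or Counterpoint) shows with a constructed, hypothetical export why that control is hollow: those attributes are quasi-identifiers, and a data aggregator holding a named record with a few of the same fields can single out a household. It also shows the check a practitioner would run before sharing such data (k-anonymity over the quasi-identifier columns) and the generalisation and suppression needed to get k above 1. All records, field names and band boundaries are assumptions for illustration.

```python
"""
k-anonymity check and linkage attack on a constructed "de-identified" viewing export.
Added example: hypothetical data and field names, not Vizio's format or data.
"""
from collections import Counter

# The attribute types the FTC complaint lists as passed to third parties.
QUASI_IDENTIFIERS = ("sex", "age", "income", "marital", "household_size",
                     "education", "homeowner")

# Constructed sample export: nine hypothetical households. "shows" stands in
# for the viewing history the export is meant to share; no names are present.
SAMPLE_EXPORT = [
    {"sex": "F", "age": 34, "income": 85000, "marital": "married", "household_size": 3, "education": "bachelor", "homeowner": True, "shows": ["News at 9"]},
    {"sex": "M", "age": 36, "income": 92000, "marital": "married", "household_size": 3, "education": "bachelor", "homeowner": True, "shows": ["Late Show"]},
    {"sex": "F", "age": 38, "income": 78000, "marital": "married", "household_size": 4, "education": "bachelor", "homeowner": True, "shows": ["Cooking Hour"]},
    {"sex": "M", "age": 31, "income": 88000, "marital": "married", "household_size": 3, "education": "bachelor", "homeowner": True, "shows": ["Sports Tonight"]},
    {"sex": "F", "age": 52, "income": 45000, "marital": "single", "household_size": 1, "education": "high_school", "homeowner": False, "shows": ["Soap Opera"]},
    {"sex": "M", "age": 55, "income": 41000, "marital": "single", "household_size": 1, "education": "high_school", "homeowner": False, "shows": ["Quiz Night"]},
    {"sex": "F", "age": 58, "income": 48000, "marital": "single", "household_size": 1, "education": "high_school", "homeowner": False, "shows": ["Garden Show"]},
    {"sex": "M", "age": 50, "income": 39000, "marital": "single", "household_size": 2, "education": "high_school", "homeowner": False, "shows": ["Crime Drama"]},
    {"sex": "M", "age": 44, "income": 120000, "marital": "divorced", "household_size": 2, "education": "master", "homeowner": True, "shows": ["Finance Weekly"]},
]

# Constructed record an aggregator might hold from a public source (hypothetical).
AGGREGATOR_RECORD = {"name": "Jane Doe", "sex": "F", "age": 34, "marital": "married", "homeowner": True}
# The same aggregator record coarsened to the bands used by generalise() below.
AGGREGATOR_RECORD_COARSE = {"name": "Jane Doe", "age": "30s", "marital": "married", "homeowner": True}


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r.get(q) for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """The k in k-anonymity: size of the smallest equivalence class (1 = someone is unique)."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singletons(records, quasi_ids):
    """Number of records that are the only member of their equivalence class."""
    return sum(1 for n in equivalence_classes(records, quasi_ids).values() if n == 1)


def link(aux, records):
    """Linkage attack: return every export row that agrees with the aggregator's
    record on all non-name attributes the aggregator happens to hold."""
    keys = [k for k in aux if k != "name"]
    return [r for r in records if all(r.get(k) == aux[k] for k in keys)]


def generalise(record):
    """Coarsen the quasi-identifiers: 10-year age bands, three income bands, and
    drop sex and household size entirely (attribute suppression)."""
    g = {k: v for k, v in record.items() if k not in ("sex", "household_size")}
    g["age"] = f"{record['age'] // 10 * 10}s"
    income = record["income"]
    g["income"] = "<50k" if income < 50000 else ("50-100k" if income < 100000 else ">=100k")
    return g


GENERALISED_IDS = ("age", "income", "marital", "education", "homeowner")


def k_anonymise(records, k):
    """Generalise every record, then suppress (drop) any record whose equivalence
    class is still smaller than k. Returns (kept_records, number_suppressed)."""
    gen = [generalise(r) for r in records]
    classes = equivalence_classes(gen, GENERALISED_IDS)
    kept = [r for r in gen if classes[tuple(r.get(q) for q in GENERALISED_IDS)] >= k]
    return kept, len(gen) - len(kept)


if __name__ == "__main__":
    print("k on raw export:", k_anonymity(SAMPLE_EXPORT, QUASI_IDENTIFIERS))
    hit = link(AGGREGATOR_RECORD, SAMPLE_EXPORT)
    print("aggregator links Jane Doe to", len(hit), "row(s):", [r["shows"] for r in hit])
    kept, dropped = k_anonymise(SAMPLE_EXPORT, 2)
    print("after generalisation + suppression: k =", k_anonymity(kept, GENERALISED_IDS), "dropped", dropped)
    print("coarse linkage now returns", len(link(AGGREGATOR_RECORD_COARSE, kept)), "candidates")
```

On the raw export every household is unique on the seven quasi-identifiers (k = 1), so the aggregator's named record matches exactly one row and recovers its viewing history without ever being given a name. Generalising ages and incomes into bands and dropping two columns raises k to 4 for eight households, but the ninth remains unique and has to be suppressed; a coarsened aggregator record then matches four rows and can no longer single anyone out. Under GDPR this matters because data that can be linked back to a person with reasonable effort is still personal data, whatever the contract says.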

Vizio settles for $2.2M over spying on smart TV consumers

What does GDPR bring to the table?

  • IoT applications and solutions generate huge volumes of data, some of which is personal data. The sustainable growth of the IoT ecosystem depends on securing this data, and GDPR will play a crucial role in making that growth orderly.
  • GDPR is raising the level of awareness of customer data protection and increasing accountability for collecting customer data, which in turn boosts confidence among consumers and the reputation of compliant organisations.
  • Standardised security policies with strict data protection practices will leave organisations better prepared, both for the requirements themselves and for their core business plans. The main goal of GDPR, however, is not only to give organisations "ready to use" guidelines but also to keep day-to-day checks on them, so that they notify data loss rather than bury it for the sake of good press.
  • The race to digitalise has already pushed many organisations to adopt cloud-based data management. However, much of this data is stored without encryption, and access to the cloud services often lacks multi-factor authentication. After GDPR takes effect, these organisations will be accountable not only for losing data but for the protocols and methods they use to protect it.
  • GDPR will not only provide a governance framework for the programme and drive technology implementation activities, but it will also become a marketing and advertising buzzword for cyber-security solution providers.

Outlook:

Data use has the power to change the viewpoint of a nation and to influence personal choices in ways that go beyond the concern of privacy. Going forward, data will be among the most valuable assets and its protection will be mandatory. Attacks aimed at acquiring data will keep increasing. Regulations like GDPR, however, ensure that organisations pay attention to security. Alongside GDPR and other compliance regimes, governments and standards bodies such as the National Institute of Standards and Technology (NIST) are stepping up privacy, safety and security guidance and requirements for IoT manufacturers. Moreover, the enforcement of GDPR has already created a ripple effect across the world: China's Personal Information Security Specification took effect on 1st May 2018, and the drafting of India's data protection law is already in motion.

The industry is still weighing the advantages and disadvantages of GDPR. We believe, however, that it will push organisations to add a level of security that some considered an unnecessary expense. Major changes in how organisations budget for data security, and mandatory staff training on data protection, will follow. Overall, GDPR will keep organisations on their toes: the potential cost of getting it wrong has just become much greater.

1 Controller (GDPR Article 4(7)) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
2 Processor (GDPR Article 4(8)) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Counterpoint Research is a young and fast-growing research firm covering analysis of the tech industry. Coverage areas are connected devices, digital consumer goods, software and applications, and other adjacent topics. We provide syndicated research reports as well as tailored ones. Our seminars and workshops for companies and institutions are popular and available on demand. Consulting and customised work on the above topics is provided for high-precision projects.
