Tech experts discuss the four-year anniversary of GDPR

Yesterday (Wednesday 25th May, 2022) marked the four-year anniversary of the enforcement of GDPR in the UK. Compliance with the EU data privacy regulation remains an ongoing challenge for organisations, as does raising cybersecurity expectations and threats to personal data.

The anniversary provides the opportunity to reflect on what has been successful since GDPR was first implemented, what needs more improvement, and how the government’s new legislation could change GDPR practices in the future.

The data challenge

From the moment GDPR was first introduced, it hasn’t always been straightforward for businesses. Ricardo Ferreira, CISO EMEA, Fortinet, outlines some of the challenges. “Organisations have found themselves in muddy waters trying to navigate their way through new policies like the Trans-Atlantic Data Privacy Framework (a replacement for the EU-US Privacy Shield), Data Governance Act and Digital Operational Resiliency Act (DORA), so not to get stung by fines for non-compliance.”

Ferreira argues that “without a holistic view and overarching strategy that takes into account all parties’ needs and concerns, we find ourselves facing a fragmentation in data policies. As such, organisations must take control and ensure they are taking the right steps to best protect their customers’ data.”

He believes that the first step in protecting data should always be “ensuring that any Personally Identifiable Information (PII) data an organisation touches is secured from the moment it enters the business’ network to the moment it leaves. This includes applying security measures and policies that can seamlessly identify, follow, and secure data as it moves between network domains and devices, as well as across the extended network.”

Paulo Henriques, Head of Cyber Security Operations, Exponential-e, shares Ferreria’s sentiment on the importance of protecting PPI, as if data is exposed, he believes “a GDPR breach would be highly likely.”

Henriques continues: “Data about each and every one of us is now being collected at a phenomenal rate, largely thanks to the rise of smart cities and buildings, powered by IoT devices that make up their infrastructure. The vast realms of data they generate are crucial to making smart cities a reality – and ultimately benefit society – but security measures must keep pace if our data is to remain secure.”

Despite we’re now four years on since the introduction of GDPR, Henriques believes the risk continues to grow as thousands of devices are added to networks without the appropriate controls. He explains: “Comprehensive data privacy and security strategies are a must for any smart city development in that context, and that’s where cyber security experts have an integral role to play. They should take the lead on engineering and embedding security management systems that mandate that all data collected from “zero trust edge devices” is moved onto secure IT platforms as soon as it’s generated.”

Encrypted traffic analysis

It’s clear data safety has been an important priority for many businesses across the country, with the risk of substantial fines looming over them. Hiten Mistry, CRO, Venari Security explains end-to-end encryption has increased worldwide as a result of GDPR. “Many companies now support TLS 1.3, a robust encryption standard that helps to provide complete end-to-end encryption. This level of encryption is essential for any company that handles sensitive data.

However, Mistry argues that while encryption has helped ensure privacy and regulatory compliance, it has also introduced a new problem for enterprises. “Those attackers that can breach an organisation’s perimeter are increasingly hiding malicious activity within legitimate encrypted network traffic. This presents a significant and challenging blind spot for security teams.”

Mistry believes that the only way organisations can hope to keep up in this environment is if they can “monitor for anomalous and potentially malicious activity in their traffic without relying on decryption.” To achieve this, Mistry explains that “security teams must shift their approach towards using encrypted traffic analysis to identify suspicious connections. Only then can they be confident that they know what is happening within their encrypted traffic flows.”

Security teams have an important role to play when it comes to managing data for GDPR compliance, but the onus shouldn’t just be on them. Adam Mayer, Director, Qlik, believes that “businesses need a clear strategy on how they can democratise employees’ access to real-time data while ensuring that the insights can be trusted and that access is appropriate to their role.”

A recent study from Qlik found that nearly all global business leaders (90%) say that data enabled them to better navigate the uncertain business environments created by the pandemic. This sentiment is also important in the context of GDPR and protecting data in the future.

Looking ahead to the future

The announcement of a new Data Reform Bill in the Queen’s Speech outlined the Government’s plans to reform GDPR legislation in the UK. On the face of what has been announced so far, the Bill aims to shift the focus of data protection legislation to privacy “outcomes” rather than, what the Government calls, administrative box-ticking.

While the policy is still to be ironed out, it could help businesses in the long term. Qlik’s Adam Mayer explains that while any immediate reduction in paperwork would undoubtedly be welcomed by businesses, the Government has a tough balancing act to walk. “People now have higher expectations regarding the protection of their personal data, so it is important that any changes to reduce compliance processes are not seen to be a weakening of data protection.”

Mayer explains that the more the new Bill diverges from the GDPR, the more barriers to trade may emerge with the EU, the UK’s largest trading partner. “This divergence may make cross-border personal data transfers with the EU more challenging, adding to the paperwork requirements for those transfers. The devil will be in the details of any final Act, but while the Government’s aims are laudable in trying to focus on outcomes, this may be perhaps best addressed through enforcement policy by the ICO, rather than any watering down of the current Data Protection Act rules.”