We’ve been talking about the levels of panic in U.S. boardrooms over the big, scary GDPR, which is now here and has been ruling data privacy with an iron fist all summer. Journalists at places like Inside Big Data have reported “Y2K-levels of hysteria” as American businesses try to read the tea leaves, or, convinced of the GDPR’s teeth, take quick steps like appointing Data Protection Officers and figuring out who their Supervisory Authority is.
The GDPR went into effect this May, and it is now mandatory for companies to comply. This has U.S. companies wondering about how they can quickly scale this “Mount Everest” of regulation, and what happens if they don’t.
Key GDPR Requirements
The GDPR is directing change in U.S. companies in some big ways.
It’s leading businesses to change staffing models, with the creation of specific DPO liaisons, and it’s leading to a lot of IT procurement in order to satisfy its mandatory reduction of dwell time to under 72 hours for any hack that constitutes a data breach. The GDPR makes it even easier for a lone wolf hacker or international bad actor to induce bone-chilling fear in a CTO.
Also, as pointed out in other coverage of the new law, the GDPR, by expanding the rights of individual consumers, is introducing new “unfunded mandates” in terms of accommodating customers. Take the infamous “right to be forgotten” enshrined in Article 17 – that’s great for consumers, but it’s a tall order for a business that may not be able to act on a dime and erase all of the data it has collected.
When it comes to the pipeline, and the bare metal underneath it, the hard and fast data handling requirements of the GDPR are impacting U.S. firms. ComputerWeekly helps shed light on how this regulation is going to force an enterprise to re-think its storage system, describing such lofty aims as application-to-storage mapping and end-to-end encryption. To paraphrase, encryption must be done whenever it can – but what about when it can’t?
The Enforcers
There's also another major aspect of the GDPR that is confounding American companies. Those are the elements of the rule that have to do with direct enforcement of cybersecurity, which is one pillar of the GDPR, and privacy, which is the other.
To be GDPR compliant, companies have to register with an entity called a ‘Supervisory Authority’ – and this is where things get tricky. For companies in E.U. member states, the chain of authority is clear. They register in that country.
For a U.S. company that serves customers in one or more Eurozone states, it gets more difficult to figure out how to report to the Supervisory Authority as specified in the law, and how that channel of communications will work.
In that context, let's look at some of the security strategies companies are using to adapt.
The Value of Software-Defined Access
U.S. companies are continually getting more nervous about malware, spearphishing, Trojan horses and all sorts of hacking. Again, that’s partly because of the new threats they face from EU regulators if anything goes wrong.
Just in time, another new cutting-edge cybersecurity innovation is appearing on the horizon. It's the idea of isolation or software-defined access.
In this new paradigm, network traffic isn't allowed to just stream in from the Internet and penetrate a firewall. There is a specific software vetting process that goes on in the outer layer of the network. This idea had its genesis in the software-defined networking concept, where more of what the network did started to be automated.
These days, companies can utilize software-defined access services that will effectively contain and isolate all incoming traffic until it's thoroughly evaluated, monitored and authorized – and then it can make its way into the network. It's easy to see the evident cybersecurity benefits of this kind of policy. Companies no longer need to fear that random malware attack or version exploit.
What does this have to do with the GDPR? Well, companies that don't have these kinds of services in place have a very real and present data breach threat. Hacking is taking down big companies one by one, and wreaking havoc in various industries, for example, in retail and in finance, where a breach can have disastrous results such as identity theft.
By contrast, a company that has a software-defined access infrastructure can be virtually guaranteed that many of the most common types of hacking will not result in a data breach. As a result, its data breach plan can be much simpler and much more of a theoretical safeguard than a very immediate concern. That can help with mandatory reporting and all sorts of other cybersecurity goals and objectives.
For more information, contact Safe-T about its software-defined access services.