Safer, Cheaper and Defter

Why must companies comply with GDPR policies?

Blog Safer, Cheaper and Defter

| 4 min read

Contact us

May of this year marked the third anniversary of one of the most important legislative implementations of the last decade: The General Data Protection Regulation (GDPR). In Fluid Attacks, we have talked a little about what GDPR is, but today we want to dedicate a particular blog post to talk about what it has achieved, why it is essential and, above all, how it has affected you directly.

gdpr-logo

Figure by SNEL.

What is the GDPR?

The GDPR "is the backbone of the EU’s data protection and privacy legislation." Its main objective is to strengthen privacy laws across the European Union to fit the digital age. This legislation updated and unified data privacy laws, by replacing the 1995 EU Data Protection Directive, a policy designed for the last millennium.

The law was published in the European Parliament legislative act 679 on 27 April 2016. Its main premise is that "the protection of natural persons in relation to the processing of personal data is a fundamental right." Before its creation, the running data protection standard law was the 1995 EU Data Protection Directive. Rules established there did not have a global or general range, but they must be “ implemented through national legislation.” Previously, personal information management legislation was not standardized, though there were some guidelines. Before the 2000s, personal information used to be stored on massive shelves full of documents. Today most of that information is digital. Therefore, it is urgent to establish rules of the game for large companies that privately store data.

As we shared in our GDPR Compliance section, this policy was approved by the European Parliament on 14 April 2016 and went into effect on 25 May 2018. Almost the entire approach revolves around a set of rules designed to protect personal information from unnecessary risks by specifying how companies should store, handle and share such data. It was approved by the European Union (EU) and the European Economic Area (EEA). The regulation applies to companies that have operations in the EU and that process personal data. Besides, it doesn’t matter if the holding company activities take place in the Union or not. Any company in the world with customers or employees in the EU must comply with GDPR.

GDPR requires organizations to understand better what data their businesses have and how it is stored. In another blog post, we talked about this when we explained the controversy over the opening of the Apple Data Center in Guizhou, China. The point is that this increased understanding proactively helps streamline detection and response in the event of a costly security incident (like a data breach). Of course, beyond the legal need to comply with the standards called for by the GDPR, there is a necessity to make companies safer from cybersecurity breaches.

GDPR compliance

A company committed to GDPR compliance proactively identifies vulnerabilities and prepares autonomously to validate the security of their trade of personal data. One of the ways in which companies would fulfil the GDPR’s privacy requirements would be by reducing the amount of unneeded information. In this sense, companies "shouldn’t hold data they don’t need for longer than they need." This strengthens the company’s security and reduces storage costs, as there is less data to store.

Get started with Fluid Attacks' Security Testing solution right now

Along with these commitments, the company must (a) identify personal data and evaluate their access permission, (b) corroborate that they are asking for explicit consent to use others information, and (c) be sure to process data following legal support. Besides, they must strengthen security, reduce risks of attacks, and transmit trust. One such situation is the regulation of passwords. Nowhere in the document is a rule that explains what kind of security filters a password should have.

However, that doesn’t mean it’s a minor issue or that you can’t establish a rule of your own that is in line with what the GDPR requires. The Hacker News, for example, recently published a list of recommendations that should be considered "to create a GDPR compliant password policy." Their most important recommendations are (a) avoid secret questions, (b) consider implementing multi-factor authentication (MFA), and (c) "use a 3-rd party tool to help your password policy reach your entire end-user directory."

Fluid Attacks's GDPR compliance

For example, we at Fluid Attacks use Okta as our identity management platform. It allows us to give access to applications without disclosing credentials and maintaining the least privileged approach. It is a very comprehensive tool because it supports MFA by using a one-time password (OTP). Every half minute, it generates a new OTP. You can also send push notifications to your trusted device (usually your phone) through its Okta Verify app. Finally, because you must use your phone to sign in to the Okta Verify app, it enforces biometric MFA for both face and fingerprint (if the device supports it).

At Fluid Attacks, we recognize the difficulty many companies have to be up-to-date with every standard. It is not because they don’t want to be updated, but because those standards are always evolving and adapting to new day’s challenges. That’s why, when we offer security alternatives, we always offer services to determine if your company complies with this type of security requirements. To achieve this, not only do we care to fully understand the core points of standards such as GDPR, but we strive to disseminate them and explain them to our customers, and to the general public.

GDPR personal data

Figure by TechTarget.

Problems with GDPR?

Finally, it should be noted that GDPR has not been exempt from controversy. On 1 July, Johannes Caspar, a leading German regulator who worked for more than ten years at the helm of the Hamburg data protection commission, stepped down. His disillusionment with the EU’s General Data Protection Regulation stemmed from the fact that the policies allow, precisely, security weaknesses and flaws.

In a Bloomberg report, Caspar said:

The basic model of the procedure set up by GDPR has massive flaws and it just can't work. You can't accept this in the long term. The problem is what use are these laws to the people if they're not being applied?"

His criticism is based in two situations. First, companies that did not comply with GDPR policies had been estimated to have penalties. These were set out in article 83 (5). It states that infringements shall be subject to administrative purposes “up to 4% of the total worldwide annual turnover." But to date, no company has come close to paying that penalty. Second, GDPR gives regulators lots of room for interpretation" of the rules. Which makes it onerous to verify law enforcement.

Precisely, to fulfill the GDPR purpose, a change in the appropriation of individuals and companies of these policies is required. They should not be seen as an imposition but as guidelines to preserve data security and privacy. That is why you should take GDPR seriously as a guide to strengthen your security and save money.

At Fluid Attacks, we are specialized in cybersecurity through Pentesting and Ethical Hacking. For more information, don’t hesitate to Contact us!

Subscribe to our blog

Sign up for Fluid Attacks' weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Clay Banks on Unsplash

Protecting your PoS systems from cyber threats

Photo by Charles Etoroma on Unsplash

Top seven successful cyberattacks against this industry

Photo by Anima Visual on Unsplash

Challenges, threats, and best practices for retailers

Photo by photo nic on Unsplash

Be more secure by increasing trust in your software

Photo by Dmitry Ant on Unsplash

How it works and how it improves your security posture

Photo by The Average Tech Guy on Unsplash

Sophisticated web-based attacks and proactive measures

Photo by Randy Fath on Unsplash

The importance of API security in this app-driven world

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial
Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.