Safer, Cheaper and DefterWhy must companies comply with GDPR policies?
May of this year marked the third anniversary of one of the most
important legislative implementations of the last decade: The General
Data Protection Regulation (GDPR). In
Fluid Attacks, we have
talked a little about what GDPR is, but today
we want to dedicate a particular blog post to talk about what it has
achieved, why it is essential and, above all, how it has affected you
Figure 1. Figure by SNEL
What is the GDPR?
The GDPR "is the backbone of the EU’s data protection and privacy legislation." Its main objective is to strengthen privacy laws across the European Union to fit the digital age. This legislation updated and unified data privacy laws, by replacing the 1995 EU Data Protection Directive, a policy designed for the last millennium.
The law was published in the European Parliament legislative act 679 on 27 April 2016. Its main premise is that "the protection of natural persons in relation to the processing of personal data is a fundamental right." Before its creation, the running data protection standard law was the 1995 EU Data Protection Directive. Rules established there did not have a global or general range, but they must be “ implemented through national legislation.” Previously, personal information management legislation was not standardized, though there were some guidelines. Before the 2000s, personal information used to be stored on massive shelves full of documents. Today most of that information is digital. Therefore, it is urgent to establish rules of the game for large companies that privately store data.
As we shared in our GDPR Compliance section, this policy was approved by the European Parliament on 14 April 2016 and went into effect on 25 May 2018. Almost the entire approach revolves around a set of rules designed to protect personal information from unnecessary risks by specifying how companies should store, handle and share such data. It was approved by the European Union (EU) and the European Economic Area (EEA). The regulation applies to companies that have operations in the EU and that process personal data. Besides, it doesn’t matter if the holding company activities take place in the Union or not. Any company in the world with customers or employees in the EU must comply with GDPR.
GDPR requires organizations to understand better what data their businesses have and how it is stored. In another blog post, we talked about this when we explained the controversy over the opening of the Apple Data Center in Guizhou, China. The point is that this increased understanding proactively helps streamline detection and response in the event of a costly security incident (like a data breach). Of course, beyond the legal need to comply with the standards called for by the GDPR, there is a necessity to make companies safer from cybersecurity breaches.
A company committed to GDPR compliance proactively identifies vulnerabilities and prepares autonomously to validate the security of their trade of personal data. One of the ways in which companies would fulfil the GDPR’s privacy requirements would be by reducing the amount of unneeded information. In this sense, companies "shouldn’t hold data they don’t need for longer than they need." This strengthens the company’s security and reduces storage costs, as there is less data to store.
Along with these commitments, the company must (a) identify personal data and evaluate their access permission, (b) corroborate that they are asking for explicit consent to use others information, and (c) be sure to process data following legal support. Besides, they must strengthen security, reduce risks of attacks, and transmit trust. One such situation is the regulation of passwords. Nowhere in the document is a rule that explains what kind of security filters a password should have.
However, that doesn’t mean it’s a minor issue or that you can’t establish a rule of your own that is in line with what the GDPR requires. The Hacker News, for example, recently published a list of recommendations that should be considered "to create a GDPR compliant password policy." Their most important recommendations are (a) avoid secret questions, (b) consider implementing multi-factor authentication (MFA), and (c) "use a 3-rd party tool to help your password policy reach your entire end-user directory."
Fluid Attacks’s GDPR compliance
For example, we at
Fluid Attacks use
Okta as our
identity management platform. It allows us to give access to
applications without disclosing credentials and maintaining the least
privileged approach. It is a very comprehensive tool because it supports
MFA by using a one-time password (OTP). Every half minute, it
generates a new OTP. You can also send push notifications to your
trusted device (usually your phone) through its Okta Verify app.
Finally, because you must use your phone to sign in to the Okta Verify
app, it enforces biometric MFA for both face and fingerprint (if the
device supports it).
Fluid Attacks we recognize the difficulty many companies have to be
up-to-date with every standard. It is not because they don’t want to be
updated, but because those standards are always evolving and adapting to
new day’s challenges. That’s why, when we offer security alternatives,
we always offer services to determine if your company complies with this
type of security requirements. To achieve this, not only do we care to
fully understand the core points of standards such as GDPR, but we
strive to disseminate them and explain them to our customers, and to the
Figure 2. Figure by TechTarget
Problems with GDPR?
Finally, it should be noted that GDPR has not been exempt from controversy. On 1 July, Johannes Caspar, a leading German regulator who worked for more than ten years at the helm of the Hamburg data protection commission, stepped down. His disillusionment with the EU’s General Data Protection Regulation stemmed from the fact that the policies allow, precisely, security weaknesses and flaws.
In a Bloomberg report, Caspar said:
"The basic model of the procedure set up by GDPR has massive flaws and it just can’t work. You can’t accept this in the long term. The problem is what use are these laws to the people if they’re not being applied?"
His criticism is based in two situations. First, companies that did not comply with GDPR policies had been estimated to have penalties. These were set out in article 83 (5). It states that infringements shall be subject to administrative purposes “up to 4% of the total worldwide annual turnover." But to date, no company has come close to paying that penalty. Second, GDPR gives regulators lots of room for interpretation" of the rules. Which makes it onerous to verify law enforcement.
Precisely, to fulfill the GDPR purpose, a change in the appropriation of individuals and companies of these policies is required. They should not be seen as an imposition but as guidelines to preserve data security and privacy. That is why you should take GDPR seriously as a guide to strengthen your security and save money.
Ready to try Continuous Hacking?
Discover the benefits of our comprehensive Continuous Hacking solution, which hundreds of organizations are already enjoying.