As the European Union’s General Data Protection Regulation (GDPR) goes into effect in just a few short weeks, companies are in high preparation mode to make sure they’re current with the new regulation. How to remain GDPR compliant is still a bit fuzzy, and the new regulation is expected to impact companies across the globe. Even if your company doesn’t reside in the EU, if you’re working with EU customers, you are still expected to stay compliant.
To gain better insight into GDPR, we reached out to technology thought-leaders and experts. We approached them with this question:
What should we be most concerned about with GDPR?
Meet our Panel of Cyber Security Experts:
Brian Rutledge, Christopher Lewis, Anthony James, Ian McClarty, Lee Barrett, Matt Middleton-Leal, Setu Kulkarni, Shridar Subramanian, Steve Durbin, Chris Olson, Charles Mudd, Gates Marshall, Susan Morrow, Craig Andrews, Paul Lanois and Lisa Parcella.
Read their responses below.
Brian Rutledge is Principal Security Engineer for Spanning Cloud Apps and a Certified Information Systems Security Professional (CISSP) with 20 years of IT security experience. His field of security expertise spans industries, but is particularly focused on SaaS application data loss prevention. Spanning works with companies around the world to help them safeguard their SaaS data, particularly for GSuite, Office 365 and Salesforce.
Response: Companies that come in contact with any data of EU citizens need to meet GDPR requirements, which are vast to say the least. One of the trickiest and most major provisions of the GDPR is The Right to Erasure (be forgotten). Many consider this directive to be the catalyst for GDPR, the one that started it all; it’s also the directive that, if complied with, drives compliance with other articles in the regulation. But, with a lack of case law around this rule, there are any number of interpretations about how to meet this provision and no checklist for organizations to follow.
Failure to meet this provision could hurt a lot of companies, but it doesn’t have to be so complicated. To get started, perform detailed data-mapping to evaluate your data collection, controlling/processing and storage workflows and policies. This is important because you may need your controller/processor to significantly change or redesign their solution for interacting with a data subject. Another step is working with partners and customers that are part of the data subject information chain to determine what policies, procedures and legal requirements should be implemented to remain compliant. Finally, get a lawyer (preferably EU legal counsel) and make sure all ideas/solutions are passed through them, as they will be a great resource for how a compliance solution/conflict could be seen by an EU Data Processing Authority.
Christopher Lewis is a veteran full-stack web developer with a knack for minimalistic solutions and thoughtfully crafted code. Lewis is the founder of GeoPeeker and Technical Director at Bluehouse Group.
Response: The issue that has me most concerned is how behind we are in the United States with regards to privacy rights and guidelines such as those contained in this new regulation. The GDPR puts a significant (but I believe long overdue) burden on American businesses large and small that have customers inside the European Union to improve their privacy practices.
To be clear, this regulation requires a costly paradigm shift, and not just in how we store user data, but also on a holistic level, and will no doubt impact how we as an industry craft web-based solutions from top to bottom going forward.
Anthony James has more than 20 years of experience in the network and security industry. Prior to CipherCloud, he was an executive at TrapX Security and Cyphort where he received consecutive coveted SC Magazine awards including Rookie Security company of the year in 2015 and Enterprise Security Platform of the year in 2016. His tenure also includes responsibility as the Executive Vice President of Products at FireEye and Vice President and General Manager for Blue Coat’s Cloud Security business unit.
Response: GDPR compliance will be especially challenging for multi-national companies running enterprise cloud applications like Salesforce, ServiceNow and SAP SuccessFactors. One of the biggest issues is how to maintain a single instance of cloud applications for global productivity while meeting EU data residency requirements. When you consider strict country-specific privacy regulations – like Germany’s – along with emerging regulations in South America and the rest of the world, CIOs have a real compliance nightmare ahead of them.
Ian McClarty holds an MBA from Thunderbird School of Global Management. McClarty has over 20 years of executive management experience in the cyber security and data center industry. Currently, he is the CEO and President of Phoenix Data Center, LLC. Phoenix Data Center, LLC employs a staff of over 600, operating in 9 separate locations: two in Phoenix; Los Angeles; Valletta, Malta; Belgrade, Serbia; Novi Sad, Serbia; Amsterdam; Singapore; and Charlotte, NC.
Response: Achieving compliance with the EU General Data Protection Regulation is by no means easy. The difficult truth of GDPR is that the European Data Commission wrote the regulation in such a way as to leave the burden of defining ‘compliance’ on the organizations it’s meant to apply to. Because of this, businesses have been left to their own devices to both identify and implement GDPR.
We saw the regulations as a looming threat we’d have to scramble to implement. However, the law is intended to protect the personal and private data of EU citizens which is a worthy endeavor. All organizations who show that they’re putting forth their best efforts to set personal data protection measures in place for themselves, need not worry about the regulations affecting their day-to-day operations or revenue.
Lee Barrett is Executive Director of The Electronic Healthcare Network Accreditation Commission (EHNAC), a federally recognized standards development organization designed to improve transactional quality, operational efficiency and data security in healthcare, where he has served in that capacity since the commission’s inception in 1993. A member of the HHS Cyber security Task Group (405d) and Chair of the National Trust Network Data Sharing and Cyber security Task Group, Barrett works on key HIT industry initiatives that lay the foundation for health information technology – including support and implementation of important healthcare legislative mandates.
Response: One of the things I’m most concerned about with GDPR requirements is the prospect of an organization being contacted and told that it has to illuminate all instances of an individual patient’s data. This is a crucial issue when considering how organizations have backed up information in the past, and what technology will have to be put into place to support this going forward. Organizations need to be able to identify and map all individual patient data that they manage, while ensuring those data management processes are effectively protected.
Matt Middleton-Leal is a Certified Information Systems Security Professional, General EMEA Manager at Netwrix, the company that introduced the first visibility platform for user behavior analysis and risk mitigation in hybrid IT environments. Netwrix is based in Irvine, CA.
Response: I am most concerned about obtaining security basics instead of sticking to overhyped GDPR requirements like consent or data breach notification. In the worst scenario, companies think that putting a special tick-box on their website and sending out e-mails suggesting that customers agree to the processing of their data is enough. In a better scenario, companies make a real effort to meet consent requirements by changing the way they process the sensitive data on their customers. However, the majority forget that consent composes 90% of GDPR; the rest is data protection by design and by default, which requires a company to conduct risk assessment practices and implement control policies over their entire IT infrastructure.
Setu Kulkarni joined WhiteHat in 2016 and is responsible for product vision, strategy, and direction. Previously, Kulkarni led product management and strategy for an operational intelligence product portfolio, a variety of strategic and operational initiatives for TIBCO Inc. He has held engineering and pre-sales roles in India and Europe working for NDS, Infosys, Adobe, and TIBCO. He earned a degree in computer science and engineering from Visvesvaraya Technological University, India.
Response: With the advent of GDPR, the world is recognizing how data is the lifeblood of applications. When it comes to GDPR compliance, data privacy issues are a top concern, and integrating security training and formalizing data boundaries all require applications to be secure by design. Just as there are multiple layers of security in the most secure buildings, we have to create the same level of insulation for our digital information. WhiteHat Security believes GDPR isn’t just about finding data—it’s about making certain it’s secure.
Shridar Subramanian, StorageCraft VP of global strategy, has more than 23 years of experience in information technology. Subramanian joined StorageCraft with the acquisition of Exablox in January 2017. Prior to StorageCraft, he was the VP of marketing at Virident Systems, a leading provider of PCI SSDs, where he was responsible for product strategy, go-to-market as well as awareness and demand generation.
Response: I am most concerned about Article 32 of GDPR which stipulates that organizations must have the ability “to restore availability and access to personal data in a timely manner” in the event of an incident.
As such, part of the new regulation stipulates that companies must have an effective, regularly-tested disaster recovery solution. A shift from traditional – often separate – backup and data protection models toward a converged model is poised to help ease the data cost, complexity, risk and compliance burdens faced by organizations.
Traditional backup needs to read all primary data before moving it over a network to write to another storage target. It is challenging enough to recover files when the system is fully functional, but in a disaster recovery situation such as a ransomware attack, it can be calamitous.
To reach GDPR compliance, the solution involves creating a scalable infrastructure, then forming an environment that unifies primary and secondary storage while integrating disaster recovery — which in turn is then able to digest massive amounts of structured and unstructured data.
Steve Durbin is Managing Director of the Information Security Forum (ISF). Durbin’s main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
Response: I’m concerned that many organizations feel that everything surrounding GDPR comes to a halt on Friday, May 25. However, in my opinion, that date is just the start of the GDPR race. If companies aren’t completely compliant by that date, it isn’t the end of the world. What the different information commissioners across Europe are looking for in all of this is a plan, a process, something that organizations can point to that demonstrates that they’ve understood the obligations under GDPR, that they are well on their way towards implementing some of those, and that they have really checked off some of the more important elements of it. I’m thinking about protecting the most sensitive elements of information that exist across an organization. So for organizations that perhaps aren’t 100% in shape on May 25, as I say, it really isn’t the end of the world. What they have to do, however, is get themselves in decent condition, because of course the challenge with all of this is that you never actually know when you’re going to suffer a breach or lose data.
Chris Olson founded The Media Trust with a goal to transform the internet experience by creating better digital ecosystems to govern assets, connect partners and enable Digital Risk Management. Olson has more than 15 years of experience leading high tech and ad technology start-ups and managing international software development, product and sales teams.
Response: When it comes to GDPR compliance, our main concern is that many organizations unknowingly collect user information and track user behavior within their digital environment. This often happens because a typical enterprise website, for instance, has no single person or team in charge and is supported by an intricate web of direct and indirect vendors, many of whom surreptitiously drop cookies that collect personally identifiable user information. To stay compliant with GDPR and avoid its stiff penalties, organizations should put together a robust digital vendor risk management program that specifies teams, processes, and tools for (1) identifying and monitoring their direct and indirect vendors, (2) communicating their policies with all vendors, (3) resolving any issues, and (4) terminating vendors who fail to comply with policies.
Charles Mudd is President and Principal of Mudd Law, which practices in Internet and high tech fields including all aspects of data security. Mudd also teaches as an adjunct at John Marshall Law School on subjects of privacy, intellectual property and startups.
Response: As an attorney representing companies with an online presence (which inevitably includes privacy policies on their websites and apps), my biggest GDPR concern relates to the connection between the written policies and the actual backend practices. Any company representing itself to be GDPR compliant must ensure that its practices and security measures reflect its policies, and vice versa. Absent this direct correlation, the company might create more liability exposure than had it not made such representations in the first place. As a corollary, I am concerned that companies who do not need to be GDPR compliant will nonetheless make such representations without implementing the measures necessary to actually be so.
Gates Marshall is the director of the cyber services firm CompliancePoint. Marshall’s many years of experience in information security consulting and his areas of expertise include secure architectural design, vulnerability and penetration testing, OWASP, forensics, incident response, GDPR, FISMA, MARS-E, cryptographic control design and application, and witty banter.
Response: Whether companies that have under-invested in cyber security are able to meet Article 32 requirements for an effectively implemented information security framework is a huge concern. It’s not realistic to have information privacy processes in place to respond to people’s subject access requests without first having the related information security controls in place. It’s also not realistic to protect data without having the various controls defined in a framework in place. Be prepared to invest in these areas if you have not already done so.
Susan Morrow is a security researcher for the InfoSec Institute and has worked in the IT security sector since the early 90s. Morrow has been involved in security projects addressing government, enterprise, and consumer needs and has helped design and commercialize award-winning security software solutions used by organizations of all sizes worldwide. Her mantra is that security is about human beings as much as it is about technology.
Response: A TrustArc survey from last September has shown that 61% of companies were not ready to implement GDPR, and noncompliance carries more than just a large fine. The GDPR is ultimately about protecting personal information—so if you do not protect your customers’ personal information, you may also find your company facing some of the following consequences: damaged company reputation, lost consumer trust, cost of rectification, and declining share value. However, with the right training and level of security awareness in place, your organization can achieve GDPR compliance and more importantly, keep its sensitive data secure.
Craig Andrews is the founder and Principal Ally at allies4me. The allies4me team has been helping companies achieve their online goals for 9 years.
Response: You should be most worried about your vendor relationships and practices for vendors who have access to customer data. Most companies will have their internal practices locked down for GDPR. But an audit could reveal that you’ve got vendors downloading and storing personalized data on their servers in a way that will compromise your ability to execute on data portability or right to be forgotten requests. You should formalize policies with your vendors to show complete control of your customer’s data.
Paul Lanois is an attorney admitted to the Bars of the District of Columbia (DC-USA), New York (NY-USA) and the Supreme Court of the United States (SCOTUS). Lanois is a global privacy, data protection and information security professional. He was recognized as a leading lawyer in The Legal 500’s GC Powerlist, named a “Cybersecurity & Data Privacy Trailblazer” by the National Law Journal and an “Innovative Corporate Counsel” by Law 360.
Response: Many organizations still do not fully understand the extent of the requirements or even to what extent the GDPR applies to them if they do not have a physical presence in the EU. There is no “one size fits all” magic button for GDPR compliance. It is not a “one time” thing but rather an ongoing requirement. For many, radical changes to internal detailing and investigating structures may be required.
Lisa Parcella, VP of Product Management & Marketing at Security Innovation, designs and delivers comprehensive security-focused products and educational solutions for Security Innovation’s diverse client base.
Response: To prepare for GDPR, most organizations have streamlined and detailed their information security policies; however, many are unaware that 90 percent of cyber attacks occur at the application layer. This means that immature application security programs arguably pose the biggest threat of a data breach. This often overlooked component of data protection puts organizations at risk for GDPR-related fines and regulatory action.