GDPR at Three Years: Risk Takes On New Meaning

June 21, 2021


May 25, 2021, marked three years since the European Union’s General Data Protection Regulation, commonly referred to as GDPR, went into effect. Though GDPR was built on longstanding European and international data protection principles, it quickly became a board-level issue and elevated overall leadership focus on privacy. GDPR ushered in a new era of organizational transformation, setting requirements for how data is processed, transferred and protected.

Much recent attention regarding GDPR compliance has focused on cross-border data flows and how to ensure that an adequate transfer mechanism is used. GDPR also introduced cybersecurity requirements mandating that organizations adopt technical and organizational measures “appropriate to the risk” and consider the “state of the art” to protect personal data from breaches. Three years in, it’s a good time to reflect on the evolution of data protection risks and appropriate mitigations, and to discuss emerging changes in the field.

Today’s Risks to Data Protection

Threats to data protection come in many forms. They result from a wide range of intentional and unintentional data exposures and, ultimately, invasions of privacy. However, cybersecurity incidents are often the most significant risk. During the past three years, organizations around the globe have dealt firsthand with sophisticated attacks, redefining what is “appropriate to the risk.”

Recent high-profile software supply chain attacks have made clear that an adversary’s successful intrusion may allow not only for lateral movement within an organization but also throughout an entire ecosystem. These campaigns also make clear that authentication protection techniques that may have been appropriate three years ago no longer protect against today’s sophisticated techniques.

Ransomware was commonly used by cybercriminals before GDPR went into effect, with destructive ransomware campaigns such as WannaCry and NotPetya predating the regulation. Moreover, ransomware continues to be used in campaigns against critical infrastructure, as showcased in the recent Colonial Pipeline attack. However, the past three years have unleashed ransomware as a service, enabling those without the technical know-how or infrastructure to deploy sophisticated ransomware tools against organizations big and small.

As ransomware has further proliferated since GDPR, so too has the threat to data protection. One prime example of this is ransomware combined with data leak extortion. In these incidents, the GDPR compliance problem is layered. An adversary not only locks out a victim organization from its own data but then selectively leaks data, including personal data, in order to entice the victim to pay. This phenomenon further complicates strategies to adhere to breach notification triggers while attempting to mitigate impacts to data subjects whose data may be leaked.

These evolving threats and advancements in adversary tradecraft mean that technological and organizational measures that may have been appropriate on May 25, 2018, would likely not be effective against these risks. Therefore, it is important for organizations to assess whether or not their approach to security remains compliant with GDPR three years later.

State of the Art

GDPR promotes the idea that breaches can be prevented by ensuring that entities take appropriate organizational, physical and technological security measures. While these measures are varied, effective data breach prevention ultimately requires contextual awareness and visibility across environments, including within cloud and ephemeral environments. This is why organizations must rely on the legitimate-interest basis recognized in Recitals 47 and 49 of GDPR to process cybersecurity data in order to protect personal data against breaches.

In fact, the European Union Agency for Cybersecurity (ENISA) released an updated “State of the Art” guide that advises organizations to adopt extended detection and response (XDR) solutions to protect against breaches. XDR seeks to apply order to a sometimes chaotic array of security tools by deriving actionable insights wherever they exist within the enterprise, such as from endpoint detection and response (EDR) data, authentication logs and network telemetry.

Moving beyond legacy approaches to data protection, it is important to note that many data breaches take place without the use of malware, leveraging instead harvested credentials, misconfigured account services, native or legitimate administration tools, or supply chain attacks (see the CrowdStrike 2021 Global Threat Report). This is why it is now a data protection best practice for organizations to incorporate new security measures that emphasize authentication, such as Zero Trust. When implemented, Zero Trust requires users to reauthenticate or re-establish permission for whichever device or resource they want access to, as opposed to authenticating once on a device and automatically having access to all the resources therein. This holistic view of authorized identity helps to reduce or prevent lateral movement and privilege escalation during a security incident or event.

GDPR Compliance Is an Iterative Process

Many organizations spent considerable amounts of time, energy and money on preparing for and adapting to GDPR. The three-year anniversary marks the perfect time to remember that GDPR compliance is an ongoing, iterative process, in which organizations are incentivized to continuously improve the means by which they protect personal data for which they are responsible. Across the EU, regulators have issued substantial GDPR noncompliance fines against organizations that failed to protect personal data against data breaches or neglected to fulfill their notification obligations in the wake of a breach. This phenomenon mirrors the ever-evolving threatscape itself and serves as a reminder that organizations can fall short of GDPR compliance even if they engage in robust data mapping, have drafted strong DPAs and conform to lawful bases for processing personal data.
