GDPR: The De Facto Standard-Setter for Data Protection

In the year since GDPR became law, we have all been inundated with emails from anyone we’ve ever done business with and any site we’ve given our personal information to. It’s a phenomenon so pervasive that it’s called ‘the GDPR effect’ – but for all the emails and cookie notifications, is our data any safer?

The GDPR Founding Principle Article 1.2 states: “This regulation protects fundamental rights and freedoms of natural persons and in particular, their right to the protection of personal data.” Whether or not your organization is specifically subject to GDPR, doing everything in your power to protect data while it is in your organization’s care is critical.

One reason this is critical is because when you receive someone’s data, there is an implicit trust exchange that takes place. The person is entrusting you with their sensitive information, and if that data is breached, trust is broken. Without trust, business cannot survive.

The other reason is that if you are able to show the efforts your organization has made to comply with data privacy laws, you get an ‘A’ for effort from the regulatory investigators – even if not all your efforts resulted in total data privacy and security.

But in order to exercise top-notch data privacy, your company’s culture will need to shift from merely checking the compliance box to becoming an organization that is dedicated to safeguarding data at all times.

Here are four steps toward that goal:

  • Documentation: it’s not what you do as much as it’s how you document what you do. With the multitude of laws and regulations that must be observed, you must have healthy, consistent and compliant documentation. In the event of a breach, documentation will help you with the step below – without it, a compliance failure is imminent
  • By Design and Default: a critical GDPR tenet that could equally apply to any regulation is ‘data protection by design and by default.’ This essentially calls for organizational measures to restrict access to unnecessary data, implement data protection principles across all business needs, and employ methods that let you demonstrate compliance
  • Encryption: what GDPR refers to as “pseudonymization,” which is really just a form of tokenization, is one of the easiest ways to protect data. Data storage and processing require encryption best practices at every turn – not just in tokenizing or pseudonymizing the data through the application. Encryption is also required in the central storage area and whenever the data is being shared with authorized individuals or groups
  • Resilient cybersecurity: compliance is not a ‘one and done’ proposition. Achieving compliance is often a singular event, time bound to that particular moment where an organization was, indeed, compliant. However, weeks, days or even minutes after that moment, everything can change. The key to good security is understanding that striving for compliance is not the end goal - instead, organizations should strive to create an ongoing culture of cybersecurity resilience
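As an added example (not code from the article), here is the pseudonymization described in the third step done as keyed tokenization: direct identifiers are replaced with HMAC-SHA256 tokens, and the re-identification table is held apart from the working data set, which is what lets the tokens stay useless to anyone who obtains only the processed records. The field names, sample record and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Fields that directly identify a person; everything else stays as-is.
# (Constructed for this example; a real schema would differ.)
DIRECT_IDENTIFIERS = ("email", "full_name")


def make_pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for one identifier.

    Deterministic for a given key, so records about the same person still
    join; without the key it cannot be reversed or guessed by hashing a list
    of known emails (an unkeyed SHA-256 would be vulnerable to exactly that).
    Input is normalised so 'Alice@Example.org ' and 'alice@example.org' match.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class TokenVault:
    """Re-identification table: token -> original value.

    Kept separately from the pseudonymized data and from the HMAC key, under
    its own access controls (and encrypted at rest in practice), so that a
    leak of the working data set alone does not re-identify anyone.
    """

    def __init__(self) -> None:
        self._map: dict[str, str] = {}

    def store(self, token: str, original: str) -> None:
        self._map[token] = original

    def lookup(self, token: str) -> str:
        return self._map[token]


def pseudonymize(record: dict, key: bytes, vault: TokenVault) -> dict:
    """Return a copy of `record` with direct identifiers replaced by tokens."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            token = make_pseudonym(out[field], key)
            vault.store(token, out[field])  # original kept only in the vault
            out[field] = token
    return out


def reidentify(record: dict, vault: TokenVault) -> dict:
    """Restore originals for an authorised consumer who has vault access."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = vault.lookup(out[field])
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: from a KMS/HSM, never stored beside the data
    vault = TokenVault()
    sample = {"email": "Alice@Example.org", "full_name": "Alice Smith", "order": "widget", "amount": 42}
    print(pseudonymize(sample, key, vault))
```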

Not all companies will succeed in preventing a data breach, but companies that document their efforts, encourage thorough data management practices and promote a culture of good security hygiene will suffer far less than those who simply ask for user consent. You will avoid fines, reputation damage and loss of customer trust while resting assured that you’re doing everything possible to keep private data private.
