The General Data Protection Regulation (GDPR) represented a new phase in data security and EU regulators' approach to it. Designed to safeguard consumers with greater transparency into how, when and by whom their personal data is collected, GDPR, though based in the EU, has a global reach and is likely to act as a blueprint for upcoming data security regulations in other markets.
But the legislation also comes with some big question marks. Nearly one year since GDPR came into effect, there remain uncertainties about issues like accountability in cases of data breaches at data sharing partners.
What's clear is that GDPR intends to protect data, and researchers have already found a correlation between GDPR-compliant businesses and lower rates of data breaches – perhaps the result of organizations' prioritizing and investing more in cybersecurity and data protection initiatives to become compliant.
The $57 million fine French regulators levied against Google earlier this year under GDPR rules made clear that authorities take a strict stance on the new data collection and sharing rules – but as Andy Norton, director of threat intelligence at Lastline, told PYMNTS, GDPR does not guarantee compliant businesses won't suffer a data breach. Indeed, he noted, GDPR has the potential to expand the cyberthreat even more.
"The fundamental flaw in many systems is abuse of trust," he explained, noting that while organizations must ensure the partners with which they share customer data are GDPR-compliant, there are always risks involved. "If the data controller implicitly trusts a data processor simply because there is a consistent legal framework in place, criminal abuse of trust will always take place."
Norton warned of the emergence of what he called a "black marketing economy," in which cybercriminals masquerade as a seemingly legitimate company with a falsely issued GDPR compliance statement. Such a scenario would leave the door wide open for data-controlling companies to send customer information to that criminal under the false pretense of regulatory compliance and data security.
Norton noted that, without the need to hack or breach any internal systems, criminals would then be able to obtain an array of sensitive, personal information that could be used to tailor spear-phishing campaigns, for example, likely resulting in a greater success rate of that cybercrime.
The issue at hand is not necessarily the GDPR legislation itself, but the false sense of security that a GDPR-compliant label could give organizations that share customer data.
DLA Piper analysis published in February drew on the GDPR mandate requiring organizations to notify regulators and affected customers of a data breach within 72 hours of the event, using those notifications to assess the current data security climate. In the first eight months of GDPR, more than 59,000 personal data breaches were notified to authorities, the report said, adding that a backlog of notifications remains and could result in a surge of GDPR-related fines this year.
Clearly, the threat of a data breach remains strong, and Norton warned it will persist as other jurisdictions begin to implement their own data protection rules.
A Global Framework
Though GDPR is an EU-based regulation, it is often considered a global initiative thanks to the global nature of today's market: Any company doing business in the EU or with EU-based partners must comply.
Norton said it is also likely that GDPR will not only influence other markets' own data protection rules, but could actually lead to a global framework of standardized data protection requirements.
"Given the globalization of business, it seems strange to have separate levels of privacy protection around the increasingly important center of gravity, which is our digital identity," he said. "It seems probable that countries should adopt a consistent approach to privacy rights, or there will always be confusion and risk as PII data [personally identifiable information] moves from one jurisdiction to the next."
Unfortunately, an expansion of GDPR could mean that GDPR cyber risk spreads, too.
Norton isn't the only cybersecurity expert to raise concerns over GDPR's potential to amplify threats. An Information Age report last May similarly warned that GDPR could actually promote cybercrime by putting a monetary value on data via regulators' ability to levy fines, giving cybercriminals greater leverage in ransomware attacks. "Now that criminals know how much the data is worth, it creates an environment that almost favors the criminals, especially if the ransom costs less than the fine," the publication said.
According to separate reports in The Telegraph last October, experts say GDPR's mandate to allow consumers to request all data collected by a company could enable a hacker to access or delete that information should they gain access to a user's Facebook, Google or other account.
While it is too early to assess the exact impact of GDPR on the broader cybersecurity climate, Norton noted it is essential for organizations to not only comply with the regulations, but also to be smart about how they maintain that compliance.
"Businesses need to consider not only whether they can share data with other organizations inside a legal framework, but also if they should share the data at all," he said.