GDPR compliance is an enabler of better security and business processes – if approached in the right way

Even if you’ve been stranded on a desert island for the past two years, you’ll probably have heard that GDPR came into effect on 25 May 2018.  Companies based in Europe are expected to spend an average of €1.3 million ($1.4 million) on ensuring compliance, according to Gartner, while U.S.-based businesses are setting aside around $1 million. And, with good reason – being in breach of GDPR’s requirements could cost organizations dearly in fines for non-compliance, as well as increased legal fees and damage to brand reputation.

Given the cost and effort involved in trying to become compliant, not to mention the risks of penalties if they experience a breach, businesses are understandably apprehensive about preparing for the new and complex compliance regime.  

But, these concerns can be alleviated if businesses view GDPR compliance not as a box-ticking and costly chore, but as an opportunity to enhance their processes and better protect themselves against damaging breaches and cyberattacks. It is also an opportunity to put in place measures that strengthen the security and compliance posture of organizations, using GDPR’s requirements as the pivot point.  Here are three key business benefits that GDPR can deliver to enterprises:

Protect the business brand
The massive cyberattacks on Equifax, Yahoo and other major enterprises over recent years have severely dented those companies’ brands and reputations.  These effects will be compounded by strong penalties if they occurred under the new regulations, which means enterprise security teams are taking on more responsibility for protecting their company’s public image.  This in turn puts good security practice at the core of business processes.

Update business-wide operations
GDPR creates an opportunity for security teams to develop and enforce robust processes to detect, investigate, respond and report on threats, and to roll these out across the business as whole. Building security into business processes from the outset, rather than adding them on as an afterthought, delivers better protection against both internal and external threats and streamlines those processes.

Saying yes to innovation – securely 
As GDPR compliance will improve the handling of data and detection of threats, enterprises can accelerate innovation and collaboration both within the business and with external partners, thanks to increased confidence in the integrity and security of their processes across the business.  

So, how should organizations go about updating their networks, security processes and practices to ensure that they can take full advantage of the opportunity GDPR presents?  Here are three key steps that enterprises can take.

Getting visibility of what you need to see
Because GDPR is fundamentally about the types of data that can be collected and recorded, and how that data is handled and stored, an effective visibility architecture is needed to monitor and protect data within the EU while offering a comprehensive perspective across the organization’s networks globally.  However, irrespective of environment, a fundamental part of GDPR is that data should always be pseudonymized, which can also limit how much data should be seen.  

This need for widespread visibility, while also obfuscating sensitive information, could be seen as a contradiction.  However, there are tools and methods that make this possible.  Data masking, originally developed to secure Personally Identifiable Information (PII) data, is ideal for GDPR compliance, and is a feature in some advanced network packet processing engines.  

With data masking, IT and security teams can set any data pattern or offset for masking – credit card records, social security numbers, IP addresses, etc.  Furthermore, a strong visibility architecture that supports geolocation of user data can help identify traffic originating in the EU. When combined, data masking and geo-location (with or without encryption) help to facilitate GDPR compliance.

Encryption matters
Encrypting data is also critical to protecting data.  The trend toward a totally encrypted Internet continues, and under GDPR, data encryption is explicitly mentioned as a legitimate way to address security of personal data and offers some protection from prosecution in the event of a data breach.

However, some organizations have concerns about threats that may be concealed within SSL-encrypted data traffic, as some traditional security appliances and monitoring solutions are not equipped to process encrypted traffic.  However, advanced network packet brokers can decrypt packets once and provide the plain-text data needed by their security and monitoring solutions in order to sniff out threats and malicious payloads, and then re-encrypt the data before forwarding it on.  Together with data masking, encryption protects both data at rest and in motion.

Ensuring integrity, availability, and resilience
A comprehensive visibility architecture doesn’t just monitor data:  it’s also critical in defending an enterprise against increasingly advanced cybersecurity attacks.  Unless an organization has complete visibility of all of the traffic crossing their networks, cybercriminals can take advantage of vulnerabilities and blind spots to infiltrate the network and steal data. Visibility helps security teams to shrink their overall network attack surface, and to plug any gaps in defences.  

Security resilience is also key to GDPR, and visibility helps to ensure this by enabling anomalies or developing attacks to be quickly identified and addressed.  This delivers an accelerated response to potential breaches, limiting damage and minimising risk.  

In conclusion, GDPR is one of the most far-reaching and complex compliance regimes, and effecting the necessary changes within organizations to meet its demands will not always be easy.  But if enterprises take the right approaches to strengthening their security processes, they will gain clear advantages that go far beyond simply ticking the compliance box.  

-- Sudhir Tangri, country GM and VP, Keysight (India).