GDPR: Busting Myths about Data Protection
At a Glance:
- 2018 will prove to be the year of data protection, with decisive steps taken
- Myth: A better firewall is needed
- Myth: Stronger passwords should be enforced
- Myth: Data collected and stored is not sensitive or personal
While 2017 was the year of the most disastrous data breaches, especially for Indian IT enterprises, 2018 may well be the year of data protection, with decisive steps taken and the necessary measures put in place to protect the personal data of both individuals and enterprises.
With the EU’s GDPR (General Data Protection Regulation) expected to take effect in May 2018, applying across the EU and reaching enterprises in India as well, data protection is arriving on a bigger stage. India is also planning to introduce more stringent data protection laws to guard against data exposure in future.
What made GDPR necessary?
After witnessing multiple major data breaches in the past few months, implementing better data protection laws and mechanisms has become necessary for enterprises. A few of the many major data breaches were those of Chipotle in April, OneLogin and Equifax in May, Deep Root Analytics in June, Verizon in July, and so on, exposing the data of millions of people.
Stronger data protection rules are a response to the lackadaisical attitude of enterprises towards data vulnerability and the exposure of personal data, of individuals and enterprises alike. The Deep Root Analytics breach, for example, was not a sophisticated attack, and the same holds for many other major breaches: the personal data was freely available on the cloud for anyone to access for weeks.
The main point is to identify why these data breaches happen in the first place. Mainly, it is because of a faulty understanding of how data protection should be done in an enterprise.
Here are three common myths about protecting personal data that enterprises fall for.
Myth 1: A better Firewall is needed
Getting a better firewall is definitely not the answer to the kind of data breach happening right now.
Protecting personal data is more about implementing mechanisms within the organization than about buying a better firewall. With a well-defined and well-designed system, the chances of a data breach are lower, and even if a breach happens, only minimal data is exposed. This means the perimeter has nothing to do with personal data protection; it all rests on the core of an enterprise’s IT infrastructure.
Consider the case of Verizon, where the personal data of 14 million people was exposed and freely available for download from the cloud, in readable form. This could have been avoided with a well-designed system that did not store personal data in a single, easily identifiable, unencrypted database.
Also, had Verizon made a good investment in application-level encryption and pseudonymization, none of the exposed data would have impacted a real customer.
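The following is an added example, not code from the article or from any of the companies it mentions, showing the design point behind Myth 1: pseudonymize the customer identifier with a keyed hash and keep the identifying fields in a separate identity vault, so that the operational store exposed in a breach does not identify a real customer. The customer records, field names and key are constructed for the example; in a real deployment the vault (and the key) would additionally be encrypted and held in a separate trust zone, which this stdlib-only example does not show.

```python
import hmac
import hashlib
import secrets

# Constructed sample: what a single flat table of customer records might look like.
CUSTOMER_RECORDS = [
    {"customer_id": "C-1001", "name": "Asha Rao", "phone": "+91-98765-00001",
     "plan": "postpaid", "calls_last_month": 312},
    {"customer_id": "C-1002", "name": "Rahul Mehta", "phone": "+91-98765-00002",
     "plan": "prepaid", "calls_last_month": 87},
]


def generate_key() -> bytes:
    """Pseudonymization key; only the component that needs to re-identify holds it."""
    return secrets.token_bytes(32)


def pseudonymize(customer_id: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same id always maps to the same token,
    but the token cannot be reversed or recomputed without the key."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def split_records(records, key):
    """Separate identifying fields from operational data.

    Returns (identity_vault, operational_store). Only the vault links a token
    back to a person; the operational store carries the token and nothing else
    that identifies the customer directly.
    """
    identity_vault = {}
    operational_store = []
    for rec in records:
        token = pseudonymize(rec["customer_id"], key)
        identity_vault[token] = {
            "customer_id": rec["customer_id"],
            "name": rec["name"],
            "phone": rec["phone"],
        }
        operational_store.append({
            "token": token,
            "plan": rec["plan"],
            "calls_last_month": rec["calls_last_month"],
        })
    return identity_vault, operational_store


def contains_direct_identifiers(store, records) -> bool:
    """Check whether any original identifying value appears anywhere in a store.
    Used here as a release check before a store is copied to a less trusted zone."""
    serialized = repr(store)
    return any(
        value in serialized
        for rec in records
        for value in (rec["customer_id"], rec["name"], rec["phone"])
    )


def reidentify(token: str, identity_vault):
    """Resolve a token back to the person; only callers with vault access can do this."""
    return identity_vault.get(token)


if __name__ == "__main__":
    key = generate_key()
    vault, ops = split_records(CUSTOMER_RECORDS, key)
    print("operational store leaks identifiers:", contains_direct_identifiers(ops, CUSTOMER_RECORDS))
    print("vault resolves token:", reidentify(pseudonymize("C-1001", key), vault)["name"])
```

The check `contains_direct_identifiers` is the kind of gate that would have caught a flat, readable customer table before it was copied to a cloud bucket: the operational store passes, the vault deliberately fails and stays behind the stronger controls.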
Myth 2: Stronger passwords should be enforced
It is good to keep a strong password for your data protection; it might help you against a sophisticated attack, but a stronger password won’t do you any good in a data breach on a larger scale.
A number of techniques and mechanisms need to be implemented within organizations to ensure data protection at a stronger level. Things that can be done to prevent further data breaches in an enterprise:
- implement role-based access controls, so that data is available only on a need-to-know basis;
- store the data in a limited set of locations, with role-based and encrypted streaming access;
- avoid temporary storage of any personal or sensitive data at any location other than the designated secured stores; and
- monitor and audit through behavioural checks, using third-party applications.
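As an added example (not from the article), here is the first and last of those measures in code: a field-level, role-based need-to-know check over a pseudonymized record, every access written to an audit log, and a simple behavioural check that flags users who keep being refused. The roles, field sets, record and threshold are all constructed for the example; a real policy would be loaded from the organization's access-control configuration rather than hard-coded.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Constructed policy: which fields each role may read (need-to-know).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "billing_agent": {"token", "plan", "balance"},
    "support_agent": {"token", "plan"},
    "fraud_analyst": {"token", "plan", "balance", "phone"},
}

# Constructed record from the operational store, keyed by a pseudonym token.
RECORD = {
    "token": "constructed-token-7f3a",
    "plan": "postpaid",
    "balance": 420.50,
    "phone": "+91-98765-00001",
}


class AccessDenied(PermissionError):
    """Raised when a role asks for a field outside its need-to-know set."""


@dataclass
class AuditLog:
    """Append-only record of every access decision, allowed or not."""
    entries: List[dict] = field(default_factory=list)

    def record(self, user: str, role: str, fields: Iterable[str], allowed: bool) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "fields": sorted(fields),
            "allowed": allowed,
        })


def can_read(role: str, requested: Iterable[str]) -> bool:
    """True only if every requested field is in the role's allowed set.
    Unknown roles have no allowed fields at all (deny by default)."""
    return set(requested) <= ROLE_FIELDS.get(role, set())


def read_fields(record: dict, user: str, role: str, requested: List[str], audit: AuditLog) -> dict:
    """Return only the requested fields, and only if the role may see all of them.
    A request that mixes allowed and disallowed fields is refused outright."""
    denied = set(requested) - ROLE_FIELDS.get(role, set())
    if denied:
        audit.record(user, role, requested, allowed=False)
        raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
    audit.record(user, role, requested, allowed=True)
    return {f: record[f] for f in requested}


def flag_unusual_access(audit: AuditLog, threshold: int = 3) -> Set[str]:
    """Behavioural check: users whose denied requests reach the threshold.
    Repeated probing for fields outside one's role is worth a reviewer's look."""
    denials: Dict[str, int] = {}
    for entry in audit.entries:
        if not entry["allowed"]:
            denials[entry["user"]] = denials.get(entry["user"], 0) + 1
    return {user for user, count in denials.items() if count >= threshold}


if __name__ == "__main__":
    log = AuditLog()
    print(read_fields(RECORD, "agent-17", "support_agent", ["plan"], log))
    try:
        read_fields(RECORD, "agent-17", "support_agent", ["plan", "phone"], log)
    except AccessDenied as exc:
        print("denied:", exc)
    print("flagged:", flag_unusual_access(log, threshold=1))
```

The audit log is what makes the control monitorable: the allowed entries show who touched which personal data fields, and the denied entries feed the behavioural check that the article recommends.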
Myth 3: Data collected and stored is not sensitive or personal
It is often asked what personal data is. Enterprises more often than not mistakenly consider the data stored in their systems to be neither sensitive nor personal.
Again, in the case of Verizon, the breach happened at the voice infrastructure level, in the voice recording system, which did not protect data the way the system handling card processing data did.
Another exposure, of supposedly anonymized search-string data, happened at AOL. It disclosed critical information through the search strings themselves: it was discovered that people could be identified from the search strings they used, together with their personal data, including information that can be potentially embarrassing.
Clearly, it is essential for an enterprise to have a thorough and holistic view of its data flow, with an automated system for regular monitoring of the security of the personal data of both the enterprise and individuals.
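The following is an added example (not from the article, and not AOL's data) of the automated monitoring the last two paragraphs call for: a release check that scans a supposedly anonymized search log for queries that still carry direct identifiers, so the dataset is held back or redacted before it leaves the secured store. The log lines, user ids and the set of patterns are constructed for the example and deliberately narrow; a production scanner would use a maintained library of identifier patterns for the jurisdictions involved.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed "anonymized" search log: the account names were replaced by
# opaque ids, but the query text was exported untouched.
SEARCH_LOG: List[Tuple[str, str]] = [
    ("u-101", "best pizza near me"),
    ("u-101", "call +91 98765 00001"),
    ("u-101", "directions to 12 park street bengaluru"),
    ("u-102", "python dataclass tutorial"),
    ("u-102", "check benefits with ssn 123-45-6789"),
    ("u-103", "my name is priya sharma"),
    ("u-104", "weather tomorrow"),
    ("u-104", "gdpr article 4 definitions"),
]

# Constructed, intentionally small set of direct-identifier patterns.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s-]{8,}\d"),
    "national_id": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "street_address": re.compile(
        r"\b\d{1,5}\s+\w+\s+(?:street|st|road|rd|avenue|ave|lane)\b", re.IGNORECASE
    ),
    "self_disclosure": re.compile(r"\bmy name is\b", re.IGNORECASE),
}


def classify_query(query: str) -> List[str]:
    """Return the sorted list of identifier categories found in one query."""
    return sorted(name for name, pattern in PATTERNS.items() if pattern.search(query))


def scan_log(log: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group flagged queries by pseudonymous user id.

    A user with even one flagged query is linkable to a real person, which is
    exactly what replacing the account name was supposed to prevent.
    """
    hits: Dict[str, List[Tuple[str, List[str]]]] = defaultdict(list)
    for user, query in log:
        categories = classify_query(query)
        if categories:
            hits[user].append((query, categories))
    return dict(hits)


def users_at_risk(log: List[Tuple[str, str]]) -> Set[str]:
    """Pseudonymous ids that must be redacted or dropped before release."""
    return set(scan_log(log))


def release_allowed(log: List[Tuple[str, str]]) -> bool:
    """Gate for the export job: only a log with no flagged queries may leave."""
    return not users_at_risk(log)


if __name__ == "__main__":
    for user, flagged in scan_log(SEARCH_LOG).items():
        for query, categories in flagged:
            print(f"{user}: {categories} in {query!r}")
    print("release allowed:", release_allowed(SEARCH_LOG))
```

Run against the constructed log, the scanner flags three of the four pseudonymous users and blocks the export; the point is that the identifier-free ids do nothing when the query text itself is the personal data.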
[About the author: Sreekanth Nemani is a telecom expert, with 4 international patents and 2 well-cited publications. A researcher and a deep thinker, with an experience of over a decade in the UC & CC industry. Currently working at Assertion and researching on how to ensure automated compliance for the global policies.]