GDPR hasn’t ensured data protection - so what will?


The EU’s General Data Protection Regulation (GDPR), introduced three years ago, brought the need for businesses to carefully safeguard personal data into the limelight. The regulation created a series of new responsibilities and obligations for organizations wishing to store and make use of personal data from citizens in the EU and UK.

About the author

Craig Lurey is CTO & Co-Founder of Keeper Security.

This was intended, on one hand, to ensure the digital privacy of customers and employees and to assert the rights of those individuals over their data. On the other hand, it harmonized data privacy rules across 28 countries, undoubtedly a good move for international businesses wishing to trade across the continent.

Failing to exercise adequate caution and control has brought the possibility of heavy fines. In cases of considerable negligence, these can be up to €20 million or up to 4% of annual worldwide turnover, whichever is higher. One of the largest GDPR fines to date - £20 million - was levied against British Airways for a 2018 breach that compromised the personal data of over 429,000 customers. Hundreds of other fines, large and small, have been imposed over the past three years.

But in a post-Brexit world where Britain can independently change these regulations again - something the UK government has signaled it is open to doing - legislative pressure alone cannot be the only solution to ensuring consumer data remains protected.

Pressures of the pandemic

Although GDPR regulations did provide some form of protection, few would argue their personal data, as it is stored online by organizations, is now much safer than it was three years ago. Unfortunately, in parallel to new regulations, cybercrime has risen considerably, with news of leaks and breaches hitting the headlines with depressing regularity.

This has been partially fueled, of course, by the forced increase in remote working during the pandemic. This period has been especially dangerous for those organizations that hadn’t previously supported any kind of remote working and had to very quickly adopt new technologies and policies to maintain business continuity. Estimates vary, but one estimate by analyst house Canalys suggests a new record of more than 30 billion compromised data records in 2020, over 100% higher than the previous year, which was itself a new record.

This surge has happened despite increased investment by businesses in the latest cybersecurity technology, which grew by 10% in 2020 alone - regardless of all the other pressures on IT budgets - according to the same note from Canalys.

So, although we have considerable regulation, heavy penalties and new and improved cybersecurity technologies, personal data is more at risk than ever before. What’s missing is consideration of the human factor.

Phish in a barrel

Humans are typically the weakest link in a modern organization's line of cyber defenses. Employees don’t want to have to remember dozens of unique, high-entropy passwords - and it isn’t realistically possible, given that typical office workers have around 200 passwords between work and personal accounts. This results in weaker passwords, which are then reused across different services, some of which will certainly be compromised over any given period. The evidence that this should be a pressing concern for all businesses is clear: 81% of data breaches succeed due to weak or stolen passwords.

Some cybersecurity authorities like to pretend this flaw in so many organizations' defenses can be solved through education and developing a culture of awareness. Certainly, education and policies have a valuable part to play, especially when it comes to avoiding phishing attacks, but the fundamental problem stemming from too many passwords remains.

Organizations that want to properly protect themselves against data breaches therefore need to do two things in particular to remove this otherwise inevitable fallibility.

First, they should roll out a comprehensive password management solution that securely manages all user credentials and automatically fills them into apps and websites, eliminating the need for employees to create or remember their own - potentially weak or easily guessable - passwords. Secondly, they need to ensure the solutions they deploy are built on a zero-knowledge security architecture, meaning that the vault is encrypted on the user's device with a key derived from the master password, so that even if cybercriminals successfully breach the organization or the vendor, they won't be able to access or decrypt the data they might seize.
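As an added illustration (not Keeper's code or any product's implementation), here is a minimal model of what zero-knowledge storage means in practice: the vault key is derived on the client from the master password, and the server only ever holds a salt, nonce, ciphertext and authentication tag, so a stolen server-side copy can neither be decrypted nor tampered with undetected. The HMAC-SHA256 counter-mode keystream and the 100,000 PBKDF2 iterations are constructed stand-ins for a real product's AES-GCM and tuned key-derivation settings.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # constructed value; production KDF settings are tuned much higher


def derive_keys(master_password: str, salt: bytes):
    """Runs on the client only: stretch the master password into two keys.

    The first 32 bytes encrypt the vault, the second 32 bytes authenticate it.
    Neither key, nor the master password, is ever sent to the server.
    """
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode (illustrative stand-in for AES-GCM).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_password: str, records: dict) -> dict:
    """Client-side encryption; the returned dict is everything the server stores."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(records).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(master_password: str, blob: dict):
    """Client-side decryption. Returns None on a wrong password or a tampered blob."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # verify before decrypting: never process unauthenticated ciphertext
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return json.loads(bytes(c ^ k for c, k in zip(blob["ciphertext"], ks)))
```

The point of the model is what is absent from the stored blob: no key material, no password hash that could be used to decrypt, and no plaintext, so a breach of the server yields only salted, authenticated ciphertext.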

GDPR was a useful piece of legislation on at least two fronts. It has ensured many businesses and other organizations take people’s data security and privacy more seriously than would almost certainly otherwise be the case. And second, it simplified the existing and proposed regulation to provide much greater clarity. But it was not, and could never be, a cure-all against breaches and data loss. Cybersecurity is a complex and evolving field, and a sophisticated approach will evolve accordingly. What businesses and other organizations can and should do quickly is to close the obvious gaps that leave them vulnerable - both to breaches and to the fines that might well follow.
