Next named Market Leader and Outperformer in GigaOm DLP Market Radar Report Read the Report
Updated: Oct 23, 2023   |   Chris Denbigh-White

How European Privacy Regulators are Stepping Up Scrutiny of Business Data Practices

Go back

How European Privacy Regulators are Stepping Up Scrutiny of Business Data Practices

The General Data Protection Regulation (GDPR) is one of the toughest privacy and security laws in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations globally, so long as they target or collect data related to people in the EU. It provides consumers with the right to know what data an organization collects, how the data processors and controllers use it, to receive a copy of the data, and correct inaccurate data. In some circumstances, it allows consumers to demand the erasure of personal data (“the right to be forgotten”).

Almost five years after the regulations came into force, The Wall Street Journal published an update on the activity of European data protection regulators. In addition to a focus on breaches, regulators are increasingly scrutinizing the technical and organizational measures taken to ensure the security of data held. In other words, addressing core business practices around information security. To support this increased scrutiny, regulators are hiring more staff. According to the article, the regulator in Ireland, which recently fined Meta in excess of $400 million, more than doubled its regulatory staff between 2018 and 2022.  

Organizations Must Expand Their Focus

In recent years many companies’ focus has been on those aspects of GDPR which govern what data they collect and how they collect it. The first five principles of GDPR are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; and storage limitation. As one can discern, these principles require organizations to gain consent for collecting data, that they only collect what they legitimately require, and that it is accurate. As long as they were able to 'legally' have the data then the organizations were happy to obtain, retain and use it.

Less attention appears to have been paid to the equally important principle (f); ”integrity and confidentiality (security)” which requires that appropriate security measures are in place to protect the personal data organizations hold.

Recent high-profile fines handed out for GDPR non-compliance are a stark reminder that GDPR regulations apply not only to data collection but also the entire lifecycle of data, and ensuring its security throughout. This requires companies to maintain continuous visibility to sensitive data and ensure that security controls are in place to protect that data from loss or misuse.

Checkbox Controls vs Effective Controls

As the amount of personal data collected and stored by companies continues to grow, the risk that data is misused or mishandled by organizations also increases, as we have seen through an increasing prevalence of data breaches. This has led regulators to take a more proactive approach in enforcing all aspects of GDPR in order to better protect the personal data of individuals and reduce the impact of future breaches.

In the past, companies were able to claim compliance by simply stating that they had 'controls' in place. Regulators now appear to intend to hold companies more accountable for their failures in protecting personal data.

They are beginning to demand to see concrete evidence of the effectiveness of their data security controls. It is clear that the sometimes "straw-man controls" of yesterday are no longer enough.

Ways in which organizations could provide evidence of the effectiveness of their data security measures could include:

  • Verification that organizations can identify protected data at the point of use; on the endpoints where data is at risk.
  • Evidence that organizations are able to protect any data that can be linked to a person’s identity, including that of employees.
  • The ability to identify unusual activity that could be a precursor to a data breach, such as correlations between a series of anomalous activities that individually may not, or should not raise alerts.
  • Incident-based training that warns users when they take actions that could put data at risk inadvertently, representing “guardrails” around potentially high risk activity in relation to data.

What Organizations Can Do

Companies who truly wish to act as guardians of personal data need to embrace that with great volumes of data comes great responsibility (and with it greater potential liability!). Legacy DLP solutions with convoluted, granular rules cannot adapt quickly and reliably to this challenge. In today’s “work from anywhere” world, users and data cannot always be under the control of the corporate network. Nor can organizations rely solely on cloud-based processing that can delay the identification and response to  threats.

Instead, forward-thinking data owners are pushing the scope of data protection to their endpoints. This enables data owners and processors to dynamically identify and remediate threats to data, especially in a world where staff are geographically dispersed and sensitive data is increasingly processed both on and off corporate networks.

Our Shameless Plug

We’d love the chance to earn your trust. Next DLP believes that smarter people lead to safer data. Learn more about Next DLP and how we’re thinking differently about cybersecurity through our fireside chat program. If you like what you see, consider subscribing to our newsletter or talking with one of our pros about what Next DLP might do for your teams.

Demo

See how Next protects your employees and prevents data loss