May 25 2022, marked four years since the European Union’s General Data Protection Regulation (GDPR) went into effect. Although the scope of the law is limited to personal data originating from activities in the European Economic Area, the ensuing requirements have had a global impact. This is evident in similar laws that have been proposed or passed and measures multinational organizations have taken to comply with privacy requirements. In parallel, there has been a convergence of a principles’ based approach to cybersecurity in many jurisdictions worldwide.
In light of the trends of the past four years, there are four clear takeaways for organizations seeking to meet their GDPR obligations.
1. GDPR Is not a Static Set of Requirements
During the past four years, organizations around the globe have adapted to comply with GDPR’s requirements, while those requirements and the threats posed to privacy have been anything but static. The European Data Protection Board (EDPB), the GDPR-era successor to the Article 29 Working Party, has issued updated guidance on a variety of areas. These include privacy-by-design as well as breach notification examples and response guidelines. Simultaneously, as demonstrated in CrowdStrike’s Global Threat Report, threats to data protection continue to evolve. This means that organizations must assess their GDPR compliance programs in the context of today’s security risks and GDPR requirements, rather than those of 2018.
2. Achieving Security-by-Design and Privacy-by-Design Is not “Set and Forget”
As a principles-based regulation, GDPR includes obligations to incorporate privacy-by-design and to implement safeguards appropriate to the risk. EDPB guidelines make clear that privacy-by-design is an evolving standard that imposes on organizations a duty “to take account of the current progress in technology that is available in the market.” Furthermore, the EDPB guidance drives home the point that organizations may find themselves in violation of GDPR Arts. 25 and 32, where “a measure that once provided an adequate level of protection no longer does.”
This evolving standard of GDPR is a reflection of why security approaches, such as legacy antivirus, are mismatched for today’s realities. As workloads and data storage increasingly move from traditional endpoints to cloud offerings, cyber threat actors have expanded their targets. In fact, cyber threat actors often do not discriminate between personal or general, on-premise enterprise environments versus cloud environments. They target resources and data wherever they exist, and frequently move between local and cloud environments in an attempt to achieve their objectives. This is one reason why accidental data exposures that happen through, for example, misconfigured cloud storage environments are also increasingly a source of potential privacy issues. Moreover, threat actors use cloud hosting to disguise their intrusions as benign network traffic, and a variety of legitimate software and cloud hosting services to access company networks.
3. Mitigating Risk Can Mitigate Breach Obligations
Like many breach notification obligations, GDPR’s language is designed to reduce breach fatigue by creating an impact-driven duty to notify regulators and, in the most severe of instances, individuals. Recent guidance for the EDPB makes clear not all breaches have the same level of severity. For example, an incident where a threat actor sees a list of user names might have a small or negligible impact on affected parties. Whereas, another incident in which a threat actor exfiltrates complete financial or medical records may have a severe impact.
Some personal data may be considered benign enough that it would not even be considered reportable if a breach was to occur. Whereas, other personal data could pose a risk or high risk to the fundamental rights of data subjects. Such guidance is relevant for cross border data flows as well. Put simply, if certain types of personal data in a data breach would not be reportable, it raises the question as to whether there should be any barriers to data flows in a transfer impact assessment.
As a practical matter, the data breach guidance repeatedly endorses the notion of using centralized logs as a critical component in breach prevention and assessment. This is because security teams demand contextual awareness and visibility from across their entire environments, including within cloud and ephemeral environments. Log management is critical to understanding what happened. Going beyond this, extended detection and response (XDR), can be leveraged to apply order to a sometimes chaotic array of security tools by deriving actionable insights wherever they exist within the enterprise, and generate intelligence from what otherwise may be an information overload. Holistic XDR unifies detection and response across the entire security stack.
4. Threats to Data Protection Aren’t Going Away
Legal guidance related to GDPR is not the only thing that has evolved in the past four years. The threats to privacy that GDPR principles require organizations to protect against have evolved as well. As CrowdStrike’s Global Threat Report highlighted, cyber actors pose a significant threat to organizations and, especially, to data protection compliance. In fact, CrowdStrike observed an 82% increase in ransomware data leaks from 2020 to 2021 alone. Moreover, there is the stark reality that 62% of attacks observed by CrowdStrike did not involve malware but instead were conducted via hands-on-keyboard activity. These realities make clear that using legacy antivirus technologies to protect personal data do not meet GDPR’s standards of implementing state-of-the-art security measures appropriate for today’s risks.
GDPR Going Forward
Organizations subject to GDPR should evaluate whether measures put in place four years ago are still sufficient today. Both the legal guidance interpreting GDPR as well as the threats to privacy continue to evolve, and compliance is a moving target. Moreover, there have been significant fines under both GDPR and UK GDPR against organizations that do not implement appropriate safeguards to protect personal data. Consequently, as a practical matter, investing in ENISA endorsed security measures such as XDR, zero trust, log management and threat hunting is a fundamental part of compliance today.
 George Kurtz, Testimony on Cybersecurity and Supply Chain Threats, Senate Select Committee on Intelligence (Feb. 23, 2021)