Privacy expectations are escalating as we enter the “fifth generation of data security”. At the same time, large-scale multi-vector cyber threats are evolving faster than ever. With the advent of GDPR, we’ve reached a perfect storm for data protection.
The default shorthand to describe GDPR is a “game changer for data privacy and security”. But, with its roots in a 19th century law essay as well as more recent directives, the arrival of this type of regulation should come as a surprise to very few.
GDPR may, and probably will, prove to be game changing. With its lofty aim to initiate a cultural transformation in returning control over personal data to citizens, GDPR is seeking to bring about big and undoubtedly positive change.
Yet GDPR shouldn’t be considered a bolt from the blue. There’s been an increasing clamor for greater individual privacy and business accountability over the last two decades. In fact, the timeline of progress towards GDPR and the so-called “fifth generation of data security” can be traced back much further than that.
The first generation of data security
GDPR is (in many ways) the inevitable consequence of a movement that can be traced back to 1890. That year, Samuel Warren and Louis Brandeis published in the Harvard Law Review what is considered to be the first article to assert the right to privacy. And ever since, that seminal essay has been regarded as among the most influential in American (and subsequently international) law.
Privacy as a human right
The first generation of data security kick-started a chain of events that would see privacy become established as a fundamental right. On December 10th, 1948, the right to privacy was explicitly advocated by article 12 in the United Nations’ Universal Declaration of Human Rights:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
The data processing debate
From 1980 onwards, the focus around privacy moved to how personal data was processed and transferred. Generation three of data security arrived in the form of the OECD’s guidelines produced in September 1980, asserting the core principles that should govern the handling of personal information.
It included limits around how data was collected, what it was used for, what security should be in place to protect it, and the rights an individual had to discover what information was being held about them. The OECD guidelines were non-binding though, resulting in disparity across Europe (and even more so globally). This ultimately inhibited the free flow of data throughout regions.
Then, in 1995, the EU Data Protection Directive arrived. This marked the beginning of the fourth generation of data security and sought to address data flow challenges by creating commonality across Europe (and by extension, greater consistency globally). With central principles of transparency, legitimate purpose and proportionality, it’s here we can see the same core traits that comprise GDPR start to emerge.
The GDPR era
GDPR represents the fifth phase of a journey that began back in Harvard University over 100 years ago. From May 25th, 2018, any organization that handles EU citizens’ personal data must adhere to very specific (and, for the first time, legally binding) responsibilities. And that’s regardless of whether or not they operate in the EU. GDPR will therefore have a resounding impact globally, not just in Europe.
The central tenet of GDPR is the protection of an individual’s privacy. Article 5 of the regulation states this simply and succinctly:
“Personal data shall be processed in a manner that ensures appropriate security… including protection against unauthorised or unlawful processing and against accidental loss.”
A positive force for citizens and businesses
As well as protecting individuals’ privacy, GDPR also aims to help businesses, by creating a common set of principles to govern and encourage the free flowing of data in a secure manner. Those embryonic initiatives to help data to flow securely between borders established in “generation three and four” have been fully realized thanks to the consistency asserted by GDPR.
Among the many empowering elements for individuals and businesses alike, there is a sobering responsibility placed on those who process data after May 25th. One of the primary requirements of GDPR is for organizations to adopt appropriate security protocols, or as it refers to them “security by design and by default”. This essentially calls for security measures to be baked into IT systems as they are built, rather than being retrofitted.
Gen V data security meets Gen V cyber threats
With headline-grabbing potential penalties, such as fines of up to 4% of worldwide turnover, businesses are understandably treading carefully. This is particularly acute in the era of fifth generation (Gen V) cyber threats.
The complex nature of these threats means organizations must now attempt to tackle accelerating data security expectations in the face of large-scale multi-vector attacks. These advanced Gen V cyber threats arrive from multiple platforms, moving very fast and infecting large numbers of businesses across the world in hours.
There are countermeasures, of course. Gen V cyber threats are best addressed by architecture-based cyber security that shares threat intelligence and uniformly prevents attacks across networks, clouds and mobile devices in real time. Alarmingly, though, our recent research shows just 3% of organizations have implemented these security practices.
As part of a fifth generation (Gen V) security approach, businesses must also embrace and fully adopt wider organizational changes to ensure they become (and remain) compliant. While this can be a far-reaching process comprising many factors, there are a set of critical first steps that must be considered: staffing, data auditing and classification, risk analysis, logging, and fundamental controls.
The perfect data protection storm
In short, there has never been a more challenging time for privacy and data security. Organizations across the world are confronted by a parallel pressure to respond to proliferating data protection expectations from citizens (and legislation) while new, advanced threats emerge.
That’s why keeping things simple and secure, with a universal yet comprehensive platform, is more important than ever.