GDPR is here – now what?

Look at the General Data Protection Regulation (GDPR) and the revised Payment Services Directive (PSD2) as opportunities to adopt sound data protection practices.


This past Friday, May 25th, online service providers inundated us with emails announcing their updated privacy policy, all tied to the European Union’s General Data Protection Regulation (GDPR) taking effect.

There are growing concerns over whether GDPR will stifle the way organizations do business, and if enterprises have fully complied within a timeframe that — despite the lead time — seemed to have gotten away from many of us. 

Despite the many breaches affecting enterprises, many C-level executives — just like consumers — are forced to admit that they are unsure where their data is, as well as how and by whom it’s being used. Government’s best shot at answering that question, mainly with consumers in mind, isn’t exactly light treatment. However, we should look at GDPR and its payments cohort, the revised Payment Services Directive (PSD2), as opportunities rather than obstacles to adopting sound data protection practices, whether for user authentication or transaction authorization.

GDPR: The biggest shake-up to data privacy

One of GDPR’s main provisions is a mandate that special categories of user data derived from personal characteristics – e.g. biometrics deployed for social, convenience or security features – may not be processed or stored by EU firms, or by firms operating in the EU, without express consent from the end user. This is a considerable leap from the implied consent given by users, often on social media platforms and mobile banking or payments apps. It’s also a startling wakeup call for enterprises that might be lax about, or even unaware of, the data they collect. With the ultimatum to comply or pay a steep fine, the more innovative financial and other enterprises will do away with seeking consent to retain user data. They’ll abandon the practice of holding touchy data of this kind entirely, and instead seek authentication and payment solutions that ensure they don’t hold this data in the first place.

The security risks of rushing to comply

Organizations that scrambled to comply with GDPR may have inadvertently settled on measures that are incomplete, too costly, or reflective of a poor security posture. Some of the world's largest companies have spent millions of dollars on experts and solutions for GDPR compliance, while smaller companies struggled. Forrester recently reported that 26 percent of EU businesses claim to comply with GDPR but focused too heavily on IT measures that meet only specific requirements. Rather than taking a proactive approach by examining what works and what does not within the company (e.g. does the staff lack expertise? does the company rely on legacy systems? do employees practice good security hygiene?), businesses put all their attention on IT processes alone.

Does a solution to comply with tightening regulations exist?

Comprehensive solutions that make sense for businesses to deploy from a regulatory, technical and business standpoint do exist. Enterprises should invest in technologies that keep the business ahead of GDPR, adopting those that deliver a clear ROI: the savings they offer (rather than spending exorbitant amounts of money on something that solves only part of the problem), the contributions they make to customer retention or the brand, their lasting appeal, and other considerations.

One such solution is decentralized authentication. Tight regulations like GDPR and PSD2 have essentially made this model — a strength of which is on-device authentication, as well as the ability to secure all kinds of login and payment modes, including biometrics — a requirement. Too often, data is warehoused by enterprises in a central repository, creating a single point of failure that becomes a bull’s-eye for hackers. Decentralized authentication removes a hacker’s primary target, the single centralized credential store, preventing data breaches and eliminating credential reuse while fostering the emerging trend of password-less logins and mobile payments.

With the knowledge that passwords and PINs are not enough to defend against hackers when centrally architected, some organizations, like Google, have taken a step forward by adopting open standards developed by the FIDO Alliance. These encourage seamless user experiences through decentralization, where the end users’ login information – biometrics, PINs, passwords and bankcards – is isolated and encrypted on their own devices. This relieves the now heavily regulated service provider of the burden of storing user data, while it retains control over the access, experiences, and devices in use.
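The FIDO model the paragraph refers to is public-key challenge-response: the device keeps a private key behind its local unlock, and the service stores only the matching public key, so there is no credential for a breached server to leak. The sketch below is an added illustration of that split, not the FIDO specification or any vendor's code; the relying-party id "bank.example", the credential id and the `rpID + "|" + challenge` signing format are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// RelyingParty models the service provider's store: public keys and pending
// challenges only, never biometrics, PINs or passwords. IDs here are constructed.
type RelyingParty struct {
	ID      string                       // e.g. "bank.example"
	pubKeys map[string]ed25519.PublicKey // credential id -> public key
	pending map[string][]byte            // credential id -> single-use challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register runs on the user's device: the private key stays there (unlocked
// locally by fingerprint or PIN) and only the public half is sent to the RP.
func Register(rp *RelyingParty, credID string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err == nil { rp.pubKeys[credID] = pub }
	return priv, err
}

// Challenge issues a random single-use nonce for the device to sign.
func (rp *RelyingParty) Challenge(credID string) ([]byte, error) {
	if _, ok := rp.pubKeys[credID]; !ok { return nil, errors.New("unknown credential") }
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { return nil, err }
	rp.pending[credID] = c
	return c, nil
}

// Sign runs on the device and binds the assertion to the RP id (cross-service replay fails).
func Sign(priv ed25519.PrivateKey, rpID string, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(rpID+"|"), challenge...))
}

// Verify uses the stored public key and consumes the challenge, so a replayed assertion fails.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[credID]
	pend, had := rp.pending[credID]
	if !ok || !had || string(pend) != string(challenge) { return false }
	delete(rp.pending, credID)
	return ed25519.Verify(pub, append([]byte(rp.ID+"|"), challenge...), sig)
}
```

A dump of `pubKeys` is useless to an attacker, which is the property the paragraph describes: the regulated provider never holds the secret it would otherwise have to protect.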

Decentralization plays a pivotal role in helping businesses comply with GDPR and PSD2; however, it helps enterprises achieve much more by addressing the root causes that led to the creation of GDPR, such as the real and perceived lack of trust consumers have in the applications they use and the demoralizing realization that privacy is inconsistent with participating in life online. Decentralized authentication solutions respond to enterprise appetites to lower data storage risks while putting clients, customers and all other stakeholders at ease when it comes to the proper use and ownership of their sensitive data.

In the age of GDPR and approaching regulations like PSD2, technologies that are especially far-reaching in their capacity to provide security and privacy are what will help with compliance hurdles. They might also quell consumer unease about these challenges, which are the impetus for regulations like GDPR, and therefore mandates of this kind present service providers with a tremendous opportunity to deliver more and better services.

This article is published as part of the IDG Contributor Network.