The unintended consequences of GDPR

This is not what the regulators had in mind. Business leaders, ignore at your own peril.

Image: Binary flag of the European Union viewed through a magnifying lens, showing a ripple effect (MixMagic / Getty Images).

GDPR has done a world of good. It has forced us to understand digital privacy, informed consumers of their rights and put a steep monetary value on non-compliance. In a nutshell, the whole of it can be summarized as a set of responsibilities for the business – what data are you collecting about me, where is it stored, who in your organization can access it, what safeguards protect it, and when will you notify me (and the authorities) if it has been compromised – and a set of rights for the customer: access to, modification, erasure and transfer of my data at any time.

What is the common denominator in all of the above?

Data underpins every aspect of GDPR. That is nothing surprising, yet the regulation has amplified the value of this digital currency in our lives, and that has not been lost on the attackers. The mental health facility that chose to pay its ransomware attackers rather than fight them or restore from its own backups is not a unique case.

Hackers know that most organizations' risk profile would cause them to settle

The most egregious case is the attacker who has expended no effort at all on an actual intrusion and simply sends a threatening email claiming to hold the customers' data, demanding a princely sum (still below the organization's risk budget and far below the GDPR fine ceiling) in exchange for not disclosing it. Genius from one point of view – the attacker's – but outrageous from the business's and the consumer's. The only sensible response is to treat such a claim as exactly that, a claim: demand a sample, check it against what you actually hold and against your own access logs, and never pay on an assertion alone.

Consumer turned bounty hunter

Recall the consumers' rights: access, modification, erasure and transfer. Now imagine a consumer with enough time and malicious intent who decides to test a provider's ability to honour one or more of those requests within the one-month deadline the regulation sets. If the provider fails, he or she can hold the business hostage, threatening to report it to the supervisory authority unless it settles for a modest sum. Spooky?

None of this is the blueprint GDPR was meant to produce. Nevertheless, the regulation has exposed the value of data, and it is only a matter of time before such incidents become mainstream.

So, what is a business to do? Start paying up?

There are some important steps every business leader undergoing a digital transformation should take, which today means every business leader in the world.

1. Be very cognizant of what data you collect and why

Just because you can doesn't mean you should. This age-old truism applies directly to the rampant data collection most businesses engage in today. More IoT devices, cheap cloud storage and the hunger of AI for training data add up to an insatiable appetite for collection. That should be the first port of call: raise the bar and change the equation. What data are you collecting, and why? Every field you never collect is one you can never lose, never have to secure and never have to produce on request.

2. Continuously classify data from the critical to the unimportant

This is frequently overlooked, partly because of #1 but also because many organizations have no methodology in place for data classification. Classification will not eliminate the possibility of a breach or a ransom demand, but it lets you concentrate scrutiny, people and money on the highest-value data instead of spreading them evenly across everything you hold.

3. Simulate D-day situations

This is probably the most unpleasant tactic. Those of us living in earthquake country are urged to rehearse what we would do when disaster strikes – what we would grab first, what brace position we would assume, and where … For a business, having a game plan for the day a ransom demand threatening to reveal sensitive customer data arrives means role-playing that exact scenario and watching how the organization responds. Undoubtedly there will be chaos the first time. But learning from that initial meltdown, and putting in place a framework that lets choices be made on a variety of factors – human, financial, market, competitive – makes a business far more agile, proactive and prepared. The rehearsal should include the decisions that matter under the regulation: who verifies whether the attacker's claim is real, who decides on payment, and who owns the 72-hour breach notification clock to the authorities.

GDPR has done a world of good: it has exposed what data privacy really means, educated and empowered consumers about their rights, and turned business leaders' previously jaundiced view of regulation into a mainstream conversation. But it has also provided the same education, empowerment and transformation to the bad guys. We need to recognize that, and let it stoke proactive action rather than paralyze us with fear. Then GDPR will be a gift that keeps on giving for a long time.

Copyright © 2018 IDG Communications, Inc.