
GDPR is officially effective! Does compliance have to be safe?

2025-04-04 update, from SLTechnology News & Howtos, Network Security section


Shulou (shulou.com), 06/01 report

The European Union's new data protection law, the GDPR (General Data Protection Regulation), has recently come into effect. Although the regulation was formally adopted two years ago with a two-year grace period, companies have generally been slow to move: most rushed to send large volumes of emails and messages at the last minute to solicit explicit consent from users. This raises the question: can GDPR compliance really be equated with security?

The Information Commissioner's Office (ICO), the UK's data protection regulator, said that as the GDPR deadline approached, its website had suffered "multiple interruptions".

Brussels firmly believes that GDPR will become a global benchmark for protecting people's online information security, especially in the wake of the Facebook data collection scandal.

EU Justice Commissioner Vera Jourova said the new law would allow Europeans to regain control of their data. Today, she said, personal data security is like floating naked in an aquarium.

Companies that violate the GDPR face fines of up to 20 million euros ($24 million) or 4 per cent of global annual revenue. For reference, the EU market has a population of 500 million.

Users' explicit consent is required

The key rule of GDPR is that individuals must explicitly give permission for their data to be used. It also stipulates that consumers have the "right to know" who processes their information and for what purpose.

People can object to their data being processed for commercial purposes and can even have it deleted under the "right to be forgotten". Depending on the member state, parental consent is required to process the data of minors below an age set between 13 and 16.

Is GDPR a global standard?

Large platforms such as Facebook, WhatsApp and Twitter appear ready for the new rules, while small companies seem hesitant to voice their concerns publicly.

EU officials say that GDPR was initially aimed at large companies, because their business models rely on sensitive personal information for advertising purposes, and that GDPR will give small businesses more time to adapt. Many in the US initially criticized Europe for imposing regulatory constraints too early on the new engine of the global economy, but now see the need for GDPR. A US university professor says that, at least in the US, companies have quickly begun to adopt some version of GDPR. The EU also said that Japan, South Korea, India and Thailand are discussing the need to enact similar laws.

Although GDPR compliance is a milestone in the history of security, it is worth remembering that compliance is not the same as security. The enhanced standards included in GDPR certainly bring benefits, just like the security requirements of PCI DSS, HIPAA and other compliance regimes. But outside the circle of security and regulatory agencies themselves, achieving and maintaining compliance should never be the ultimate goal of any security program.

Compliance does not guarantee security

It is important to bear in mind that many of the data breaches disclosed in recent years occurred at compliant companies. PCI compliance, for example, did not prevent a large number of retailers, financial services institutions and Internet providers from being compromised, just as a large number of HIPAA-compliant organizations suffered healthcare data attacks in 2016.

Compliance standards are not comprehensive

In fact, this pattern of attacks on compliant companies reinforces how compliance standards should be viewed and operated: they provide a useful cornerstone for a security program but are not sufficient on their own. The most effective security programs treat compliance as a relatively small component of a comprehensive security strategy.

While many compliance standards do provide valuable guidance, for example on data storage, user privacy and incident disclosure, they leave out a growing number of important areas. Security awareness, business continuity and penetration testing, employee education, and technical and policy controls are just a few examples. This is why it is necessary to look beyond compliance when assessing third-party risk and conducting due diligence on potential vendors: an enterprise's security posture cannot be fully reflected by its compliance status, which is only a small part of the picture.

For example, not all compliance standards that cover data storage mandate encryption. HIPAA specifically recommends encryption, but does not require encryption of PHI that is stored electronically. Just because the vendor of an electronic medical record system complies with HIPAA does not mean it encrypts PHI. The same is true of GDPR, which strongly encourages encryption of user data and punishes companies that fail to effectively protect user data, but does not mandate encryption. The same pattern holds for the standards of many other compliance regimes.

Threats evolve faster than compliance standards

Adversaries, whether they are finding new ways to identify 0-day vulnerabilities or bypassing the latest anti-fraud controls, are constantly changing their tactics, techniques and procedures (TTPs) and the threats they pose. These rapid changes are the reason why staying ahead of attackers requires a dynamic, iterative security approach.

However, there is a significant difference between this approach and the static nature of compliance standards and the compliance-centric security programs built around them. HIPAA has not revised its security requirements since it issued the Security Rule in 2003, although a large number of data breaches and extortion attacks have since hit the healthcare industry and captured the PHI of millions of people. Although the PCI standard is updated more frequently, it still falls far short of the pace at which the threat landscape evolves. For example, while the rollout of EMV chip technology has helped reduce payment card fraud, many other types of fraud, such as gift card fraud, identity theft and tax fraud, are on the rise.

While compliance standards should be, and can only be, part of a broader security strategy, achieving and maintaining compliance remains a burdensome and resource-intensive process. For many organizations, strict deadlines, complex implementations and heavy penalties for non-compliance make a compliance-centric security approach seem like a reasonable and correct decision. But it is worth remembering that while many compliance standards do offer significant and clearly visible security benefits, they are not yet comprehensive or flexible enough to be the sole focus of an effective security program.
