The General Data Protection Regulation (GDPR) came into force five years ago and has generated a great deal of enthusiasm, particularly among data privacy advocates. Its influence on IT security, on the other hand, has only been mentioned in passing. Yet the GDPR has proven beneficial on several levels.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) became legally binding at European level. Its primary aims were to ensure the protection of personal data within the European Union and, at the same time, to enable the free movement of data within the European single market. The principles of “privacy by design” and “privacy by default”, the mandatory role of a data protection officer in companies and public authorities, and the “right to be forgotten” are the best-known elements of the regulation.
Improving IT security, however, is not explicitly part of its catalog of tasks. Nevertheless, implementing the GDPR requirements has done more for IT security than many other laws. As an unintended side effect, its introduction has prompted industry and companies to step up their efforts to improve both data protection and security. These efforts include:
System hardening for better attack defense
Data protection breaches mostly result from IT incidents. When the GDPR came into force, it became necessary to harden systems against external and internal attacks. Firewalls and intrusion detection systems, which recognize and block unwanted network traffic, are used in particular to protect front-end systems. Encryption and multi-factor authentication have become established for hardening back-end systems and make it more difficult for sensitive data to be spied on.
Data security for greater cyber resilience
With these prerequisites in place, digital assets such as documents, files or videos can now be better protected against attacks, encryption by ransomware, theft and unauthorized access. The development of comprehensive defense-in-depth strategies for cyber resilience makes it possible to detect, ward off and eliminate system disruptions caused by cyber criminals at an early stage. The continuous review of access rights (who may access what) and regular penetration tests, which check systems for the effectiveness of their security measures and can thus uncover potential vulnerabilities, are also part of these far-reaching defense strategies.
Strict data separation for greater security
Due to the General Data Protection Regulation, professional data and applications must be strictly separated from private data. On the hardware side, concepts such as Bring Your Own Device (BYOD) and Corporate-Owned, Personally-Enabled (COPE) emerged, which enabled not only ultra-mobile working but also the use of a single communication device for all purposes. Thanks to new software technologies such as containerization, private and professional data can be strictly separated from each other on the device, so that these concepts can be implemented securely and, above all, in compliance with the GDPR.
Stricter compliance rules for greater awareness
The GDPR not only had an impact on IT security on the technical side; it also triggered changes at the procedural level. The stricter rules mean that companies are forced to constantly review and adapt their internal processes so that they remain GDPR-compliant. Because of the tightened compliance rules, new methods, processes and tools had to be developed; for example, combined development and IT operations (DevOps) and security operations (SecOps) practices have emerged. Regular data protection audits and awareness-raising measures for employees are typical examples of these tightened compliance rules.
The introduction of the General Data Protection Regulation has had a positive impact on IT security. In addition to technical and organizational progress, it has contributed in particular to raising awareness of security issues among companies and their employees.