Weaponizing GDPR: When the Right to Erasure Turns Ugly

essidsolutions

GDPR applies to every business that handles the personal data of people in the EU, and to every one of their customers. If a business does not comply, the fines and the reputational damage can be crippling. Dr. Guy Bunker discusses what could happen to organizations if the regulation is used maliciously.

It is estimated that 75% of employees will exercise their right to erasure now that the General Data Protection Regulation (GDPR) has come into full effect. However, fewer than half of organizations believe they could handle a ‘right to be forgotten’ (RTBF) request without any impact on day-to-day business.

These findings highlight the underlying issues we are seeing in the post-GDPR era and how the new regulation puts businesses at risk of non-compliance. What is also worrying is that there are wider repercussions for organizations that are not prepared to handle RTBF requests.

No matter how well a business is run, there is always the possibility of someone who holds a grudge against it and wants to disrupt daily operations. One way to do this, without resorting to a conventional cyber-attack, is to inundate the organization with RTBF requests. If the company already struggles to complete a single request, a flood of them can drain its resources and grind the business to a halt. Failing to complete the requests within the statutory deadline then adds a non-compliance finding on top of the disruption: a double whammy.

An unfortunate consequence of GDPR is that an erasure request is free to submit, which makes it more likely that customers, or those with a grudge, will ask to have their data removed. (Article 12(5) does let a controller charge a reasonable fee for, or refuse, requests that are manifestly unfounded or excessive, but the controller bears the burden of proving that, and a flood of individually plausible requests from different people does not obviously qualify.) There are two kinds of request. The first is a simple opt-out: removing the name, usually an email address, from marketing campaigns. The other is the more time-consuming, complex discovery and removal of all applicable data. It is this second type of request that hacktivists, aggrieved customers, or other attackers could weaponize.

One RTBF request is relatively easy to handle, as long as the company knows where its data is stored, and the organization has one month from the day the request was received to complete it. (Article 12(3) allows that period to be extended by up to two further months where requests are complex or numerous, but the data subject must be told of the extension, and the reasons for it, within the first month.) However, if a company is inundated with requests arriving on the same or consecutive days, the backlog becomes difficult to manage and can heavily impact daily operations.

This kind of attack is comparable to a Distributed Denial of Service (DDoS) attack, such as last year’s attack on the UK National Lottery, which knocked out its entire online and mobile service for hours because criminals flooded the site with traffic: the organization is overloaded with so many requests that it has to stop serving them entirely. When preparing for a flood of RTBF requests, it is essential that every organization has a plan in place that streamlines the discovery and deletion of customer data, making it as easy as possible to complete multiple requests simultaneously rather than one at a time.

Strengthen the Weakest Link

The first thing to consider is whether the workforce knows what to do should an RTBF request come in (let alone hundreds). Educating all employees on what to do when a request is made, including who in the company to notify and how to respond to the requester, is essential to ensuring the organization is prepared.

It means that any RTBF request is dealt with both correctly and promptly. The process must also have clearly defined responsibilities, and its actions must be auditable. For companies with a Data Protection Officer (DPO), or someone who fulfills that role, this is where the process should begin.

Defense in Data Discovery

The key to responding to RTBF requests efficiently is discovering the data. The team responsible for completing requests must know where all of the organization’s data is stored, so a complete list of where the data can be found, and how to find it, is crucial.

While data in structured storage, such as a database or an email system, is relatively simple to locate and act on, it is the unstructured data, such as reports and files, that is difficult to find, making it the biggest drain on time and resources.

Running a ‘data discovery’ exercise is invaluable in helping organizations learn where data is located, as it finds data on every system and device, from laptops and workstations to servers and cloud drives. Only when you know where all critical data is located can a team assess its ability to delete it and, where applicable, remove all traces of a customer.

Repeating the exercise will highlight any gaps and indicate where additional tools may be required to address requests. Data-at-rest scanning is frequently one component of a Data Loss Prevention (DLP) solution.
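The point above about discovery, and the earlier point about completing many requests simultaneously, can be shown in working code. The following is an added example written for this page; it is not code from the article or from any product it mentions. It assumes that each pending request carries the identifiers the data subject supplied (an email address and, optionally, a customer ID), that unstructured data lives in a directory tree of text-like files, and that the one-month deadline is counted in calendar months. Every path, file and request below is constructed for the demonstration. The design point it makes is that a flood of requests is only a denial of service if each request triggers its own scan: compiling all pending identifiers into one matcher makes the cost one pass over the file store, however many requests are queued.

```python
"""Batched data-at-rest discovery for a queue of right-to-erasure requests.

Added example, not the article's or any vendor's code. Assumptions: requests
carry the subject's own identifiers; unstructured data is a tree of text-like
files; Article 12(3) deadlines are computed in calendar months. All data here
is constructed for the demo.
"""
import calendar
import os
import re
import tempfile
from collections import defaultdict
from datetime import date

# File types read as text. Office and PDF documents need a content extractor,
# which is what a DLP data-at-rest scanner adds on top of a walk like this.
TEXT_EXTENSIONS = {".txt", ".csv", ".json", ".log", ".md", ".eml"}


def build_matcher(requests):
    """Compile the identifiers of EVERY pending request into one regex.

    One pass over the file store then serves all N requests, so a flood costs
    O(corpus) rather than O(corpus x requests). Identifiers are escaped so a
    hostile request cannot smuggle in regex metacharacters; matching is
    case-insensitive because addresses are stored in mixed case. Returns
    (pattern, lookup), where lookup maps a lower-cased identifier to its request.
    """
    lookup = {}
    for req in requests:
        for ident in req["identifiers"]:
            lookup[ident.lower()] = req["request_id"]
    if not lookup:
        return None, lookup
    # Longest alternative first so an identifier that is a prefix of another
    # cannot win; (?<!\w) and (?!\w) require a whole token, so "alice@..."
    # does not match inside "malice@...".
    alternatives = sorted((re.escape(i) for i in lookup), key=len, reverse=True)
    pattern = re.compile(r"(?<!\w)(?:" + "|".join(alternatives) + r")(?!\w)", re.IGNORECASE)
    return pattern, lookup


def scan_tree(root, pattern, lookup):
    """Walk root once; return {request_id: [(relative_path, line_no, match), ...]}.

    A request that is absent from the result held no data in the tree, which
    must still be recorded as an outcome ("nothing held") for the audit trail.
    """
    findings = defaultdict(list)
    if pattern is None:
        return findings
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue  # binary or unknown type: needs an extractor, flag separately
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for m in pattern.finditer(line):
                        findings[lookup[m.group(0).lower()]].append((rel, line_no, m.group(0)))
    return findings


def add_months(d, n):
    """Calendar-month arithmetic; clamps to the last day of a shorter month."""
    month_index = d.month - 1 + n
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(received, extended=False):
    """Art. 12(3): one month from receipt, or three if the extension is invoked."""
    return add_months(received, 3 if extended else 1)


def demo():
    """Constructed file store plus three queued requests, discovered in one scan."""
    requests = [
        {"request_id": "RTBF-001", "identifiers": ["alice@example.com", "C-10042"], "received": date(2018, 5, 31)},
        {"request_id": "RTBF-002", "identifiers": ["Bob.Smith@example.org"], "received": date(2018, 6, 1)},
        {"request_id": "RTBF-003", "identifiers": ["carol@example.net"], "received": date(2018, 6, 1)},
    ]
    files = {  # constructed sample content; vendor.bin is deliberately unscannable
        "crm_export.csv": "id,email\nC-10042,ALICE@example.com\nC-10043,dave@example.com\n",
        "reports/2018/q1_churn.txt": "Escalation from bob.smith@example.org regarding C-10042.\n",
        "reports/2018/notes.md": "Nothing personal here.\n",
        "vendor.bin": b"alice@example.com inside a binary this walker does not parse",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "reports", "2018"))
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb" if isinstance(content, bytes) else "w") as fh:
                fh.write(content)
        pattern, lookup = build_matcher(requests)
        findings = scan_tree(root, pattern, lookup)
    deadlines = {
        r["request_id"]: (response_deadline(r["received"]).isoformat(),
                          response_deadline(r["received"], extended=True).isoformat())
        for r in requests
    }
    return dict(findings), deadlines


if __name__ == "__main__":
    found, due = demo()
    for req_id, (standard, extended) in due.items():
        print(req_id, "due", standard, "(extended:", extended + ")", found.get(req_id, "nothing held"))
```

Note that the scan reports a location and a matched token, not a deletion: the output is the inventory a DPO reviews before anything is removed, and files the walker cannot read (the `.bin` above) still have to be counted as a gap rather than silently treated as clean.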

Stray Data – a Ticking Time Bomb

Knowing where data is stored within the organization is not the end of the journey, however. The constant sharing of information with partners and suppliers also has to be taken into account, and for this, understanding the data flow into and out of the company is important. Under GDPR’s joint-controller and processor provisions, every partner that handles the data shares responsibility, so a breach at a partner, or an RTBF request that cannot be completed because a partner still holds the data, exposes all of them. Article 19 also obliges the controller to tell each recipient to whom it disclosed the data that erasure has been requested, which is impossible if the recipients are not known.

If critical data sitting with a partner is not tracked by the company that received the RTBF request, the request cannot be fully completed, and the organization could face fines of up to 20 million EUR or 4% of global annual turnover, whichever is higher. It is therefore even more important to know how and where critical data is moving at all times, and to limit the sharing of information to those who need to know.

While there is no silver bullet to prevent stray data, there are technologies that help control the data sent both into and out of a company. Automated controls such as Adaptive Redaction and document sanitization help ensure that no recipient receives critical data it is not authorized to hold. This builds confidence in the security of critical data for both the organization and the customer.

With the proper processes and technologies in place, dealing with RTBF requests becomes straightforward, whether a request is legitimate or an attempt by hacktivists or disgruntled customers to wreak havoc on an organization. Streamlining data discovery and controlling the data flowing into and out of the company are what allow a business to complete an RTBF request, and ultimately defend itself against malicious use of GDPR.