Two Years Later: 3 Ways GDPR Has Affected Cybersecurity

  • By Maddie Rosenthal
  • 14 May 2020

This month we celebrate the two year anniversary of the General Data Protection Regulation (GDPR). While the road to compliance hasn’t been easy for organizations in Europe and beyond, it’s clear this benchmark legislation has been a step in the right direction for data rights, privacy, and protection. 

It’s also had a big impact on cybersecurity.

Not only is cybersecurity now considered business-critical – which is big news for an industry that has historically struggled to communicate its value and ROI – but we’ve seen incredible innovation in security solutions, too.

Read on to learn more about how GDPR has affected cybersecurity or, for more context around GDPR and its implications, read GDPR: 13 Most Asked Questions + Answers

1. Cybersecurity is now a business enabler 

While cybersecurity has historically been a siloed department, data privacy regulations and compliance standards like GDPR have helped prove the business value of a strong cybersecurity strategy. 

To start, cybersecurity solutions help organizations stay compliant by preventing data breaches. This isn’t trivial. While the fines under these new compliance standards are hefty (GDPR fines totaled nearly €50 million in the first quarter of 2020 alone), the implications of a breach extend far beyond regulatory penalties to include:

  • Lost data
  • Lost intellectual property
  • Revenue loss
  • Losing customers and/or their trust
  • Regulatory fines
  • Damaged reputation

It’s no surprise, then, that the UK’s cybersecurity sector has grown by 44% since GDPR was rolled out.

But, cybersecurity solutions don’t have to be limited to prevention or remediation. In fact, cybersecurity can actually enable businesses and become a unique selling point in and of itself. Now that data protection is top of mind, those organizations that are transparent about their policies and procedures will have a competitive advantage over those that aren’t and will gain credibility and trust from prospects and existing customers or clients. 

“You’re only going to win more work if you’re reputable. And you’re only going to be reputable if you demonstrate you have a strong information security framework.”
Mark Parr Global Director, HFW

2. IT leaders are engaging with (and depending on) employees more often

While cybersecurity teams are responsible for creating and implementing effective policies, procedures, and tech solutions, data protection is the responsibility of the entire organization. Why? Because data loss is a human problem with 88% of breaches being caused by human error, not cyberattacks.

The fact is, employees control business’ most sensitive systems and data, and one mistake – whether it’s a misdirected email or a misconfigured firewall – could have tremendous consequences. That means accountability is required company-wide in order to truly keep data secure and stay compliant. 

But, education is the first step in prevention which is why there’s express advice contained within the GDPR to train employees. Importantly, though, training has to actually cut through and stick, which means IT leaders are working hard to effectively communicate risks and responsibilities. Of course, anyone in a cybersecurity leadership position knows this is no easy task. 

The key is to ensure training is aligned to the individual business, starting with the people in it and their attitudes towards security. Not sure where to start? Watch Mark Lodgson, Head of Cyber Assurance and Oversight at Prudential, talk about how he measures cyber culture within his organization.

3. The DLP market is booming 

Post-GDPR, organizations are spending more than ever to protect their systems and data, and, unsurprisingly, one of the top spending priorities for IT leaders is data loss prevention (DLP).

While the DLP market is keeping up with demand (DLP market revenues are projected to double from $1.24 billion in 2019 to $2.28 by the end of 2023), data loss prevention remains a pain point for most senior executives because, well, most DLP solutions don’t work.

According to a new report from 451 Research “DLP technology has developed a reputation as much for inaccuracy, false positives, and poor performance as it has for protecting data.” The shortcomings of DLP solutions are reflected in the number of incidents of data loss and data exfiltration being reported, too, up 47% over the last two years.

The problem is that most DLP solutions rely on rules to detect and prevent incidents and most rules cannot effectively be managed by people. It’s too time consuming and complex to update them in tandem with evolving human relationships and compliance standards. But, there’s a better way: machine learning.

In fact, Tessian was recently recognized as a Cool Vendor in Gartner’s Cool Vendors in Cloud Office Security report. Why? Because, through a combination of machine intelligence, deep content inspection of email, and stateful mapping of human relationships, Tessian’s Human Layer Security Platform turns your email data into your biggest defense against email security threats. 

To learn more about how Tessian uses machine learning to prevent data loss on email, click here

What’s next?

GDPR is just the beginning and the CCPA enforcement date is looming. Are you prepared? Find out on our blog: 5 Things Every CISO Should Know About CCPA’s Impact on Their InfoSec Programs.

Maddie Rosenthal