GDPR is coming. Rapidly, as it so happens, and at the time of writing there is just over 6 months to go until the 25th May 2018 deadline for compliance. Since the GDPR was adopted by the EU in 2016, businesses have been trying their best to understand the impending data protection regulation and, ultimately, ensure they are compliant. The GDPR is no straightforward matter, though, as much of the phrasing is purposely vague to allow for possible technological advances, and to ensure that the regulation itself does not become obsolete in the near future. The idea is that if the GDPR specified which technologies a business had to employ in order to safeguard its data, those technologies could be superseded by newer ones – thus reducing the effectiveness of the regulation. A key GDPR requirement, under Article 32, states that data controllers and processors are required to “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing”. But what exactly does state of the art mean?
The EU has specifically worded some GDPR requirements in a vague manner, to ‘future-proof’ them from technological advances
If you’re confused, you’re not alone. As the regulation deadline looms closer, the EU Working Party has been working to clarify the practical applications of the new laws, but has yet to give solid clarification on the GDPR requirement for technical measures. Recently, international cyber security giant Trend Micro completed a survey of over 1000 IT decision makers, which sought to assess their understanding and interpretation of what “state of the art” technology entails. The results showed that businesses have quite varied ideas about what would meet the criteria.
- 30% of businesses defined it as buying security from an established market leader
- 17% defined it as using products that pass independent, 3rd party tests
- 16% believed it referred to products that are highly rated by analysts
- 14% thought it covered start-ups providing innovative technology
- 12% were more concerned with the potential cost than the specific GDPR requirement
- 9% were unable to provide any definition at all
“There are many hurdles for businesses to overcome in establishing GDPR compliance – trying to demystify what ‘State of the Art’ means is but another challenge on the list,” according to Rik Ferguson, Trend Micro’s vice president of security research. “Regulatory enforcement bodies should offer further clarification on what ‘State of the Art’ means, so businesses can ensure they’re not stepping into a fine once May 2018 arrives.”
In addition to asking businesses what they thought state of the art meant, the survey also asked these businesses what measures they were actively undertaking in order to meet the GDPR requirement.
- 34% were investing in network-layer security to spot intruders
- 33% were focusing on data loss prevention (DLP)
- 31% thought encryption was the best way to go
Ultimately, however, many businesses seemed to be opting for a single-facet approach, instead of the comprehensive and layered approach that modern cyber security standards require. Until the EU or the Working Party comes out and clarifies exactly what will equate to a pass or fail come 2018, businesses must do their best to prepare their defences in order to meet the regulation. Our advice (which is not legal advice, by the way) is always to look to current industry best/good practice guidelines and ensure that your approach is thorough and well documented. While the maximum fine for a data breach under GDPR will be €20 million (or 4% of gross turnover, whichever is higher), the EU has stated that it will take into account the individual circumstances and how prepared a business was for such an incident.
Let’s take an example – two companies each suffer a data breach. Company A employed next-generation antivirus and firewalls, trained their staff in cyber security awareness and data protection, ensured all their PCs were regularly patched, backed up their data both locally and offsite, and had a thorough process to review and document their cyber security framework. Company B had used the same traditional antivirus for the past 10 years, had trained only their accountancy staff in data protection several years ago, had no backups, and only patched their PCs sporadically. The governing data protection authority for these two companies would hand down a drastically higher fine for Company B, as their attempts to meet the technological GDPR requirement could not be considered even remotely “state of the art”, whereas Company A would receive a reduced fine as they closely followed industry best practice.
So, in short, even if you don’t know exactly what the GDPR is asking of you at the moment, it’s possible to construct an educated guess and take relevant steps towards compliance. Still confused? We offer cyber security services and consultations for businesses to help them bring their cyber security up to scratch, whether they seek to be GDPR compliant, or just want to show their customers that they take their data and security seriously. There’s no time to lose.