It’s been more than a year since the European Union’s General Data Protection Regulation (GDPR) took effect and shifted the conversation around user privacy/information rights. In that span of time, we’ve already witnessed the new standard at work. Perhaps its most monumental show of force came in January 2019 when French data regulator CNIL fined Google 50 million euros for a breach of GDPR with respect to its advertising practices, as reported by BBC News.
Given such penalties, you would think that organizations that store EU citizens’ data, particularly those located in the European Union, would be increasing their security spending so that they’re not the next victim of a data breach. But new research from Thales reveals that’s not happening. At least not as much as it was.
In its 2019 Thales Data Threat Report European Edition, the multinational company found that the percentage of European IT decision makers (ITDMs) who expected their IT security spending to increase over the next year fell by nearly half, from 72 percent in 2018 to 41 percent a year later. Thales also found that the share predicting a decrease in their security spending doubled in 2019, to 18 percent. So too did the percentage of those who thought their spending would remain the same going forward (21 percent of ITDMs in 2018 compared to 42 percent in 2019).
These findings raise a question: what’s behind this diminishing momentum for EU organizations in their GDPR compliance efforts? Thales feels the answer is that many organizations are pursuing a gradual approach to their compliance efforts. As it writes in its report:
“…They have developed consistent data security and compliance processes in order to demonstrate readiness. However, these have often been developed on a manual basis, with plenty of scope remaining to achieve compliance on an automated basis. In other words, data security and GDPR compliance are yet to become operationalized into business-as-usual.”
That’s not to say these organizations don’t have plans for the future, however. Thales’ report found that just under half of firms covered under its study support various data security technologies. Those that don’t said they have plans to implement various new technologies in support of their digital security over the next year.
Among all other security measures, file encryption, database encryption and encryption in the cloud were at the top of organizations’ to-do lists going forward. Even more specifically, Thales found that encryption of data stored at the service provider (with keys managed by the provider) as well as support for hardware security modules (HSMs) were among organizations’ top concerns for their software-as-a-service (SaaS) deployments.
These worries are actually welcome news for encryption, as many organizations currently don’t implement encryption all that much. Indeed, Thales found that just 27 percent of European organizations use encryption to secure email messages, data at rest on PCs and info stored within data centers. There’s clearly an opportunity for more EU organizations to begin using encryption.
But it’s not that simple. When this other 63 percent of organizations embrace encryption within the coming year, they need to make sure they do it right. That includes making sure they have complete visibility over their new keys and certificates. This posture is imperative for detecting potential security incidents, foiling data breaches and complying not only with GDPR but also a range of other data protection regulations that emphasize the importance of maintaining a strong security posture for encryption.