Virginie Hollebecque, Vice President and Head of Regional Business for EMEA at Ciena: It’s been two years since the European General Data Protection Regulation, or GDPR for short, came into force in Europe, marking an important milestone for how organizations can collect, store, and use data – and especially customers’ Personally Identifiable Information (PII). At the time, there was lots of fear, uncertainty, and doubt about the new regulations, with every headline boldly announcing fines of up to €20 million or 4% of a company’s annual turnover. It was enough to get everyone’s attention. 

Two years on, we are seeing some major security breaches and regulatory fines being reported in the press, are organizations are still unsure if they’re doing enough on data protection? 

Raffi Varoujian: At the beginning there was a lot of uncertainty, but it’s also worth reflecting that the huge regulatory fines making the headlines are reserved for the most persistent and egregious offenders. Having said that, for any organization uncertain about the GDPR, it’s very important to understand the potential non-compliance risks for your specific business, and to have an adequate compliance plan in place that you improve continually, based on recommended best practices for data protection. 

If you don’t have a suitable plan in place, you increase your chances of a breach, and regulatory fines average around €65,000 for first time offenders, which is a very substantial figure for many businesses. If you deal with hundreds or thousands of customer records, having an effective, mature GDPR-compliant strategy in place is even more important as this kind of data is considered sensitive information under the regime. 

Virginie: What are the most common causes of GDPR-non-compliance? 

Raffi: A few notable examples we’ve seen fines given for recently are:

• Not being transparent enough with data privacy notices meaning a company did not have enough information on its website about how data it was collecting was going to be used and using obscure and confusing language in its data notices.
• Going through an acquisition of a company with a different data privacy regime that was much less stringent and the regulator assigning full responsibility to the acquirer
• Hackers setting up a spoof website harvesting personal information where the company had not done enough on security to prevent it from happening

To help you build a strong GDPR-compliance strategy, it’s definitely worth learning from the different types of data breaches and malpractice that are being sanctioned by the regulator and updating your strategy accordingly.

Virginie: But isn’t the GDPR just for Europe? If I’m in another region, why should I be interested?

Raffi: Two years ago many data protection officers and others in the EU were wondering whether the rest of the world will take the GDPR seriously. In some cases, companies were not concerned about it, but that has all changed now.

The GDPR has become a catalyst for countries around the world who are looking to beef up their data privacy regulations. It has formed the basis for a range of regional data regulations, including the California Consumer Protection Act (CCPA), with similar legislation planned or recently implemented in Brazil, India, Russia, Singapore, Japan, the Middle East, and elsewhere. There will obviously be some local variations in the regulations, but the central philosophy and principles of the GDPR are very likely to remain and predominate.

Virginie: It’s also worth reflecting on how organizations’ digital transformation initiatives are impacting their GDPR compliance. You might assume that digital transformation is about making data and processes safer and more automated, but many of the newer technologies being deployed in corporate networking and IT environments can also increase the attack surface for hackers who are interested in stealing sensitive operational and customer data. Cloud computing, edge computing, 5G, and the huge proliferation of network-connected devices that form the foundation for IoT can potentially increase the network or IT attack surface. 

As a trusted partner, Ciena’s security capabilities stem from our commitment to secure our business: from protecting our own information assets and those of our partners, to delivering solutions with confidence in the processes and controls that go into the design, deployment and operation of a Ciena-enabled network.  Ciena’s Adaptive Network^TM can help you minimize risk and support GDPR compliance with comprehensive solutions that ensure the confidentiality, integrity and availability of data in the network:

• CONFIDENTIALITY: To ensure data remains private and secure, our WaveLogic Encryption solutions encrypt all in-flight data end-to-end, with essentially no increase in latency, ensuring that your data is protected based on the highest security cryptography standards available.

• INTEGRITY: As a long-term supplier of carrier-grade networking solutions, Ciena’s established best-practices and controls throughout the entire product development cycle ensure that data traversing a Ciena network is free from unauthorized modifications, so that it arrives to its destination in the exact state that it was sent. 

• AVAILABILITY: The availability of applications and data is ensured by providing an ultra-high reliable infrastructure, that minimizes downtime, with a full range of protection/restoration mechanisms including fully redundant hardware, a centralized-switched architecture, and multi-layer (L0/L1) control plane for automated, near-real-time restoration. 

Raffi: All of these should be seriously considered as part of a holistic security strategy. Without proper consideration of end-to-end data security, it’s possible that the ad hoc connection of more hardware and software to a network could create new vulnerabilities that can be exposed and/or exploited by hackers. 

Virginie: Thanks for your insights Raffi. The GDPR certainly sets the standard and outlines why having a comprehensive security strategy is essential. Compliance embeds security consciousness across the fabric of your entire organization. It also minimizes the attack surface of your network and prepares your people and infrastructure for future regulatory requirements.

This article is part of a series of posts, originally on LinkedIn, in which Virginie Hollebecque speaks to Ciena experts to address some common themes being raised by our customers. The other articles in the series are:

• Beyond technology - people, diversification, and resilience
• Network modernization’s role in making a digital transformation vision a reality