Image: Derek Gavey Image: Derek Gavey

Akamai Technologies, Inc. the cloud delivery platform, has alerted organisations across Europe that failure to take a risk-based approach to handling personal data could lead to a lack of compliance – and heavy fines – with the upcoming General Data Protection Regulation (GDPR).

With four months until GDPR comes into force, businesses must adopt appropriate security protocols – and be able to demonstrate that these have been followed, should a data breach take place. The advice – part of Akamai’s latest whitepaper, Evidence-based protection of web resources – highlights the need for organisations to start conducting a thorough analysis of their systems to understand the full extent of where their risks lie and ensure their compliance. Akamai has recognised that what constitutes “appropriate” security measures is open to interpretation.

Urging companies to follow industry best practice in order to protect customer data and ensure the Data Protection Authority (DPA) has all the information it needs, Gerhard Giese, Manager Enterprise Security Architects, Akamai Technologies said:

“Organisations are stuck between a rock and a hard place. While GDPR is open to interpretation, businesses need to take action now, before it comes into force. Failing to have sufficient proof that they have taken appropriate measures to protect the personal data they are processing and to mitigate the risks associated with their data processing activities could result in hefty fines. In the event of a breach, the burden is on the organisation to prove that it the measures it took were appropriate. There isn’t anywhere to hide anymore.”

Compliance no small feat

Akamai’s whitepaper highlights that, should businesses have to defend the robustness of their risk-based security strategies, their arguments might not be as sound as they need to be. Not availing themselves of the latest technologies or relying on their own limited knowledge of the rapidly evolving threat landscape could leave authorities questioning just how “risk-based” their approach really was.

Giese continues: “Many companies are still using technologies that leave them more vulnerable to an attack than they need to be – whether that’s opening up VPN vulnerabilities by allowing unnecessary access to the corporate network or choosing security solutions that are simply less effective. Others are limited in their ability to react to issues, taking longer than is necessary to spot threats or implement solutions to protect their web properties against them. Businesses should take a long, hard look at their security solutions and ask themselves, ‘is there a better way to protect the personal data we are processing?’ If there’s a simple, practical solution that they haven’t implemented, they should consider whether they can really claim that they mitigated the risk as required.”

Localisation is also adding complexity to the compliance requirements, resulting in businesses finding themselves obliged to achieve compliance with local requirements in multiple countries across the world. As countries update their privacy laws, global businesses will have to respond accordingly. While there are similarities, the individual nuances are making it more difficult for businesses to prove compliance with each of the individual regulations.

Steps to proving GDPR Compliance

Akamai is suggesting four steps that businesses can start to implement now in order to demonstrate to the Data Protection Authority (DPA) that an adequate risk-based approach has been taken in regards to protection of web properties:

Learn from others’ failure

If a business waits until it’s attacked before responding to a new threat, it’s much less likely to successfully defend against it. Security providers that protect companies all around the world are able to spot threats early in one location and apply their learnings to all their other customers before an attack can strike.

Maintain and document web application firewall rules

In the event of a security breach, the DPA will require evidence outlining what steps were taken to minimise the impact. So for web properties, demonstrating that the business has an effective application firewall in place that has been constantly updated to respond to the ever-changing threat landscape is a priority.

Control access of third parties to personal data

Providing third parties access to networks is a business necessity; however, this access can put both personal data and general security at risk. Therefore, ensuring that there’s a system in place that can both track access to these networks and also mitigate the risk of unauthorised access, is a must if businesses want to be able to compile evidence for the DPA of risk mitigation measures.

Create a buffer between your network and potential threats

If a business’ first line of defence is at the perimeter of its network, then the threat is already too close for comfort. Putting a buffer, such as a Content Delivery Network, between a company’s own infrastructure and any potential bad actors, can help ensure that threats are detected before they become an issue – as well as enabling the organisation to route traffic around Denial of Service attacks.

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at