GDPR: Cybersecurity Lessons Learned

Nov 26, '18 by Joerg Schneider-Simon

It may be hard to believe, but six months have passed since the GDPR deadline. During that time, companies (including bowbridge) contacted their lists, seeking active consent to continue sending them information. GDPR opt-in emails were so ubiquitous, they even became the subject of celebrity-generated Twitter memes.

Now that the dust has settled on GDPR, companies can sit back, take a breather (many of them while mourning a drastically trimmed-down email list), and reflect on what the entire exercise taught them about data privacy and cybersecurity.

Here are some of our takeaways:

The Stakes Are Even Higher Now

We’ve seen multiple high-profile data breaches over the years, like those that hit Equifax and Target. It’s bad enough for this to happen to consumers who gave only implied consent to the collection and storage of their data. But if a company has gone to considerable effort to gain explicit consent, and then doesn’t protect that data? That’s a serious betrayal of trust whose reverberations could very well threaten the future of the company.

Because consumers are now keeping a closer eye on who has their data, organizations need to be particularly vigilant in protecting themselves from data theft, unauthorized access, and data integrity attacks.

Having the Right Team Is Vital

GDPR brought together organizations’ legal teams, IT teams, marketing teams, and more, all working together to implement and communicate a complex data collection and retention policy. Companies without strong players in these departments soon found themselves struggling to plan, develop, and execute their GDPR strategy.

Unfortunately, many companies likely found themselves short-handed when they turned to the IT department, due to the well-publicized cybersecurity skills shortage. Finding SAP cybersecurity experts to develop a GDPR strategy for SAP was an even taller order.

This issue highlighted the dire need for cybersecurity professionals in the field, not only to manage the nuts and bolts of data privacy policies, but also to execute on these policies and ensure that the data actually stays protected.

Get Ready for the Digital Economy

Thomas Saueressig, the CIO of SAP, had this to say about how businesses need to make their data management lean and efficient in order to keep up:

Our GDPR compliance journey has confirmed our belief that transforming the way you handle data and manage risk and compliance is a catalyst to getting your business in better shape for the digital economy. SAP’s growth has been both organic and through acquisitions, and our next challenge is the centralization of personal data from multiple line-of-business systems into a single central system. This will remove duplication, increase data processing efficiency, and limit our exposure to data privacy risk.

Centralizing data and improving integrations between systems will make it easier to ensure that all data is being correctly managed and guarded, so that nobody slips through the cracks into a less-protected state.

Know Where Data Resides

Centralizing data is important, but it may not always be possible. Many organizations that use SAP do not fully realize that the file data stored by SAP is not kept in traditional disk file systems. Instead, it is stored in the SAP database or in an SAP-proprietary data repository.

The end result: OS-level cybersecurity software, which inspects files on the operating system’s file system, cannot see this content and so cannot protect SAP systems and data.

Because of this, organizations that use SAP must take the extra step of ensuring that their SAP data storage is at least as well protected from cyberattack as their other databases.

GDPR put the world’s focus on data protection like never before. Learn how the City of Essen used bowbridge SAP cybersecurity solutions to protect their vital data from cyberattack.
