Digital Forensics and Cyber Crime. 13th EAI International Conference, ICDF2C 2022, Boston, MA, November 16-18, 2022, Proceedings

Research Article

Cyber Crime Undermines Data Privacy Efforts – On the Balance Between Data Privacy and Security

Cite
    @INPROCEEDINGS{10.1007/978-3-031-36574-4_25,
        author={Michael Mundt and Harald Baier},
        title={Cyber Crime Undermines Data Privacy Efforts -- On the Balance Between Data Privacy and Security},
        proceedings={Digital Forensics and Cyber Crime. 13th EAI International Conference, ICDF2C 2022, Boston, MA, November 16-18, 2022, Proceedings},
        proceedings_a={ICDF2C},
        year={2023},
        month={7},
        keywords={Cyber Threat Intelligence, Data Breach, Regulatory Compliance, Insider Threat Management, Data Security and Privacy},
        doi={10.1007/978-3-031-36574-4_25}
    }

    Michael Mundt, Harald Baier
    Year: 2023
    Cyber Crime Undermines Data Privacy Efforts – On the Balance Between Data Privacy and Security
    ICDF2C
    Springer
    DOI: 10.1007/978-3-031-36574-4_25
Michael Mundt*, Harald Baier
    *Contact email: m.mundt@esri.de

    Abstract

    The General Data Protection Regulation (GDPR) was put into effect in the European Union on 25th May 2018. GDPR aims to ensure the protection of the personal data of individuals and the free movement of this personal data. Data privacy regulations are also currently being discussed nationwide in the United States of America and other countries. Regular guidelines of the European Data Protection Board (EDPB) support the technical GDPR implementation. However, cyber aggressors are increasingly succeeding in penetrating IT systems, e.g., by combining traditional ransomware techniques with data exfiltration. In this paper we address the trade-off between data protection as presumably regulated by the GDPR and the security implications of a hard and fast privacy enforcement. We argue that a too strict interpretation of the rules of data protection in the wrong place can even provoke the very reverse of data protection. The origin of our examination is to classify data in two GDPR-relevant categories: personal data (e.g., personal files of customers and company personnel) and IT operational data (e.g., log files, IP addresses, NetFlow data), respectively. We then give a plea to strictly protect data of the first category and to handle the GDPR pragmatically with respect to the second one. To support our position we consider sample popular network protocols and show that it is low-threshold to exploit these protocols for data exfiltration, while the defender is only able to detect the attack on the basis of IT operational data. We hence emphasize the need for a new paradigm of risk assessment.

    Keywords
    Cyber Threat Intelligence, Data Breach, Regulatory Compliance, Insider Threat Management, Data Security and Privacy
    Published
    2023-07-16
    Appears in
    SpringerLink
    http://dx.doi.org/10.1007/978-3-031-36574-4_25
    Copyright © 2022–2025 ICST