GDPR is now law: are companies set to take a fall?

On 25 May 2018, GDPR became part of European law. However, far too many organisations are still struggling with compliance. The first large-scale breach after the law came into effect will demonstrate just how unprepared the industry is when it comes to its cybersecurity hygiene.

One key requirement of GDPR is that data protection measures be implemented “by design and by default,” making it vital that privacy and security become ingrained in every element of IT infrastructure. As a result, software security is increasingly coming under scrutiny.

Developers, who once wrote all of their code from scratch, are now assembling 80–90% of every new software application from packaged bits of code borrowed from public sources. While these components are instrumental in driving innovation and accelerating time to market, Sonatype’s research has found that 1 in 8 open source components downloaded in the UK contains a known security vulnerability. While 58% of organisations have some form of policy in place to govern component quality and security, as many as 46% of people ignore those policies. When it comes to cybersecurity hygiene within development practices, the risk of breaches is significant.

Sonatype’s 2018 DevSecOps Community Survey of 2,076 IT professionals revealed that open source-related breaches are up 55% year over year, impacting 1 in 3 participating organisations. However, only this month, it was reported that 20% of UK companies are compliant with GDPR, placing them at risk of huge fines – up to £17 million, or 4% of global annual turnover, whichever is higher.

With GDPR in play, companies can take three steps to improve their cybersecurity hygiene:

First and foremost: identify what’s in their software – a sort of health check. This provides the opportunity to identify any vulnerabilities, update to safer component versions and ensure those versions are deployed into production environments.

Secondly: invest in training to help upskill teams. With developers outnumbering security professionals 100:1, security needs to become the responsibility of the whole team, not just a select few. Security teams will never scale to the size of development teams, so new approaches toward training and guiding developers in secure coding practices are imperative.

Finally, businesses should look to utilise DevSecOps principles aimed at building in quality. In DevSecOps practices, governance and compliance guardrails must be embedded early and throughout the software development lifecycle, helping to dramatically mitigate risk. When defects are flagged, developers are guided through remediation with automated intelligence that helps to identify safer component alternatives to use. These instant feedback loops detailing good or bad components have been shown to increase developer productivity by as much as 48%.

All three of these require a change in mindset, making it vital that businesses act now. It is still possible to make great strides in boosting application security, and quickly bring organisations up to speed and a step closer to GDPR compliance while dramatically reducing the risk of breaches.

By Derek Weeks, VP and DevOps Advocate, Sonatype
