The new year ushers in many new opportunities and threats, some known, some unknown. The European Union’s General Data Protection Regulation (GDPR) is a known entity that will have a significant impact on organizations around the world. But despite a two-year lead time, a recent IDC survey of small and midsized European companies found that 22 percent of respondents didn’t even know what GDPR was. Of the companies that were aware of it, 1 in 5 had not begun preparing for it.
Even more alarming, the Compliance, Governance and Oversight Council reported that only 6 percent of 132 compliance officer respondents worldwide feel their organizations are currently GDPR-compliant. Lack of compliance brings significant risk, but organizations first need to know what GDPR requires to comply. Below is an overview of the regulation, along with what companies can do to make sure they are prepared for the May 25 effective date.
GDPR and its Repercussions
The goal of the GDPR is to unify data security, retention and governance legislation across EU member states to protect its population’s data. The regulation’s official site calls it “the most important change in data privacy regulation in 20 years.” All companies with more than 250 employees that process the personal data of people residing in the EU, regardless of the company’s location, must comply.
This regulation requires greater oversight for the storage and transmission of sensitive data such as personal, banking, health and credit card information. Most organizations will need to appoint a data privacy officer who reports to a regional authority, as well. EU residents have new rights, including data portability, the right to be forgotten (erasure) and to be notified within 72 hours of the discovery of a data breach.
Non-compliance risks stiff penalties. Organizations can be fined up to 4 percent of annual global revenue or €20 million, whichever is greater. It’s important to understand that these rules apply to both controllers and processors, which means cloud providers will not be exempt.
This means that data breaches become even more costly. A hacktivist or other malicious actor who breaches your network and steals data already inflicts the associated financial and reputational costs; under the new regulation, the same breach can also leave you susceptible to additional fines.
General guidelines to get ready for the GDPR include:
- Appoint a data protection officer (DPO) to lead the task force to address GDPR compliance challenges;
- Determine your responsibilities under GDPR;
- Establish a security and risk management framework and adopt all of its controls, or document a risk-based rationale, one that treats privacy as a first principle, for any control you exclude;
- Establish and maintain an internal framework for accountability;
- Draft a mission statement and goals that treat citizen privacy as a first principle;
- Update PII and privileged information definitions;
- Review personal data processing operations and evaluate cross-border data flow compliance;
- Institute a comprehensive central business registration and documentation of data processing activities; and
- Seek legal advice in the pursuit of risk-based, timely compliance decisions.
Furthermore, complete these four security-specific tasks.
Invest in a front-to-back, complete cybersecurity infrastructure
- Consider using endpoint detection and response (EDR), an emerging technology. It is a category of tools and solutions that focus on detecting, investigating and mitigating suspicious activities and issues on hosts and endpoints.
- Consider using network behavior anomaly detection (NBAD)—the real-time monitoring of a network for any unusual activity, trends or events.
- Monitor cloud, application and database behavior
- Reduce the attack surface with patching and configuration control
- Segment networks and reduce single points of failure
- Reduce access scope and rights
- Build resilience
- Move away from fetishizing “the wall”; the perimeter no longer exists
Pay attention to IT security hygiene, communications, processes and risk management
- Review all existing contracts with data processors (cloud providers, SaaS vendors or payroll service providers) and customers. New contracts need to clearly define rights and responsibilities. They also need to define consistent processes for how data is managed and protected, and how breaches are reported.
- Rethink processes and the relevance of the data you hold. Much of the data you are holding onto can be purged. It takes up valuable space at best and may pose an unnecessary GDPR risk at worst.
- Because there is now a 72-hour reporting window for breaches, business leaders, IT and security teams need to clearly map out how data is stored and processed and agree on a compliant process for reporting.
- Conduct crisis and contingency planning and testing. Preparedness is key, so build in resilience and be prepared for the worst. Then test the system and look for weaknesses.
- Get the basics right. Understand your data and where it is. Don’t panic but take it seriously.
Make sure employees know cybersecurity and privacy best practices
- Understand that hackers are targeting you constantly.
- Make sure your software is up to date.
- Look out for suspicious emails and calls to obtain your information (phishing).
- Use caution when clicking links online and in emails.
- Choose strong passwords and password management practices and solutions.
- Keep sensitive data secure and off your laptops and mobile devices.
- Don’t leave your devices unattended.
- Always back up your data in case of a ransomware attack.
- Make sure your antivirus is up to date.
Enable basic security mechanisms and protocols, such as firewalls and antivirus software, at the user level for all individuals with access to the network
A Worthy Cause
Regardless of whether you are prepared for it, the GDPR takes effect May 25. You can be ready for it by using the above information and recommendations to make sure that the right people, technology and processes are in place. While compliance tends to become the focus of the GDPR, remember that its underlying principle is data privacy and security. That’s a cause that everyone, including both your organization and your customers, can get behind.