The risks of non-compliance are serious, follow this GDPR action plan to avoid disaster
The number of successful data breaches on companies of all sizes has been growing in recent years and so has the potential price. The average cost of a data breach globally is $3.6 million, according to the 2017 Cost of Data Breach Study by the Ponemon Institute. Because of grave concerns about how businesses are handling data the EU parliament drew up a new set of regulations that could increase that cost further.
The General Data Protection Regulation (GDPR) comes into force May 25. It lays out a strict set of requirements on how companies should process, store, and secure the personal data of EU citizens. Infringements can trigger fines of up to 20 million euros (around $24.6 million) or 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Despite the risks, only 21 percent of U.S. firms are concerned about GDPR and have a plan in place, according to a Hytrust survey. That means many organizations may be in for a rude awakening.
Preparing for the GDPR is disruptive. This is a wide-ranging set of requirements, covering individuals’ rights to data access, protection and notification procedures, and transparency about your data handling and usage. It impacts everyone from the CIO to the CSO to every team, vendor, or employee who interacts with a customer or their data.
To prepare for GDPR properly you need to enact stricter controls on how you use and store data, new governance policies to protect that data in-transit and in storage, and fresh data policies that meet your legal obligations concerning interactions and responses to data access requests and breaches.
A Practical Action Plan
While the task may be daunting, it’s not insurmountable. There are lots of straightforward steps you can take to prepare in a methodical way.
You can’t get started without a complete map of all the customer data you possess, so begin by discovering and classifying all the data you collect. You need to identify critical data and question the reasoning behind collecting it to ensure that it’s justified from a business perspective. Make sure you understand what and where all the data is before you look at how to protect it. Appoint a data protection officer to be responsible for that data.
It’s crucial to make privacy a default position, encrypt sensitive data at all times, and to employ security controls capable of ensuring the confidentiality, integrity and availability of personal data. You must be able to detect and respond to data breaches in a timely manner. The only way you can be confident about your actions is to put regular, stringent testing of all your security measures in place.
Building a Framework for Success
We can boil protection down to five key ideas that can be used to map technical controls:
- Auditing Personal Data Processing Systems: Ensuring that all user and admin activities in personal data processing systems are traceable at all times.
- Monitoring Personal Data Processing Systems: Ensure they are safe from software vulnerabilities.
- Personal Data Access Controls: Ensure that access to systems storing or processing personal data is restricted to only users or programs that need it.
- Personal Data Security Controls: Monitoring configuration settings for systems storing or processing personal data to prevent breaches and disclosure.
- Personal Data Transfer Security: Monitoring usage of encryption and network configuration to detect and/or prevent unauthorized transfers of personal data.
Remember that it’s not enough to ensure your own organization is compliant, you also need to consider the vendors you worth with. Protecting the data properly means protecting all your operating systems, all your servers, all your assets, be they on-premises or in the cloud. Build a holistic view, identify where you’re falling short, remediate swiftly and test again.
Engaging a third-party to assess your readiness, identify weaknesses and provide tangible, practical advice on mitigation is vital.
But compliance checks aren’t something you can do once, then forget about – you need to run them daily, hourly, or even more frequently depending on your business. Ideally, you should integrate checks into your DevOps pipeline and automate them, so you can be confident that your business is GDPR-compliant at all times.
There’s no doubt that the new regulations are onerous, but they also provide positive motivation for companies to improve their data handling and, ultimately, that’s good for both the business and its customers.