Because, the times, they are a’ changin’ for data management
Companies and organizations across the world better get ready. Fast. Because the EU’s new General Data Protection Regulation (GDPR) comes into force on 25th May, and it’s a game-changer for the way they collect, store, and use customer data. It’s designed to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.” Failure to prepare could have serious consequences. Yet, Gartner estimated that over 50% of affected companies won’t be fully prepared by the end of 2018 – seven months after GDPR begins.
Data security is an escalating issue. More data was lost or stolen in the first half of 2017 than throughout the whole of 2016. That’s 1.9 billion data records, amounting to 10.4 million lost records daily. And, as data privacy has recently come under further intense scrutiny since the revelations about Facebook and Cambridge Analytics, the GDPR’s implementation is very timely.
But is it good news or bad? And how can organizations be sure they’re ready?
Is it good or bad news?
The new regulations require big changes in the ways organizations manage and share data. A recent estimate suggests that UK FTSE 350 companies have sunk $1.1bn into preparations for GDPR, and this is dwarfed by the US Fortune 500, which is estimated to have spent $7.8bn. As the costs of non-compliance could be high (up to 4% of annual global turnover or €20 million, whichever is greater), so their investment is both worthwhile and necessary.
This doesn’t mean that GDPR is just a costly piece of bureaucracy. On the contrary, here at Allot, we welcome this move to clearly define the responsibilities of organizations and to strengthen their diligence when managing data. We ourselves have been through a thorough due diligence process to ensure that our handling of customers’ and contacts’ data is already compliant with the new legislation. As our business is network intelligence, security, and regulatory compliance, and as our solutions handle the data of over 150 million subscribers throughout western and central Europe, we are acutely aware of the potential benefits and risks associated with large scale data-capture, and the significance of GDPR on our customers.
We understand that, in the process of providing us with products, services, and content, companies and organizations such as service providers gather a considerable amount of information about all of us. This has mutual benefits. It enables companies to learn and track our preferences and behavior so that they can make us attractive offers. That’s good for business. And it means that these offers are more tailored to our individual requirements. That’s great for end users. We appreciate that GDPR has been designed to ensure that all this data that’s being processed is handled, and in some cases disposed of, in a way that protects its security, integrity, and confidentiality.
How can organizations be sure that they’re ready? Five ways to ensure compliance
So, what makes an organization ready for GDPR? They should apply a combination of:
- Administration control: Creating, defining, and implementing the Data Protection Officer role within the organization, or as an outsourced function, to ensure that data access restrictions are correctly implemented and to establish a comprehensive user activity log
- Personal data security: Implementing encryption of personal identifiers and encrypted data collection and transfer
- Individual rights assurance: Establishing interfaces for obtaining and deleting subjects’ histories
- Professional services: Setting up systems for compliance and establishing an auditor implementation log
Combined, these might seem daunting, but to get under way, here’s our checklist of the key things you need to do to be ready for GDPR:
- Prepare your team: Appoint your Data Protection Officer, either internally or outsourced, and any technical team required to support them
- Map your data: Identify data flows and systems handling personal data
- Analyze risks: Classify data and processing systems that pose a breach risk
- Identify potential breach activity: Examine data access and administrative activity
- Set policies and controls: Establish initial parameters for management of your systems and the data you hold therein, and begin implementation. As you progress, you can calibrate your policies and controls as necessary.
GDPR is coming. Be ready.