Two years after the regulation was first announced, the progress is visible but it’s slow. As often happens with regulation, it’s going to take a whipping boy to make most organisations understand the gravity of the situation. One high-profile case of a company handing money over for non-compliance under the General Data Protection Regulation (GDPR) will be the wake-up call the rest of the industry needs to get its act together.
By definition, the GDPR is more open to interpretation. Although that makes the regulation more difficult for companies to follow, it does mean it’s more strategic in approach, covering a process rather than a moment and encouraging businesses to think of security in a more holistic way.
A brief history of GDPR
Here are some of the main elements of the regulation as it now stands after the “strong compromise” reached between the European Parliament and Council.
- Fines of up to 4% annual turnover for breaking the rules
- Data Protection Officers (DPOs) must be appointed if organisations “process sensitive data on a large scale or collect information on many consumers”
- Right to be forgotten – information on an individual must be deleted on request if there are no legitimate grounds for retaining it
- Right to data portability – easier transfer of data between service providers
- Mandatory breach notifications – to relevant supervisory authority within 72 hours, in the event of a “serious” breach
- One-stop shop – a single regulator for multi-nationals, in the country where they have their HQ
- Consent – businesses must get users’ explicit consent to use their data
Here are just a few steps you should be thinking about now, in order to prepare for May 2018:
- Conduct a data audit to find out what data you hold and how you are using it
- Classify data according to sensitivity and your organisation’s risk appetite
- DLP technologies can help prevent accidental and deliberate data leaks
- Staff awareness and user education training programs to focus on data protection
- Restrict the number of privileged accounts and roll out strong authentication (e.g. 2FA) for those accounts
- Regular pen testing to check the resilience of systems to attack
- Develop an incident response plan to ensure you can report within 72 hours. Involve key stakeholders, including legal, HR and PR teams
- Advanced server-side technologies like Deep Security can help lock down risk across physical, virtual and cloud environments from a single console
Navigating complex regulation can be a challenge for many companies, but it is not an excuse to do nothing. Overconfidence in one’s own security systems, a lack of understanding of the various threats and the fact that the GDPR won’t be in place until 2018 mean many companies feel they can put compliance with data regulation on the back burner.
And don’t forget: compliance might be an obligation; security should be an aspiration.