Heightened security threats lead to heightened regulation; however, organizations are not always quick to comply. Though the world was forewarned two years ago that the European Union’s General Data Protection Regulation (GDPR) was on its way, a recent IDC survey of small and mid-sized European companies found that 22 percent of respondents didn’t even know what GDPR was. Furthermore, only 20 percent of the respondents who did know what it was had started to prepare for it.
This is highly problematic, as GDPR takes effect on May 25. So is this statistic: the Compliance, Governance and Oversight Council reported that only six percent of 132 compliance officer respondents worldwide feel their organizations are currently GDPR compliant. Lack of compliance brings significant risk, but before organizations can comply, they first need to know what GDPR requires. Below is an overview of the regulation, along with what companies can do to make sure they are prepared for it.
What GDPR requires
The EU aims to make data security, retention and governance legislation uniform across EU member states to protect its population’s data. The regulation’s official site calls it 'the most important change in data privacy regulation in 20 years.' All companies with more than 250 employees that process the personal data of EU citizens, regardless of the company’s location, must comply.
GDPR mandates greater oversight of how data such as personal, banking, health and credit card information is stored and transmitted. Most organizations will also need to appoint a data privacy officer who reports to a regional authority. EU residents have new rights, including data portability, the right to be forgotten (erasure) and the right to be notified within 72 hours of the discovery of a data breach.
There are hefty fines for those who do not comply. Organizations can be fined up to four percent of annual global revenue or €20 million – whichever is greater. It’s important to understand that these rules apply to both controllers and processors, which means clouds will not be exempt.
Data breaches are already expensive, and fines like this would make them even more so. A hacktivist or other malicious actor who breaches your network and steals data not only inflicts the associated financial and reputational costs, but also leaves you exposed to the additional fines imposed by the new regulation.
All organizations to which GDPR applies should follow these general guidelines to prepare:
- Establish a security and risk management framework and adopt all of its controls, or provide a risk-based rationale for excluding any of them that treats privacy as a first principle;
- Draft a mission statement and goals that treat citizen privacy as a first principle;
- Appoint a Data Protection Officer (DPO) to lead the task force to address GDPR compliance challenges;
- Determine roles and responsibilities under GDPR;
- Establish and maintain an internal framework for accountability;
- Update PII and privileged information definitions;
- Review personal data processing operations and evaluate cross-border data flow compliance;
- Seek legal advice in the pursuit of risk-based, timely compliance decisions; and
- Institute a comprehensive central business registration and documentation of data processing activities.
In addition, organizations should complete these four tasks specifically related to security.
1. Establish a comprehensive cybersecurity infrastructure.
- Look at cloud, app and database behavior.
- Consider using Network Behavior Anomaly Detection (NBAD) – the real-time monitoring of a network for any unusual activity, trends or events.
- Consider using Endpoint Detection and Response (EDR), an emerging technology. It is a category of tools and solutions that focus on detecting, investigating and mitigating suspicious activities and issues on hosts and endpoints.
- Reduce the attack surface with patching and configuration control.
- Segment networks and reduce single points of failure.
- Reduce access scope and rights.
2. Make sure your IT security hygiene, communications, processes and risk management are solid.
- Rethink processes and the relevance of the data you hold. Much of the data you are holding onto can be purged. It takes up valuable space at best and may pose an unnecessary GDPR risk at worst.
- Review all existing contracts with data processors (cloud providers, SaaS vendors or payroll service providers) and customers. New contracts need to clearly define rights and responsibilities. They also need to define consistent processes for how data is managed and protected, and how breaches are reported.
- Because there is a 72-hour reporting window now for breaches, business leaders, IT and security teams need to clearly map out how data is stored and processed and agree on a compliant process for reporting.
- Conduct crisis and contingency planning and testing. Preparedness is key, so build in resilience and be prepared for the worst. Then test the system and look for weaknesses.
3. Teach and enforce employee cybersecurity and privacy best practices.
- Don’t leave your devices unattended.
- Keep sensitive data secure and off your laptops and mobile devices.
- Make sure your software is up to date.
- Look out for suspicious emails and calls to obtain your information (phishing).
- Use caution when clicking links online and in emails.
- Choose strong passwords and password management practices and solutions.
- Make sure your antivirus software is up to date.
- Always back up your data in case of a ransomware attack.
4. Put in place the most basic security mechanisms and protocols—such as firewalls and antivirus software—for all individuals with access to the network at the user level.
Worth the trouble
GDPR doesn’t care how you feel about it or whether you are ready. It goes into effect on May 25, and lack of compliance could cost you plenty. Use the guidelines above to prepare your organization by putting the needed people, technology and processes in place. Yes, regulations like this create plenty of additional work, but the end result is safer, more confident customers and a safer network. Data privacy and security are often difficult to achieve, but there’s really no legitimate alternative.