GDPR: What Does it Mean for Businesses?
By Ian Kilpatrick, EVP Cyber Security for Nuvias Group
On May 25, 2018, the General Data Protection Regulation (GDPR) will come into force, and will be a game-changer in how organisations store, secure and manage personal data.
GDPR will affect the whole of the EU Zone, which currently spans 28 member countries and half a billion citizens. Its goal is to unify data protection across the European Union, but because GDPR applies to individuals within the EU or the European Economic Area (EEA), companies outside these zones will still have to meet the standards if they want to continue using data from customers in the EU.
The purpose of the new regulation is to shift control of personal data back to the owner of that data. Every organisation should be aware that with GDPR comes huge fines for data breaches – up to four percent of annual global turnover or €20 million, whichever is greater. Therefore, the consequences of any data loss could be financially devastating for any company.
The data in question could be usernames, location data, online identifiers like IP address or cookies, or passwords. The loss of personal or work-related information – whether that’s access details, passwords, or any other customer data – is endemic today; almost 1.4 billion data records were lost in 2016 alone, an increase of 86 percent compared to the year before.
After next May, organisations will have 72 hours to disclose any serious data breaches to the relevant authorities – in the UK that is the Information Commissioner’s Office (ICO) – as well as to the victims of the breach. The penalty for failing to notify them of a breach will be up to €10 million, or two percent of revenues.
Analyst firm IDC predicts that the severity of fines, coupled with the substantial changes in scope, will drive enterprises to radically shake up their data protection practices, seeking the assistance of new technologies to assist with compliance.
Despite all this, a survey by information services group, Experian, reports nearly half of businesses (48 percent) admit they are not ready for GDPR, and are only in the early stages of preparing for the regulations.
If they are not doing so already, organisations need to start putting plans in place now if they’re to meet the May 2018 deadline.
So, what steps can companies take to ensure their GDPR compliance? The ability to ensure confidentiality, integrity, availability and resilience will be crucial – as will restoring data in a timely manner in the event of an incident. Organisations will need a process for testing and evaluating the effectiveness of their security processes, meaning they will need to demonstrate they have taken adequate steps to protect the data.
GDPR doesn’t prescribe specific data protection technologies, but rather processes that organisations should undertake. However, companies should be talking to their IT providers about core data security solutions that cover things like encryption, access and identity management, two-factor authentication, application control, intrusion prevention and detection, URL filtering, APT blocking and data loss protection. Also, they shouldn’t neglect the network – by securing wireless access points, for example.
Having a demonstrable security policy in place and making sure employees are fully trained in the correct security practices will prove invaluable.
Larger organisations and public bodies will require a data processing officer; this is a senior role that operates independently of the IT department and will enjoy significant protection, along with the responsibility of reporting any data breach. They will act as a fulcrum for developing, enacting and continually testing security compliance posture.
However, GDPR compliance is everyone’s responsibility, and shouldn’t be left to one team – legal, IT, HR and other business functions must all be involved with visible support from the executive level.
Something else that GDPR will likely affect is insurance. As the regulations require every business to report any data breach, there is going to be more of an emphasis on liability and who is to blame as data losses come to light.
In simple terms, businesses should document everything they have done at a technical and policy level to show due diligence. There are several framework documents created at a national level that can help. For example, the UK’s National Cyber Security Centre publishes a number of 10-step programmes that offer a basic checklist of areas that should be covered.
With heavy financial and reputational risk threatening, the sooner the new regulations are adopted, the more confident a company can be that it will not be found wanting when GDPR comes into effect.