In May 2018 the General Data Protection Regulation (GDPR) legislation will come into effect for 28 European countries, as well as for any international company that touches personal data from Europe.
This set of laws, designed to protect individuals' data in a world increasingly built atop that data, will affect the global digital ecosystem. Waiting to consider your compliance is asking for trouble to the tune of 20 million Euros or 4% of your company's annual worldwide turnover—whichever is greater.
But how do you get started?
Understand What GDPR Is Trying To Do
GDPR has one primary goal: Give individuals more control over what happens to and with their data.
Under GDPR, companies must work to be more responsible with and protective of the data they collect. For example, individuals will have greater rights to access or erase their own records (the "right to be forgotten"), and organisations are bound by law to be much more communicative regarding security incidents.
Once you get on board with the principles behind GDPR, you can begin to implement certain changes that will help you move towards compliance.
Modernise IT with Compliance in Mind
Many organisations fear that shadow IT like the cloud will cripple their GDPR compliance. Luckily—considering the average European enterprise uses 608 cloud applications—it's not a question of if but how you can modernise without risking millions of Euros in fines.
Follow these guidelines to scale your environment in line with GDPR:
- Know the physical location where cloud applications are hosting your data.
- Check cloud apps' security measures to make sure they align with your own, and confirm that they legally agree to process data in accordance with the privacy requirements laid out by GDPR.
- Collect only the data you need to perform the app's function.
- Make sure cloud apps clearly state that the customer owns all data collected and the data will not be shared with third parties, and ensure you're able to delete that data when you stop using the app.
Invest in "State-of-the-Art" Security
While GDPR is fundamentally about data management and processing, one of the few areas with specific requirements is the matter of data security and transparency. There are several key tenets organisations can latch onto right away. (The full text of the GDPR legislation is available online.)
On personal data protection: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk." (Article 32, emphasis ours)
"Personal data should be processed in a manner that ensures appropriate security and confidentiality of the data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing." (Recital, paragraph 39)
On transparency: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." (Article 33, emphasis ours)
"When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay." (Article 34)
Hefty administrative fines for noncompliance make data security Board Issue #1 for everyone affected by GDPR, but organisations are caught between a rock and a hard place.
The reality is that no security platform will be enough to eradicate the risk of a breach, given rapidly evolving malware and broadening attack surfaces. Compliance, therefore, breaks down into three distinct pieces:
- Prevent breaches. Organisations must reduce their attack surface and improve their ability to both prevent known threats and detect unknown threats.
- Decrease dwell time. When a breach does happen, organisations need to spot it as quickly as possible so the fewest consumers are affected. Average dwell time? 99 days.
- Speed up investigation. The faster you find an attack source and mitigate the damage, the smaller a hit your company's reputation will take.
For all three stages of compliance you need "state-of-the-art" security, comprehensive visibility, and automation that speeds up the investigation process.