Once the General Data Protection Regulation (GDPR) goes into effect on 25 May 2018, all EU member states will be required to have more consistent data protection regulations in force. Given that the regulation will apply to any company that processes personal data of residents in the EU, regardless of the company’s location, it is critical for companies to work out how to achieve and maintain compliance once the regulation becomes enforceable.
Since its introduction, there has been a great deal of discussion in the business community about the potentially negative effects of the new regulation, such as the added costs of implementing new processes and the fines for noncompliance. However, we see GDPR as a positive step towards a better balance of privacy and protection between individuals and companies, and towards better data-handling practices and overall security hygiene for all parties involved.
Achieving Compliance: The Challenges
Becoming compliant can be an immense undertaking, involving an extensive, coordinated effort between the various departments that are tasked with planning and executing the necessary processes and technologies.
In some cases, the first roadblock to compliance will simply be defining the requirements. For instance, Article 25, “Data Protection by Design and by Default,” states that the “state of the art” of data processing should be taken into account when planning the steps needed to achieve compliance. The term “state of the art,” however, is not defined in the regulation, and such ambiguity raises new questions for companies that are reading the regulation looking for answers.
Another challenge will be the handling of personal data. Because of the ease with which companies can gather customer data today, they are collecting more of it than ever before. Often this is done at such scale that there is a lack of oversight when it comes to the safe handling and secure storage of sensitive information. GDPR tightens security requirements to strengthen customers’ rights over their data: companies will be required to log all the personal data they collect, with records of where the data originated, why the company holds it, and where it is stored.
Assessing the current data collection and storage situation alone will require organisations to make significantly higher IT investments. The fines for data protection violations — up to four percent of annual global turnover or 20 million euros — will make it too expensive not to. As a result, the task of protecting personally identifiable information (PII) will move from an IT responsibility to a board-level priority.
To comply with the GDPR requirement to report breaches within 72 hours, companies will also have to get much better at understanding their data flows, while taking a more comprehensive view of the threat landscape. Organisations will need to implement structured cyber-incident response plans with the goal of replicating attacks, understanding responsibilities, and returning information promptly and accurately. While complex and difficult to carry out, these plans will need to be complete one year from now, in place before May 2018.
Companies — not just individuals — will benefit from GDPR
Whilst it took a long time to find the right balance between privacy and protection in the wake of the social media age, it is now generally accepted that the modernisation of laws is long overdue.
According to the European Commission, GDPR will give people more control over how personal data is defined, the right to know how it is used and by whom, and the right to be informed in cases of data breaches. Rather than fight these developments, companies should embrace the GDPR’s broader objective: as a means for them to establish greater data hygiene while improving the overall security posture of their IT infrastructure.
Steps Toward Better Data Hygiene
To take full advantage of the opportunity to establish better data hygiene, organisations must take a more proactive stance to protect digital data and how it’s managed. This means they need to put technology in place that helps them control and protect digital assets, and reconcile the disjointed conversations between departments to produce the shared insight necessary to update an organisation’s security posture.
To this end, the following aspects need to be considered:
As a baseline, organisations should assess whether their level of security is adequate to protect against modern threats and the common techniques attackers use to exfiltrate critical information. They should evaluate their current security posture and ask themselves, “How would we know if our data had been compromised?” and “Are we able to effectively spot infected devices?”
If not already in place, a multi-layered defense-in-depth approach needs to be adopted to spot and block even the most difficult-to-detect attacks. SSL inspection as well as behavioural analysis are critical components of this approach.
Where is personal data stored, particularly in the age of hybrid infrastructures with both on-premises and cloud storage? With corporate users adopting faster external “shadow IT” applications for their productivity needs, more and more personal data lies outside company control. These applications bypass normal security safeguards and pose a threat, both to the user and to the organisation’s ability to protect itself and comply with GDPR requirements. To regain control, companies will need to embrace the needs of the end user and adopt new technologies that simplify processes and enable greater productivity; otherwise employees will increasingly turn to shadow IT applications that lie outside the security controls of the corporate network. The first step is to get an overview of all cloud-delivered applications in use within the company and leverage concepts such as Cloud Access Security Broker (CASB) functionality to close the security gap.
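The “overview of all cloud-delivered applications in use” described above usually starts from what the web proxy already records. The following is an added example, not code from the original post or from any vendor product: it parses a few constructed proxy log lines, summarises every external host by users, requests and upload volume, and reports the hosts that are not in a hypothetical sanctioned-application catalogue. The log format, host names and catalogue are all assumptions made for the example.

```python
"""Shadow-IT discovery from web proxy logs (added example, not the post's own tooling).

Assumed log format, one request per line:  <timestamp> <user> <method> <url> <bytes_sent>
"""
import re
from urllib.parse import urlsplit

# Constructed sample proxy log; hosts are fictitious.
SAMPLE_PROXY_LOG = """\
2018-03-01T09:12:04Z alice POST https://drive.example-cloud.com/upload 524288
2018-03-01T09:15:31Z bob GET https://mail.corp.example.com/inbox 2048
2018-03-01T09:20:10Z alice POST https://api.unsanctioned-share.example/v1/files 1048576
2018-03-01T10:02:45Z carol POST https://drive.example-cloud.com/upload 262144
2018-03-01T10:30:00Z bob POST https://pastebin-like.example/api/new 4096
"""

# Hypothetical catalogue of applications the organisation has sanctioned (host -> description).
SANCTIONED_APPS = {
    "drive.example-cloud.com": "Corporate file storage",
    "mail.corp.example.com": "Corporate webmail",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<bytes>\d+)$")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname
    return rec


def discover_apps(log_text):
    """Summarise every destination host: distinct users, request count, bytes uploaded
    (POST/PUT only) and whether the host is in the sanctioned catalogue."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than abort the inventory
        entry = summary.setdefault(rec["host"], {
            "users": set(), "requests": 0, "upload_bytes": 0,
            "sanctioned": rec["host"] in SANCTIONED_APPS,
        })
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            entry["upload_bytes"] += rec["bytes"]
    return summary


def unsanctioned_uploads(log_text, min_bytes=0):
    """Hosts outside the catalogue that received uploads above min_bytes, largest first.
    These are the candidates to review for a CASB policy (sanction, coach or block)."""
    summary = discover_apps(log_text)
    hits = [(host, e) for host, e in summary.items()
            if not e["sanctioned"] and e["upload_bytes"] > min_bytes]
    return sorted(hits, key=lambda h: h[1]["upload_bytes"], reverse=True)


if __name__ == "__main__":
    for host, e in unsanctioned_uploads(SAMPLE_PROXY_LOG):
        print(f"{host}: {len(e['users'])} user(s), {e['upload_bytes']} bytes uploaded")
```

The upload-volume ordering matters more than raw request counts: a single large POST to an unknown file-sharing host is a better starting point for a data-hygiene review than many small GET requests to a news site.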
Next, organisations must ensure that protected information does not flow out via cloud storage, file-sharing sites, blogs, webmail, social networks, instant messaging, and other Internet channels. While most businesses have invested in perimeter defence, this offers a declining level of security against today’s threats. Some have created controls for data within the network, and many others have deployed data loss prevention (DLP) technology within their networks to prevent unauthorised access. However, between the harmful effects of unintentional user actions, malicious activity, and simple lack of awareness, these safeguards are likely still not enough to prevent sensitive data from leaking out onto the Internet. By implementing DLP systems that monitor Internet-bound data in motion, you can significantly reduce that risk and improve data hygiene.
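To make “DLP for data in motion” concrete, here is an added example (not code from the original post or from any DLP product) that inspects constructed outbound payloads for three common personal-data patterns: e-mail addresses, payment card numbers and IBANs. The point a practitioner will want to see is the validation step: a bare 16-digit regex would flag every order number, so card candidates are confirmed with the Luhn checksum and IBAN candidates with the ISO 13616 mod-97 check before a finding is raised. The sample payloads, the blocking policy and the masking format are assumptions made for the example.

```python
"""Outbound DLP content inspection over constructed sample payloads.
Added example, not the post's own code or a vendor product."""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# country code, two check digits, then groups of four (spaces optional)
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random digit runs such as order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check on a space-free IBAN (letters map to 10..35)."""
    if not 15 <= len(iban) <= 34:
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def mask(value: str) -> str:
    """Keep only the last four characters so DLP logs do not themselves leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def inspect_payload(text: str):
    """Return a list of (kind, masked_value) findings for one outbound payload."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", mask(digits)))
    for m in IBAN_RE.finditer(text):
        compact = re.sub(r"\s", "", m.group())
        if iban_ok(compact):
            findings.append(("iban", mask(compact)))
    return findings


# Hypothetical policy: financial identifiers are blocked outright, e-mail addresses only logged.
BLOCKING_KINDS = {"card", "iban"}


def decide(findings) -> str:
    kinds = {kind for kind, _ in findings}
    if kinds & BLOCKING_KINDS:
        return "block"
    if kinds:
        return "log"
    return "allow"


def scan_batch(payloads):
    """Apply inspection and policy to each payload; returns [(decision, findings), ...]."""
    return [(decide(f), f) for f in (inspect_payload(p) for p in payloads)]


# Constructed sample payloads (a webmail body, a chat message, a form post, an ordinary note).
SAMPLE_PAYLOADS = [
    "Hi, please find my card 4111 1111 1111 1111, thanks",
    "Order ref 1234 5678 9012 3456 shipped",                     # fails Luhn: not a card
    "Contact alice@example.com, IBAN GB82 WEST 1234 5698 7654 32",
    "Quarterly numbers look fine",
]

if __name__ == "__main__":
    for payload, (decision, findings) in zip(SAMPLE_PAYLOADS, scan_batch(SAMPLE_PAYLOADS)):
        print(f"{decision:5s} {findings} <- {payload!r}")
```

In a real deployment this inspection runs on the decrypted stream at the proxy or CASB, which is why the SSL inspection mentioned earlier is a prerequisite: without it, the patterns above never see the payload.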
Achieving a greater level of data hygiene is crucial for companies to meet the requirements of GDPR. While the legislation presents a number of challenges to companies entrusted with customer information, it also presents important opportunities. By addressing the lack of consistency in data handling across organisations, we have the chance to protect ourselves while regaining the trust of those we need the most: our customers.