The General Data Protection Regulation is changing the way organisations – both large and small – need to look after information. And there's now just over a year to get it right.
When the GDPR rules were added to British law and the UK was given two years to get it right before penalties began, some companies realised the dawn of a new era had arrived. It was time to get serious about looking after their own business information and their customers’ personal data.
Others, however, shrugged their shoulders and decided to kick the can down the road, thinking: (a) GDPR didn’t concern them, (b) the EU regulation could be repealed before it became actively enforced, or at least soon afterwards, or (c) they’d sort it out later.
Unfortunately, for these people, the message is now a tough one.
If you do business in the UK, or the wider EU, and you keep personal data (anything from IP addresses to bank details), it does affect you.
The British government hasn’t repealed it and isn’t likely to any day soon.
Time is running out; the deadline to have your beefed-up data protection policies and practices in place is just over a year away. If you don’t, you could be running the risk of enormous penalties and perhaps the ignominy of being one of the first to fall foul of the new rules, which is why it’s important to act now.
Whilst GDPR has been introduced to better protect EU citizens’ data and to standardise legislation throughout Europe – and its implementation may disrupt the way many organisations operate – it should be considered good for business. It will help you manage risk effectively, understand security dangers and protect your brand.
Companies should solve data security issues by approaching them from a business point of view. The introduction of GDPR has provided organisations with an opportunity (if not a wake-up call) to take full control of their data and re-evaluate security systems that are no longer suitable.
20 million reasons to get it right
Organisations who collect or handle EU citizen records should be aware of a couple of headline items. Firstly, people who intentionally or negligently break the rules may be liable for fines of up to €20m or 4 per cent of annual turnover, whichever is greater. Secondly, organisations must notify a breach to their supervisory authority within 72 hours of it happening. It is critical – because of these increased sanctions – that key stakeholders within the business fully understand the final legislative text.
GDPR compliance: the five steps
To develop an effective defence strategy, the first step is to be clear whether your organisation is a data controller or a data processor when it comes to Personal Identifying Information (PII). PII is any data that can potentially identify someone. Organisations should regularly review existing and new processes around PII. They can determine where this data resides and, importantly, whether it is at rest, in motion and/or in use. Knowing this will help them to understand how this data is, or should be, protected.
Having identified data as PII, it is vital that it is secured. Common control standards include encryption and access control. But there is still much more that can be done. Monitoring for data leakage by negligent or malicious employees, and for external data theft, are both important considerations. Password sharing puts organisations at risk of data loss because people use passwords that are all too easy to crack.
To demonstrate compliance with GDPR, alternative solutions will need to be adopted. Technology which reduces the chance of breaches happening through email can significantly reduce the risk. Programmes which routinely control who sees what information, and what they can do with it, are another layer of mitigation. Tools which educate employees and stop them making data vulnerable can also limit exposure.
When data loss occurs, it’s critical that the breach is detected quickly so you can know whether any PII records were lost or stolen. If they were, speed of discovery is paramount. Notifications must be sent to the relevant authorities within 72 hours of the discovery, and a full investigation needs to be started.
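The two steps above, knowing where PII resides and in what state, and then being able to report a breach within the 72-hour window, can be rehearsed on a small scale. The following is an added example, not code from the original article or from Avatu: it runs a handful of simple pattern checks over constructed sample records (the records, the patterns and the function names are all assumptions made here), builds an inventory of which locations hold which kinds of PII and in what state, and computes the notification deadline from the time of discovery.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records: an export at rest, a gateway log line in motion,
# a support ticket in use, and one record that holds no PII at all.
SAMPLE_RECORDS = [
    {"location": "crm_export.csv", "state": "at-rest",
     "text": "Alice Example, alice@example.com, 198.51.100.23"},
    {"location": "api-gateway.log", "state": "in-motion",
     "text": "GET /orders/42 from 203.0.113.5 user=bob@example.org"},
    {"location": "support-ticket-1187", "state": "in-use",
     "text": "Refund to sort code 12-34-56 account 12345678"},
    {"location": "release-notes.md", "state": "at-rest",
     "text": "Version 2.3 fixes the export bug."},
]

# Deliberately simple patterns (an assumption of this example); a production
# scanner would validate matches and expect false positives, e.g. any 8-digit
# number matches the account-number pattern.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "uk_sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "uk_account_number": re.compile(r"\b\d{8}\b"),
}


def classify_record(record):
    """Return the record's location and state plus the PII types found in it."""
    found = sorted(name for name, pattern in PII_PATTERNS.items()
                   if pattern.search(record["text"]))
    return {"location": record["location"], "state": record["state"],
            "pii_types": found}


def pii_inventory(records):
    """Keep only the records that contain at least one kind of PII."""
    classified = (classify_record(r) for r in records)
    return [c for c in classified if c["pii_types"]]


def summarise_by_state(inventory):
    """Count PII-bearing locations per state (at-rest / in-motion / in-use)."""
    counts = {}
    for entry in inventory:
        counts[entry["state"]] = counts.get(entry["state"], 0) + 1
    return counts


def notification_deadline(discovered_at):
    """The supervisory authority must be notified within 72 hours of discovery."""
    return discovered_at + timedelta(hours=72)


def hours_remaining(discovered_at, now):
    """Hours left in the notification window; negative once it has lapsed."""
    return (notification_deadline(discovered_at) - now).total_seconds() / 3600


if __name__ == "__main__":
    inventory = pii_inventory(SAMPLE_RECORDS)
    for entry in inventory:
        print(f"{entry['location']:<22} {entry['state']:<10} {entry['pii_types']}")
    print("per state:", summarise_by_state(inventory))
    discovered = datetime(2023, 1, 1, 9, 0, tzinfo=timezone.utc)
    print("notify by:", notification_deadline(discovered).isoformat())
```

The inventory is the artefact the first step asks for: a list of where PII lives and whether it is at rest, in motion or in use, which then drives the choice of control (encryption for the export, TLS and log redaction for the gateway, access control for the ticket). The deadline helper is trivial on purpose; its value is in being wired into the incident response plan so that the clock starts at discovery rather than at the end of the investigation.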
Organisations need to design protection strategies for the differing levels of sensitivity. They need tools that will not only protect the organisation’s ‘crown jewels’, but also minimise the chance of a data leak.
It is widely acknowledged that it takes an average of 247 days for organisations to discover that they have indeed been breached, and the UK average is believed to be more like 400 days, according to recent government research. This is mainly because the industry focus has traditionally been on creating perimeter defences such as anti-virus and sandbox technologies. Unfortunately, these will only help to defend against known threats.
GDPR means that security breaches can no longer be swept under the carpet. Incident response is a crucial element when it comes to protecting the data. On top of the mandatory data breach notification requirement, organisations must also make sure they’ve implemented and tested an effective incident response plan. With a plan in place, organisations have a better chance of reducing the risk and impact of data breaches.
Next-generation tools that use ‘deep inspection’ techniques to detect breaches in real time enable a quicker response and reduce the impact. Digital forensics are an important part of finding out what has happened and who is responsible, and they provide intelligence to improve future protection.
The final step for businesses that fall victim to a data breach is to continue ongoing communication with the authorities and the customers affected. This makes sure any losses are managed and those who have been directly affected are regularly kept informed. During the recovery process, organisations will learn the lessons of why things went wrong, and use this to improve their future arrangements.
Still unclear about GDPR and how it affects you?
Anyone who has questions about GDPR, or who’s unclear about their readiness for the new rules, can arrange a special assessment with Avatu or sign up for an Avatu GDPR webinar or briefing. Phone: 01296 621121. Email: firstname.lastname@example.org