
Steps to GDPR compliance

by Mark Rowe

A report by a cyber security product company measures organisations’ readiness to comply with the European Union’s General Data Protection Regulation (GDPR), which takes effect from May 25, and Australia’s Notifiable Data Breaches (NDB) scheme, which came into effect on February 22. The results reveal that almost all (95 percent) of the IT decision makers (ITDMs) surveyed agree that there will be fewer data breaches as a direct result of stronger data protection policies.

UK ITDMs are less confident than those in the United States and Australia about their ability to provide all information held on EU citizens within one month of a request. US ITDMs (83 percent) say they are very confident, significantly more than their UK (18 percent) and Australian (50 percent) counterparts. Most (95 percent) have some level of confidence in their ability to meet such a request. All ITDMs report that their organisation will be training its employees on the GDPR and NDB regulations, while only about half (53 percent) of companies worldwide have already completed training for GDPR.

The cyber firm advises that you know what personal data your organisation holds, where it is stored, and in which systems. Schedule audits regularly and allocate resources for this work. Any data you do not need, delete securely. There are legal requirements for retaining certain types of data, but where retention is not required, disposing of the data reduces risk.

Megan Shields, Data Protection Officer, Webroot, says: “While it doesn’t come as much of a surprise that each respective country is focused on its own citizens’ data, organisations have to remember that in a global marketplace, their business impacts citizens beyond their own borders. We’re focused on offering our managed service partners solutions such as user training and endpoint protection to comply with the global regulations aimed at keeping data safe.”

Visit: Webroot.com/GDPR.

Comment

Lynn Elwood, VP cloud and services solutions at OpenText, says: “Ask yourself this simple question: Do I know where all the personal data in my company resides? The answer for the vast majority of us will be a resounding ‘no’. Yet, that’s exactly what GDPR demands of you. Even medium-sized companies can easily be looking at terabytes or petabytes of information amassed over many years. They have data hiding in legacy systems, file shares and email systems. In many cases, the people who originally created the data have now left the organisation. Given this situation, it may not be so surprising that over 60% of security professionals say that they don’t know where their sensitive data is. This is no longer acceptable for GDPR.

“GDPR requires that personal data is continually managed to ensure that you remain compliant at all times and that you can quickly respond to requests from individuals such as the right to have all their data removed. Data discovery should give you the ability to monitor, track and trace the personal data within your organisation to ensure that you have visibility of all activities taking place on that data. This will help to quickly identify the source of data breaches and enable you to comply with notification requirements should a breach occur. Whether you think that your organisation is in the position to comply fully or partially with GDPR, it’s essential that you are able to demonstrate ‘good faith’ endeavours in that direction. By conducting data discovery now, you’ll show that you’re taking GDPR seriously and have taken the first major step to compliance.”

Under GDPR requirements, organisations have just 72 hours to gather all related information and report data breaches to the relevant regulator. This is a significant undertaking, says website and database security product company Imperva in a blog.

The insurer Aon and law firm DLA Piper have launched a guide ‘The price of data security’, ahead of the GDPR. Vanessa Leemans, Chief Commercial Officer, Aon Cyber Solutions EMEA said: “GDPR will expose organisations to significantly higher risks related to how they manage and store personal data. Data breaches, and other cyber events, could see businesses face both major fines and extensive costs. It is therefore essential that organisations fully understand where their exposures lie. They should work closely with their insurance partners to ensure they have an appropriate risk transfer solution and incident response plan in place.”

In 20 of the 30 jurisdictions reviewed, including the UK, France, Italy and Spain, GDPR fines would generally not be regarded as insurable, the guide suggests. But insurance against legal costs and liabilities following a data breach is widely available across Europe.


© 2024 Professional Security Magazine. All rights reserved.
