The EU General Data Protection Regulation (GDPR) is in force. This legislation was ratified earlier this year and as of May 25, businesses have two years to become compliant or risk fines.
Eduard Meelhuysen, VP EMEA at Netskope, says two years sounds like plenty of time; not if you ask IT teams. “Recent research from YouGov and Netskope found that almost 80 per cent of IT professionals in medium and large organisations are not confident of ensuring GDPR compliance in time for the May 2018 deadline.
“If they are to comply, IT teams will need to make the most of the two-year grace period which means that both cloud-consuming organisations and cloud vendors will need to take active measures now. As a starting point, organisations should take a hard look at how their data are shared and stored, focusing in particular on any cloud apps in use across the organisation. The GDPR makes specific provisions for unstructured data of the type created by many cloud apps, data which are typically harder to manage and control. That means organisations need to manage employees’ interactions with the cloud carefully as a key tenet of GDPR compliance.
“As cloud app use continues to increase within businesses, data will become harder to track and control. But with the GDPR instigating a maximum possible fine of 20 million euro or 4 per cent of global turnover (whichever is higher) in certain cases, there is now more incentive than ever for companies to focus on data protection. Getting a handle on cloud app use will be a crucial part of ensuring compliance for any organisation, and IT teams will need to start work now to meet the May 2018 compliance deadline.”
Dave Allen, SVP & General Counsel, Dyn, says businesses will need to take a hard look at their current methods of sharing and storing data. “While some internet companies have begun to address new challenges at the fixed locations where data is stored – this alone will not necessarily be enough to ensure compliance.
“Those companies focusing solely on data residency may well fall victim to a false sense of confidence that sufficient steps have been taken to address these myriad regulations outlined in the GDPR. As the GDPR will hold businesses accountable for their data practices, businesses must recognise that the actual paths data travels are also a key factor to consider. In many ways, the constraints which come with the cross-border routing of data across several sovereign states mean these paths pose a more complex problem to solve.
“Although no silver bullet exists for compliance with the emerging regulations which govern data flows, businesses which rely on the global Internet to serve their customers should be seriously considering visibility into routing paths along both the open Internet and private networks. As we enter an era of emerging geographic restrictions, businesses with access to traffic patterns in real time, in addition to geo-location information, will find themselves in a much stronger position to tackle the challenges posed by the GDPR.”
David Mount, director, security solutions consulting EMEA, Micro Focus, says the regulation is set to have an enormous impact on organisations operating in the EU. “Companies now have two years to comply with the legislation so it will be interesting to see where they go from here. What’s clear is that they need to take action now to ensure they understand the data they hold and how they use it. Businesses should limit access to data to only those who need it and ensure good data hygiene by keeping authentication practices up to date. Historic data could pose an unnecessary risk, so it may also be worth deleting this to lower the potential impact of any security breaches.
“The next two years will see some technical and judicial challenges for companies in the EU, so it’s important that they start to educate themselves now about the steps they should take to ensure compliance. For the consumer, now accustomed to hearing about breaches in the news on a daily basis, the impact of the measure remains to be seen. We’ll start to see the consumer perception of data protection and privacy develop over the next two years, and it will soon become clear whether or not the GDPR has the desired effect in Europe.”
Jon Geater, CTO, Thales e-Security, says: “The GDPR will place an even greater onus on organisations to safeguard the personal data they hold from attacks. Companies will now have an even greater obligation to protect the personal information entrusted to them, no matter how it’s processed. The new rules also make clear another important factor that we should already have known: that you can outsource your risk, but you can’t outsource your responsibility. If organisations use a third party provider to store and manage data – such as a cloud provider, for example – they are still responsible for its protection and must demonstrate exactly how the data is protected in the remote system. Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.
“In addition, organisations will now have to provide citizens with online access to any of their own personal data they store. While the Data Protection Act traditionally allowed anyone to request access to this data, with GDPR in effect organisations must make this available for download ‘where possible’ and ‘without undue delay’. This is a very significant change and securing this access will represent a significant challenge to many organisations – especially while still complying with the new tighter rules – and will require robust cybersecurity technology across the board.”
Deema Freij, global privacy officer, Intralinks, says: “Businesses operating in Europe now have two years in which to examine and fundamentally change the way they store and share data or risk contravening the new regulations. According to research we carried out with Ovum recently, two thirds of global companies will review their business strategies in Europe in light of the GDPR, and more than half of businesses (52pc) expect to be fined due to breaches of regulations. The upcoming referendum on EU membership offers an additional twist. Should the country vote for Brexit, it’s worth considering how a UK government disconnected from the EU would re-evaluate its data protection law without the GDPR or any other European directive to guide it.
“If the UK were to leave the EU, it would be some time before global and UK companies would know what to do around the issue of data transfer. Any practical guidance would be unlikely to arrive immediately and, during that time, many companies could be unknowingly operating against the law, leaving them with a number of critical legal issues, and increasing the risk of data breaches.”
And Kate Lewis, head of data strategy at GBG, says: “To date, organisations processing personal data of EU residents have had to deal with a patchwork of the 28 different national data protection laws. The GDPR, however, will bring much needed clarity to the data market. Individuals need to be clearly informed around how their data will be used, and this is especially true in today’s threat landscape. Every week we are faced with yet another news story about a high profile company experiencing a data breach in which sensitive and valuable customer information has been leaked onto the internet. Nowadays, businesses need to be using the data available to them intelligently to help protect their customers. This protection of individuals is at the heart of the EU GDPR, with a number of principles focused on the processing and maintenance of personal data stored within organisations. Of course, complying with these new regulations will not be without its challenges. Whilst for some companies it will be a change in mind-set from seeing compliance as a tick box requirement, others will need to take stock of all the customer data held within the business and decide which data to keep or get rid of. Businesses that take action now will find themselves in a much more advantageous position come 2018. Two years may seem like a long time, but it will pass us by faster than we know.”