- Security TWENTY
- Women in Security
The terms have been agreed, the laws have been passed and the date has been set for the implementation of the EU General Data Protection Reform (GDPR), writes Dr Guy Bunker, pictured, SVP at IT and cloud email security product company Clearswift.
As of spring 2018, both public and private sector organisations across the world (not just those within the EU) will have to adhere to a strict code of conduct to ensure that their data is protected to new, high-level EU standards, or face severe punishment if not. While the laws are strict, businesses have two years to get ready and implement the key changes needed to meet criteria. However, firms need to start preparing now to guarantee everything is in place when the regulations come into full effect; this level of change takes time, understanding, planning and resource.
To adhere to new standards, organisations have to understand what needs to be applied or changed within systems, however, most seem to be unaware of what the regulations require, let alone how prepared (or in some cases unprepared) their company is. This isn’t the first set of industry standards that have come into play, organisations have always had to meet certain requirements when it comes to data protection, but the reach of the new legislation goes much further than anything seen before and carrying with it large increases in non-compliance fines. This is why businesses need to begin adapting as soon as possible, and why many people’s understanding of the requirements may fall short. Ignorance is not bliss, and no defence in the eyes of the law. The added pressure of large-scale financial punishment that businesses will be subjected to will focus the minds of Boards and management teams. Should the rules be broken organisations stand to lose up to four per cent of global revenue or €20 million whichever the greater. This in effect removes the cap that governments have been able to hand out, using the context of a large international corporation, making millions or even billions each year the potential ramifications soon become obvious and potentially fatal for some organisations. So … how do you get ready? The first steps:
Understanding the regulations
There has been a lot written on GDPR, and over the next two years there will be a lot more. In essence, if you do business in or with organisations in the EU then GDPR will apply. It’s all about protecting EU citizen information and responding to various requests citizens might make to protect their privacy. If you have a breach then there are notification requirements (and a potentially sizeable fine). The scope extends beyond the organisation into the supply chain where you might have shared information with other 3rd party organisations.
Look beyond the head-line grabbing fines and at some of the process issues you may have, such as complying to ‘the right to be forgotten’ requirements, which will cause most organisations headaches.
Understanding business needs
The first task will be to properly understand and document the critical information which falls into the categories covered by GDPR. There is need to find out where it is held, how it moves across and outside the organisation and who has access. Without this basic knowledge, putting protection in place will be an expensive exercise which may not cover all the requirements. This activity can start before the appointment of a DPO and many would say is part of good governance – however business and business process moves fast and you may be surprised as to how information is used and shared by your organisation today as compared to 12 to 18 months ago.
There is a need to understand the potential new roles that will be needed for the business and making sure these are filled in the best way possible. For example, the regulations require companies such as all public authorities, and where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”, to hire a Data Protection Officer (DPO). Specifically outside of this, there are other options, such as needing to share a DPO. The introduction of a new role, specifically for data protection, is something many businesses probably haven’t considered before, and now that it is mandatory, will be looking at what steps are necessary to find the right type of person for the role. This shouldn’t be a rushed process; organisations should take the time to understand what is needed within the firm and the full extent of what the officer will need to do before beginning the hiring process. The role can be hired from within, which would make some things simpler as they will better understand the business as it currently stands. This person will be a critical part of the business and its ability to operate within the law; they need to understand the legislation and the business’s needs.
The next challenge to be addressed is the cost implications of upgrading systems. Many companies will be using security systems and data protection software that is out of date and do not sufficiently protect them to the extent that the GDPR stipulates. Threats are constantly evolving and so too are data protection tools. Software purchased even a few years ago may not be up to scratch as new backdoors and loopholes in security are found each day.
If a company needs new security systems, it is important to find a provider that can meet regulatory standards while also offering a system that is within budget. There is no point spending vast amounts of money on software that has a short shelf life and there are cost-effective providers out there that will provide intelligent consultancy as well as products to ensure a company can meet GDPR requirements without facing heavy overhaul costs, don’t settle for anything less. Any project which ends up requiring capital expenditure needs to be justified, budget found and then implemented. This is where the two years for compliance is really a very short time frame. Define the information, look at the protection in place and then prioritise based on risk for investments in new solutions to mitigate the risk. Finally, start the program, prevarication will lead to running out of time.
Training and education
Finally, organisations need to ensure staff understand how GDPR will affect them and are aware of what they need to do to keep themselves and the organisation secure. Employees can really help to understand what the ‘real’ processes are and how they can be improved to protect the information.
Insider threats remain one of the biggest challenges business face when it comes to protecting data, research from Clearswift found that 40% of firms expect a data breach in the next 12 months as a result of employee behaviour. With the threat of large fines looming, it is critical that everyone within the company knows how to keep data protected in the right way. This is where training and constantly keeping staff informed will prove highly beneficial, as well as a clear set of company policies and procedures.
The bottom line
Once 2018 is here and the law comes into effect, no amount of excuses will protect organisations if the rules are broken. Pre-planning and early implementation will serve you well when the regulations come into effect. However, by understanding what your organisation needs, implementing cost effective secure solutions and making sure staff understand what is expected of them are critical in meeting the demands of the new laws. Make sure you are ready to meet regulatory standards and you will continue to operate efficiently and securely in the new data-protected landscape. Forewarned is forearmed.