In May 1986, a little-known Swedish band called Europe released their international breakthrough album, The Final Countdown – topping the charts in 25 countries. Thirty years later in May 2016, the European Commission released the official EU General Data Protection Regulation (GDPR) – another international breakthrough with a far greater global impact, albeit on the data privacy and protection landscape. But when legislation becomes law on May 25th 2018, will you be prepared? With just one year left, it’s the final countdown.
Assess. Protect. Revise. Repeat.
With enforcement of EU GDPR around the corner, nearly every IT vendor has something to say about it. So let’s keep it simple. Few organizations will be starting from scratch, considering that data protection laws have been in place across Europe for years and many organizations will be complying with existing standards, for example PCI DSS. So, it’s really a matter of assessing where the GDPR gaps are, filling those gaps with appropriate business practices and protective safeguards, and taking a proactive and engaged approach with regular risk assessments and ongoing employee awareness.
First off, GDPR is not just an IT problem; it requires a cross-organizational approach – working with IT, HR, legal, marketing and other business departments. Organizations should start by assessing what personally identifiable information (PII) they hold on EU residents and where that data resides. A Data Privacy Impact Assessment may be necessary as well. Other critical areas to assess include:
- Business and Information Sharing Agreements
- Consent Forms and Procedures
- Data Breach Detection and Response
Next, determine how EU resident data is produced, how it is protected, and whether it is absolutely necessary to your business processes. Implement organizational policies such as least-privilege access and data minimization; these are not only best practices, they are GDPR-mandated.
While GDPR stops short of mandating encryption, the explicit reference to it in the security provisions (encryption is cited 3X) should signal to businesses that regulators will take its implementation into consideration when evaluating compliance. Not only that, encryption significantly reduces the risk of having to issue a breach notification and of the serious fines that could follow – up to 4% of global revenue or €20,000,000 (USD $22,371,400).
Article 32 – Security of Processing – offers less than 300 words on requirements for security measures, making it difficult for businesses to have a clear picture of how to implement “appropriate” safeguards. But two things are clear. Organizations should implement pseudonymisation and encryption of personal data [Article 32(1)(a)], and they should have a process in place to regularly test, assess and evaluate security measures [Article 32(1)(d)]. You’d better believe that regulators will use these two explicit criteria to determine whether your security measures are appropriate to the level of risk in your organization.
Compliance is not a one-time project. It’s a continuous and sometimes repetitive effort to protect your business and the privacy of your clientele. Create a regular cycle of assessing security posture to find gaps, responding with appropriate protections, and revising or reviewing security posture in rapidly changing business environments. Cloud and IoT adoption, for example, should prompt a re-assessment of security posture. Organizations should implement appropriate measures, such as encryption, to protect data both in production environments (including app/web development and testing) and in backup environments in the Cloud.
Are You Prepared?
Let’s remember that EU GDPR is not a hindrance to, but rather a necessity for, business success moving forward. GDPR revolutionizes business operations by defining data privacy as a fundamental human right, emanating from a region many would consider the birthplace of human rights. The process of becoming compliant will ultimately leave businesses better off. GDPR consolidates regulations across Europe – beneficial for businesses operating across EU member states – establishes trust in online services, and introduces business benefits for EU-trusted and security-tested services.
Assess your GDPR readiness today with our EU GDPR Whitepaper and Quick Tips Guide.