At a time when data thefts and breaches have become commonplace, and are often disclosed publicly only years after they occur, it comes as a relief that some power over their sensitive personal information has been handed back to consumers.
GDPR, the European General Data Protection Regulation that becomes enforceable on 25 May 2018, gives individuals in the EU control over how their personal data is used, including the right to withdraw consent and to request erasure. For the companies that collect, process or store such data, however, it can be a completely different story. This article looks at the challenges the journey to compliance entails and how industry experts advise they can be addressed.
In many ways, GDPR is intended to drive organisations to do what they should already be doing: protect the personal information of their customers and employees. Those who have not yet started down that route may be looking at significant investment in a relatively brief period of time, in order to avoid penalties of up to 4% of annual global turnover or €20 million, whichever is greater.
“The amount of investment a company can potentially be looking at is highly dependent on where an organisation is in its data protection control deployment and the size of the organisation. For organisations under 250 people, investment may be insignificant but for larger organisations that have not implemented an effective data protection function the cost can be substantial,” says Brian Chappell, Senior Director, Enterprise & Solution Architecture, BeyondTrust.
Some of the largest challenges for organisations lie in understanding just what needs to be done and in realising that GDPR does apply to them: under Article 3 the regulation covers any organisation, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour.
According to the Vice-President of Global Marketing at Seclore, Lynne Courts, “A very common-sense approach is to simply utilize data-centric security which is typically in the form of a Rights Management solution. By adding Rights Management, organizations can easily protect and control the use of sensitive files, including EU citizen data, wherever it travels.”
Though GDPR harmonises data protection law across the EU, organisations in the Middle East and Africa will certainly face challenges, since privacy and breach-notification rules in the region are in general less strict and less detailed than GDPR.
“To help prepare for GDPR compliance, organisations in the region need to adopt security controls, such as encryption and access restriction, along with ongoing monitoring of data access. It is also essential to conduct a privacy impact assessment identifying and assessing privacy risks,” says Mazen Dohaji, Regional Director – META, LogRhythm.
Another major challenge for the regional market will be segregating GDPR-related personal data from the rest of the confidential data on the network. Reforming security strategies, adopting dedicated security measures and investing in audit and assessment technologies just for that segregated personal data will come with a heavy price tag and have a huge operational impact on regional organisations.
“It is very important to first determine where personal data is stored and then align everyone in the company (including IT, marketing, customer support, and data teams) with the new policies. In addition to this, ensuring that proper data governance, security and monitoring are in place in case of an audit along with the right processes to accommodate requests from data subjects will also take substantial time and effort,” adds Scott Manson, Cybersecurity Lead – MEA, Cisco.
GDPR compliance promises to be a major operational and technological exercise for all organisations within its scope. Given the breadth of GDPR, no single solution provides automatic compliance with all aspects of the regulation.
BeyondTrust offers solutions that provide the capability to have true control over who has access to data, when the data is accessible, where the data is accessed and visibility into how that data is accessed. “These kinds of controls take you a long way along the path to data privacy and provide foundational elements on which you can build the more complex aspects of data privacy and compliances,” explains Chappell.
LogRhythm's GDPR Compliance Module maps the product's capabilities to 16 technology-focused GDPR Articles, helping organisations protect personal data and so avoid fines, reputational damage and loss of customer confidence.
According to Manikandan T, Director of Product Management at ManageEngine, companies should look at investing in solutions such as ManageEngine's security information and event management (SIEM) product, Log360, which has built-in auditing capabilities to detect and report data breaches.
“Organizations must check their consent documents and personal data collection methods to ensure how compliant they are with the GDPR requirements. They must also review security policies to ensure whether they’re safeguarding personal data at rest, transit or in process,” he adds.
Organisations need to either employ or engage people who can help them understand what needs to be done and guide them through that work. “GDPR readiness can, in broad terms, be assessed internally but it is advisable for larger organisations to engage a GDPR consultant who can ensure that the organisation is properly and fully compliant,” says Chappell.
GDPR compliance will always be a combination of technology, people and process and cannot be achieved through a single technology solution.
Being able to provide a secure environment within which personal data can be stored is an important step towards GDPR compliance. Creating a data protection strategy can be a daunting process, especially if it has not previously been a focus area for the organisation. “The best way to prepare is to implement a solid data protection strategy that guards against loss of data in the first place,” explains Harish Chib, Vice President – MEA, Sophos.
Chappell further emphasises that regional organisations should not dismiss regulations simply because they do not yet apply in their region. “They provide excellent frameworks for applying best practices to your organisation so that you are ready for when they do apply or when local governments implement their own regulations in these areas.”
Data protection regulations are evolving all the time, and new national and regional regulations will continue to appear. Given the threat landscape, local legislation is unlikely to be far behind, so organisations should not assume they need not act now simply because they have no local laws to review yet.