Organizations should prepare now for new European Union data privacy regulation.
Security breaches are already costly; not just financially, but in terms of brand damage, customer dissatisfaction and downtime. For companies that do business with residents of the European Union, the financial fallout from a security breach is about to get much more expensive. That’s why it’s imperative for organizations to get ready for GDPR now, so they’re not playing catchup.
What is the GDPR?
With the introduction of the General Data Protection Regulation (GDPR), the European Union is enacting a set of mandatory regulations for businesses that goes into effect May 25, 2018. Organizations found in non-compliance will face hefty penalties of up to 20 million euros, or 4% of worldwide annual turnover, whichever is higher.
Simply put, GDPR was enacted to give citizens and residents more control over their personal data and puts strict data handling rules in place governing “controllers” that collect data from EU residents, and “processors" that process the data on behalf of controllers, such as cloud providers.
The GDPR is not just applicable to businesses in the EU, it applies to the data of all EU citizens, regardless of where it’s stored. That means if a citizen of the EU has data stored with a company inside the U.S., the GDPR applies.
Under the GDPR, data controllers must report a data breach to the supervising authority within 72 hours of becoming aware of the breach. From there, individuals must be notified if an adverse impact is determined, and the data processor must notify a controller without undue delay after becoming aware of a personal data breach.
Neither the processors nor controllers, however, must notify data subjects if anonymized data is breached – meaning if the controller has implemented encryption and other measures to protect data. The regulation, however, broadly defines a data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
The GDPR also gives consumers and individuals more power. Article 17 of the GDPR is the “right to erasure,” which is more commonly known as the “right to be forgotten.” Article 17 empowers individuals to request that a data controller erase all of their personal data without delay and at no cost. It means all data, such as files, records, backup and archived copies – all of it.
The GDPR lights a fire under organizations to implement stronger security measures to protect their networks and data and, in the event of a breach, report it swiftly. It also makes it a legal obligation to configure security systems to put data privacy and consumer protection first.
Prepping for GDPR
So how do companies ensure their systems and their customers’ data are protected when the GDPR takes effect? As with most security recommendations, it’s about having a battle plan in place well before hand.
Gartner recommends a good starting point for GDPR prep is to create two new roles dedicated to data protection: One who acts as a contact point for the data protection authority and data subjects, and the other a data protection officer to ensure processing operations maintain compliance.
From there, companies should be proactive and transparently demonstrate accountability for all processing activities, examine how data flows across borders within the EU and outside of it, and ensure they have systems in place notify individuals and authorities should a breach occur and to comply with the right to be forgotten should an individual ask for their data to be erased.
It’s also imperative that companies have systems in place to prevent breaches in the first place. Since notification is not required for breaches involving anonymized data, companies should examine their encryption solutions to ensure private data is and remains private.
A dedicated decryption solution can ensure encrypted data is decrypted for visibility and inspection, and companies can opt to bypass certain types of traffic that should remain encrypted and anonymized such as personal data. That gives organizations the benefit of decryption services, while still complying with GDPR.
Companies can also institute stronger identity hygiene practices to ensure attackers aren’t attempting to crack into networks to steal data. Simple steps like multi-factor authentication, encouraging the use of passphrases over passwords, and swiftly depreciating expired employee accounts can ensure access is only granted to authorized personnel.
Analytics solutions can also help by enabling companies to quickly and accurately detect security anomalies. Having an understanding of how applications are performing in real-time and their security posture could alert an organization in the event of a breach or an attempted data theft.
Andrew Hickey serves as A10’s editorial director. He has two decades of journalism and content strategy experience, covering everything from crime to cloud computing and all things in between.