5 steps to prepare for the GDPR

The GDPR is a heavyweight piece of legislation that will require organisations across the board to put a stricter focus on the way they handle data.

The security landscape is exceptionally sensitive at the moment as stories of high profile data breaches continue to populate column inches.

In light of this, the introduction of the GDPR should act as a wake-up call for organisations to take full control of their data and re-evaluate security systems that are no longer suitable.

Organisations also need to assess their current data protection strategies and address any areas of the business where data protection may be weak.

Introduced with the purpose to better protect EU citizens’ data and to standardise legislation throughout Europe, the GDPR brings an array of new requirements for both controllers and processors of personally identifiable information (PII).

There are some major headline items that organisations who collect or handle EU citizen records need to be aware of.

First, intentional or negligent violators may be liable for fines of €20 million or 4% of annual turnover, whichever is greater.

Second, organisations must notify a breach to their supervisory authority within 72 hours of occurrence.


These increased sanctions make it critical that key stakeholders within the business fully understand the final legislative text.

Businesses need to start implementing adjustments as soon as possible, and a breach must be treated as a matter of ‘when’ rather than ‘if’ when planning defence strategies, irrespective of company size. To this end, how should organisations be approaching their security processes to ensure compliance?

Identify

The first step for any organisation that wants to plan and execute an effective defence strategy is to establish whether it is regarded as a data controller or a data processor. It must then review the associated obligations, such as issuing notices and obtaining consent.

PII is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymising anonymous data can be considered PII.

Organisations need to regularly review existing and new processes around PII. By doing so, they can determine where this data resides. Moreover, they can learn whether it is at-rest, in-motion and/or in-use.

Adopting this approach will also enable organisations to have a record of all processing activities and will help them to understand how this data is protected.

Protect

Once PII has been identified it’s vital that this data is then secured.

Common control standards include access control and encryption, although managing encrypted data across multiple business processes comes with intrinsic difficulties.

Data sovereignty and the lifecycle of information are key, alongside data flows to third parties.


Additionally, monitoring for data leakage from negligent or malicious employees and external data theft is a salient component.

By way of example, password sharing puts any enterprise at risk of data loss, because password-based authentication is a weak control.

In order to demonstrate compliance with the upcoming GDPR, alternative solutions need to be adopted.

The best advice is to implement a solution that does not have a user identity store at all, which ensures no passwords and usernames are stored, transferred or shared with any third party.

Detect

If data loss occurs within an organisation, it’s critical that the breach is detected to ascertain if any PII records were lost or stolen.

If so, notifications must be sent to the relevant authorities within 72 hours of the discovery and a full investigation has to be initiated. Therefore, the speed at which a breach is identified is critical.

Response

Gone are the days of EU organisations being able to sweep security breaches under the carpet. Incident response has risen to the forefront as a crucial element of protecting the data of EU citizens.


In addition to the mandatory data breach notification requirement, organisations must also make sure they have implemented and tested an effective incident response plan. The more effective the plan in place, the better chance organisations have of reducing the risk and impact of data breaches.

Recovery

The final step for businesses that fall victim to a data breach is to continue ongoing communication with the relevant authorities. This ensures that any losses are managed and that those who have been directly affected are regularly informed.

Now is the time for organisations to put a stricter focus on their approach to data protection.

Although implementing the required changes may disrupt the way many organisations operate, it will encourage organisations to manage risk effectively, understand security dangers and protect their brand. This will ultimately lead to increased competitive advantage.


Sourced by Dave Worrall, CTO at Secure Cloudlink

Nick Ismail
