With a little more than six months until it goes into effect, the General Data Protection Regulation (GDPR) is on the minds of organisations across the world.
According to PwC’s Preparedness Pulse Survey, 92% of companies consider GDPR compliance a top priority on their data-privacy and security agenda, with over half saying it’s “the” top priority.
But prioritising and acting are two very different things, and – given how massive the task of complying is – many organisations are likely behind schedule. For those who are not far enough along or who have not started to comply yet, there is some significant motivation.
The fines for failing to meet the regulation are up to 20 million euros or four percent of global annual turnover, whichever is higher. But there is more to this than simply being compliant. GDPR offers companies an unprecedented chance to clean out their “data closets,” so to speak. In that sense it is not so much a burden as an opportunity for organisations to restructure their data estate the way they want it to be.
For many large institutions built through aggressive acquisition strategies, personal data is scattered across legacy architecture that is difficult to access, hard to manage and almost impossible to sort through – so it is no wonder organisations have put the job off. GDPR, however, offers an opportunity to comb through every place they store data, reorganise it and update the existing architecture.
This is not only a chance for institutions to update and streamline their IT services, but a critical opportunity to guard themselves against the data breaches that have become routine – in turn making the institution more secure.
It seems that every day there is a new data breach: 50% of data breaches in the UK this year were due to hackers, the cost per record lost was US$138, and the chance of a further breach within the next two years is 28%. This should concern everyone, because a breach has a severe impact on the organisation from the front line to the C-suite.
How can organisations combat these threats while also working towards GDPR compliance? By leveraging next-generation technologies. Enter biometrics. Replace cumbersome, easily stolen or shared credentials like PINs, passwords and tokens, which on their own clearly aren’t working.
According to Verizon’s 2017 Data Breach Investigation Report, organisations are not doing enough “if a username and password is the only barrier to escalating privilege or compromising the next device.”
Building a stronger access control environment, and enforcing it, will require biometric authentication to ensure “you are who you say you are.” Accessing personal or financial information with something you are (biometrics) is harder to phish, share or reuse than doing so with something you know (a password or PIN) alone.
Many companies are now beginning to implement multi-factor biometric authentication: the combination of multiple factors such as something you have (e.g. a phone), something you know (e.g. a passcode) and something you are (your biometrics). This added layer improves security and can strengthen legacy systems that would otherwise rely on a password alone.
Biometrics also help in auditing and forensics by creating traceability, and the ability to reconstruct an event will become especially important under the GDPR. With a biometric authentication platform, financial institutions can recreate every step in a process: login, data access and control, timestamps and location stamps, right through to exit and even distribution. A biometric identity stamp on each of these records ties the action to a person rather than to a credential that anyone could have held, giving financial institutions a far stronger basis for non-repudiation if a record is ever challenged in court.
There are other GDPR requirements that biometrics can assist with. The IEEE 2410 Biometric Open Protocol Standard includes provisions for biometric template storage that can help companies meet the “right to be forgotten.” The standard recommends a distributed data model that breaks up the biometric and stores the pieces between the user’s device and a back-end server, so that no single store holds a usable template. This way companies can secure the biometric data and give end users the ability to control and delete it as GDPR requires: once either piece is deleted, the remainder is useless on its own. Bear in mind that biometric data used to uniquely identify a person is itself special-category personal data under GDPR (Article 9), so the templates need at least the same care as the data they protect.
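To make the distributed-storage idea concrete, here is an added illustration in Python; it is not Veridium’s code and not the IEEE 2410 mechanism itself. It assumes the simplest possible split, a 2-of-2 XOR (one-time-pad) sharing of a constructed 256-bit template, with one share held on the device and one on the server, and fuzzy matching by Hamming distance against a hypothetical threshold. The store classes, `enrol`, `verify` and `forget` names are illustrative.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TEMPLATE_BYTES = 32     # constructed: a 256-bit feature code (e.g. an iris code)
MATCH_THRESHOLD = 0.25  # hypothetical: fraction of differing bits tolerated


def split_template(template: bytes) -> Tuple[bytes, bytes]:
    """2-of-2 split: share_a is a uniformly random pad, share_b = template XOR share_a.
    Either share alone is statistically independent of the template."""
    pad = secrets.token_bytes(len(template))
    return pad, bytes(t ^ p for t, p in zip(template, pad))


def join_shares(share_a: bytes, share_b: bytes) -> bytes:
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Biometric matching is fuzzy: compare by fraction of differing bits."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return bin(diff).count("1") / (8 * len(a))


@dataclass
class DeviceStore:
    shares: Dict[str, bytes] = field(default_factory=dict)


@dataclass
class ServerStore:
    shares: Dict[str, bytes] = field(default_factory=dict)


def enrol(user_id: str, template: bytes, device: DeviceStore, server: ServerStore) -> None:
    """Store one share per side; the raw template is never persisted anywhere."""
    share_a, share_b = split_template(template)
    device.shares[user_id] = share_a
    server.shares[user_id] = share_b


def verify(user_id: str, probe: bytes, device: DeviceStore, server: ServerStore) -> bool:
    """Reconstruct the enrolled template only for the duration of the match."""
    share_a: Optional[bytes] = device.shares.get(user_id)
    share_b: Optional[bytes] = server.shares.get(user_id)
    if share_a is None or share_b is None:
        return False  # one half gone: nothing to match against
    enrolled = join_shares(share_a, share_b)
    return hamming_fraction(enrolled, probe) <= MATCH_THRESHOLD


def forget(user_id: str, server: ServerStore) -> bool:
    """Right to be forgotten: drop the server share. The share left on the
    device is a random pad and reveals nothing about the template."""
    return server.shares.pop(user_id, None) is not None


def perturb(template: bytes, n_bits: int) -> bytes:
    """Constructed probe: flip the first n_bits bits to simulate sensor noise."""
    out = bytearray(template)
    for i in range(n_bits):
        out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


if __name__ == "__main__":
    device, server = DeviceStore(), ServerStore()
    template = bytes(range(TEMPLATE_BYTES))  # constructed, not a real biometric
    enrol("alice", template, device, server)
    print("noisy probe matches:", verify("alice", perturb(template, 10), device, server))
    print("wrong probe matches:", verify("alice", perturb(template, 100), device, server))
    print("forgotten:", forget("alice", server))
    print("exact probe after forget:", verify("alice", template, device, server))
```

The point to take from this is structural, not cryptographic: deleting one share is a complete, verifiable erasure, and a breach of the server alone yields only pad-looking bytes. A production scheme would use a hardware-backed key store on the device, authenticated transport between the two sides, and a proper biometric matcher rather than a fixed Hamming threshold.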
Now is the time to get educated and prepare for compliance. Use this mandate as an opportunity to strengthen and protect the organisation’s data assets – and don’t delay. Financial institutions can utilise the GDPR as an opportunity to evaluate their legacy architecture and create a more secure environment. And while 95% of executives in the UK are aware of GDPR, nearly 67% are unaware of the extent of GDPR fines and 20% claimed a fine “wouldn’t bother them.”
A lagging organisation risks the full fine, but don’t aim merely to avoid fines – this is the perfect opportunity to actually improve the organisation. Clean out “the closet” and use the moment to embrace advanced security solutions for data, employees and customers.
Sourced by James Stickland, CEO, Veridium