With the changes in EU regulation that GDPR introduces, specifically relating to how the personal data of EU citizens must be handled, organisations are facing fresh challenges in how they prove compliance. GDPR brings particular burdens with the ‘Privacy by Design’ mandate that requires data privacy is part of the system design process from day one.
Failing to comply with GDPR could result in fines equal to 4% of Global revenue or €20m, whichever is greater.
Can businesses meet GDPR requirements without slowing down?
High velocity innovation is accepted as a necessity to remaining competitive in our increasingly digital industries, but with regulatory responsibilities, such as GDPR, there needs to be a guarantee that not businesses are not being exposed to reputational, legal, or financial risk.
>See also: Practical steps to deal with the GDPR
Many organisations have revealed that they’re compromising their ability to move fast with their security responsibilities. Based on a Gartner report, 81% of IT operations professionals say they believe information security policies slow them down.
Doing the DevOps yourself makes software deployment faster, and this is better at shipping the things customers want. The problem with moving quickly is that there is a potential to ship insecure system changes, or code vulnerabilities, more rapidly too.
Lots organisations running scans on production systems only – it’s already too late at this point. Others have quarterly audit cycles – what happens in between audits? Does configuration drift, are there unknown risks? How about the cost of meeting the audit requirements?
According to a recent Chef survey of IT practitioners and decision-makers, 22% of respondents test compliance inconsistently and 23% don’t test at all. When GDPR becomes enforceable in May of 2018, this lack of visibility may become very costly. Many organisations are faced with an unpleasant choice: slow down and become less responsive to customers, or risk steep GDPR penalties.
Applying continuous automation to address GDPR
Continuous automation is the foundation of a high velocity, software-focused organisation. When treating compliance this way, businesses get out of reactive mode and make applications continuously compliant by applying the DevOps principle – everything as code – to the GDPR controls supporting the privacy by design mandate. We do this at the start of the project, not as an afterthought.
By doing this, businesses can put their code based compliance controls through the normal development workflow: test them, version them, apply them at scale and easily modify them.
Most importantly it makes the controls incredibly easy to collaborate on by treating them as any other code asset in your software development process. Running compliance scans becomes as common as running unit tests.
Compliance becomes part of the development stage, testing environments and production systems. Chef can execute scans every time they make a change, on a regular schedule or as a triggered event.
Anyone in the IT department, or the business as a whole, can access real time compliance data on demand and use this information to correct any issues that need to be remediated.
The average idle time before identifying a system breach is thought to be 200 days. In a GDPR audit this could cost your business 4% of its global turnover. Imagine if you could identify this on an engineering team’s development workstation before it gets anywhere near a production like system. How would this ability change your business?
Detect, correct and automate compliance
Continuous automation provides an inherent solution for complying with the GDPR privacy by design mandate. Chef helps customers on a journey to continuous automation that starts by detecting issues that could impact GDPR compliance, moves on to correcting those issues and proving compliance, then puts in place automation to make applications continuously compliant.
Its continuous automation platform, Chef Automate, is designed to help organisations achieve success on that journey while reducing risk, improving efficiency, and increasing speed at each step.
>See also: GDPR: What do you need to know?
It’s important that, as GDPR looms on the horizon, businesses make the necessary changes to ensure they’re meeting the standard, but this is not easy.
The introduction of GDPR is an opportunity to rethink how businesses handle their overall compliance responsibilities, and how evolving our InfoSec operations can be part of a larger digital transformation. As a first step, get visibility across your fleet to detect existing compliance risks and prioritise subsequent actions.
Sourced by Joe Gardiner, senior solutions architect at Chef
The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here