The General Data Protection Regulation (GDPR) is a big topic of discussion at round-tables these days especially as we count down to the deadline of May 25, 2018. In the world of cybersecurity, professionals are restless with drive for the compliance.
The best way to prepare for and deal with the GDPR is to focus on the provisions that apply to your organization and begin action. Remember, only three articles out of ninety-nine are information security-related. The regulation expects a lot of business and culture changes. To dissect the provisions, there is need to carry out data classification and risk assessment identifying the data management gaps that could form infringement to GDPR.
To help create more clarity on the gray areas, here are some things that GDPR is definitively not, along with explanations of what it really is, to help you better prepare yourself and your organization for this wide-reaching new privacy regulation.
Many believe that since the regulation is called the “EU General Data Protection Regulation,” it applies to those operating in EU. Not really. Every organization that processes, stores, or handles the data of EU residents whether in or outside EU will be impacted and must prepare to comply including many companies in Africa, US, Middle Eastern and beyond.
The GDPR is a regulation not a directive or a friendly suggestion. It is legislatively binding and enforceable. The exact implementation and enforcement will vary from country to country, but GDPR is very much a set of laws and not an optional directive.
If you process or store the data of EU residents, not following GDPR is a significant risk to take on. The sanction is something not anyone should mess around. Any breach can attract fines as high as 4% of annual revenue or up to €20 million or whichever is higher.
It has been noted that 80% of businesses admit that they are not ready for GDPR. Moreover, 22% are not even aware of the regulation, while 52% say they know about it, but the impact to them is not clear yet. Of those who are aware, 20% admit to being completely unprepared; 59% are at least somewhat unprepared. The most alarming is that Gartner recently that 40% of organizations will be in violation of GDPR by 2020. Are you one of them? It’s time to get to work. Mitiget can help.
GDPR covers any information related to a real, live human being or a “Data Subject” as referred to by the regulation. It means any information that can be used to identify the person (directly or indirectly) is covered. Your organization must understand its data covered in the regulation, where that data resides, and how you will protect and monitor it. Some of the relevant data types are:
Social media posts
Computer IP addresses
GDPR is not a security legislation, even though it has some provision for security. However, the two keywords to focus on are privacy and control. The intent behind GDPR is less improving security and more guaranteeing stronger rights to data privacy. So while there are many security implications around the regulation and security benefits to adhering to it, it is at its heart designed to guarantee and preserve privacy.
As with many other compliance frameworks, going through a GPDR audit and preparation exercise is not something you can do once and then move on. You need to implement continuous and comprehensive controls that you can verify and tweak at any time. This includes continuous monitoring of user activity to identify and prevent instances of data loss and misuse. GDPR wants organizations to build in privacy by design, and that is an ongoing process that must be budgeted for, with appropriate human resources delegated to the effort on a long-term basis.
One of the most challenging aspects of GDPR is the requirement to respond very quickly in the event of an incident. In case of a breach, you must notify the supervising authority within 72 hours and affected data subjects “without undue delay.” In practice, this means, if you haven’t already, you need to implement a highly sophisticated detection, alerting, and response process for any of your systems that store or process EU resident data. It also means maintaining clear and detailed audit trails that can help you demonstrate what happened, why, and how—and enable you to put together a plan to avoid similar incidents in the future.
While GDPR obviously has a big impact on technological systems and may require heavy investment in software and technology at your organization, it is not a systems problem alone. GDPR asks organizations to conduct effective awareness for staff involved in processing operations and auditing, to ensure that your people understand what it takes to protect customers’ privacy and are able to take corrective action in the event of an incident.
Ready or Not, Here GDPR Comes!
To meet GDPR, Mitiget helps organizations achieve data privacy and protection by design and by default. We empower teams with:
Visibility into what users are doing and how they are handling personal data;
The ability to anonymize all user data;
Detection of data exfiltration, loss, and misuse;
Investigational tools to help you notify authorities quickly about any data breaches, with full context at-hand.