If you answered “no”, you're not alone.
The European Union's General Data Protection Regulation (GDPR) comes into force on 25 May 2018. GDPR requires organisations to put in place an appropriate governance framework when they collect and process personal data, and it gives individuals rights to control how their data is used.
To put it simply, the new regulation is the biggest change to data protection law in 20 years. Practically every aspect of the old legislation has been overhauled and modernised. At its heart is the idea that privacy is a fundamental right. To meet that principle, organisations, big and small, must radically change the way they manage their own data and their customers' data.
The penalties are tiered. Failing to adopt appropriate security measures (Article 32) or to notify the supervisory authority of a reportable breach within 72 hours of becoming aware of it (Article 33) can result in fines of up to €10 million or two percent of global annual turnover, whichever is greater; infringements of the core data-protection principles and of data subjects' rights attract the top tier of €20 million or four percent. Where a fine falls within that range will depend on the nature of the breach and its impact on the privacy of the affected data subjects.
To complicate matters, organisations face an attack surface that is growing steadily, as a recent ENISA threat report notes. The spread of BYOD and home-working schemes means employees carry corporate data on devices that travel everywhere, so the security perimeter no longer coincides with the organisation's physical borders, and every one of those devices is a target for cyber-criminals. So how can you be confident that your organisation is building the right framework to safeguard against a security breach in a post-GDPR world?
Organisations should consider the following to strengthen data governance and be GDPR compliant in 2018 and beyond:
1. Update your governance framework, with board awareness, management statement, risk register and accountability.
2. Understand EU-GDPR and how to comply: launch a data inventory to understand where your data resides, how it flows across your organisation, how to protect it and who the processors of it are.
3. Appoint and train a Data Protection Officer (DPO): the DPO will work with the CISO and IT to monitor and control how data moves and is used. Where data is sprawled across an organisation with no central control, this will be no easy task.
4. Launch a technical and compliance gap analysis: run a cyber-threat assessment to establish your real exposure, strengthen protection where it is weakest to limit the potential damage, and define in advance what must be reported, and to whom, when an incident occurs.
5. Remediate, strengthen weak links in the data chain and monitor: back your network security with enforced policies, an automated security architecture and threat-detection services, so that risk can be detected and mitigated at every point in the supply chain where access to data is needed. Working with a Managed Security Service Provider (MSSP) or a Security Operations Centre service provider is an option worth considering if you are constrained by budget and by the shortage of skilled security professionals; it is not a substitute for owning the risk yourself.
6. Implement a data-breach response process: this is the key process to agree between your business and your MSSP, so that any reportable breach reaches the supervisory authority within the 72-hour timeframe.
7. Implement a recognised security management framework, such as ISO 27001 (an information security management standard) or the UK's Cyber Essentials scheme, across your business, and bring the systems identified in your data-flow audit within its scope.
8. Audit and continually improve: run vulnerability scans and penetration tests on a regular basis to confirm that your estate is maintained and up to date (patch management), and repeat risk assessments across your defined scope at regular intervals.
Contributed by Jean-Frédéric Karcher, head of security, Maintel
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.