The European General Data Protection Regulation (GDPR) applies from 25 May 2018, and it will have a huge impact on the way businesses collect and store personal data belonging to people located in the European Union (EU). The regulation applies to any organisation that processes the personal data of people in the EU, whether or not the organisation itself is established there.
Before the GDPR, the EU relied on the 1995 Data Protection Directive. A directive has to be transposed into each country's national law, so it proved hard to enforce consistently, and compliance levels varied across the EU. While countries like Germany and the Netherlands employed rigorous controls, there were some countries with virtually no controls whatsoever. The GDPR tackles this by applying directly in every Member State, so the same rules protect personal data everywhere in the EU.
The new GDPR rules are in the form of a regulation, imposing data protection standards that should, in theory, be the same in all 28 EU Member States. Any organisation that falls foul of the regulation faces fines of up to four percent of its global annual turnover or €20 million (£17 million), whichever is higher. Fines of this magnitude could essentially put companies out of business. It is, therefore, critical that organisations start getting their house in order now. However, this is not a simple process, and many organisations will have to deploy technology solutions to help them become compliant with the regulation.
To help organisations understand how the requirements of GDPR affect them, here are five important questions which IT teams should be asking their CISOs to help get their house in order:
Do we have a good understanding of the data we hold and where it resides?
One of the first things IT teams need to do is a data assessment: locate the personal data the organisation holds, record where it resides, and document how it is collected and for what purpose. The GDPR (Article 30) requires controllers and processors to keep records of their processing activities, so this inventory must be kept up to date and ready for a regulator's inspection or a compliance audit.
However, one of the key challenges is finding that data. In a large organisation, personal data ends up in far more places than the systems of record: exports, test databases, analytics copies and spreadsheets. Locating it takes more than a call to the IT department. This is one of the major challenges of the GDPR and an issue which all businesses must address.
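As an added illustration (not Imperva's code, and not part of the original article) of what a first pass at that inventory can look like, the script below scans a few constructed datasets for columns that appear to hold personal data, using value patterns (email, phone, IBAN, date of birth) plus column-name hints for data such as names and addresses that has no reliable pattern. The pattern set, the hint words and the 50 percent match threshold are assumptions chosen for the example; a real scan would run against database schemas, file shares and backups, and would tune both.

```python
"""PII discovery over structured datasets, to build the data inventory the text
describes. Added illustration, not Imperva's code. Sample data is constructed."""
import re
from collections import defaultdict

# Value patterns for a few common personal-data categories (illustrative, not exhaustive).
PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "phone": re.compile(r"^\+?\d[\d\s()-]{7,}\d$"),
    "iban": re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"),
    "date_of_birth": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}
# Column-name hints: some personal data (names, addresses) has no reliable value pattern.
NAME_HINTS = {
    "name": ("name", "surname"),
    "address": ("address", "street", "postcode"),
    "date_of_birth": ("dob", "birth"),
}


def classify_value(value):
    """Return the set of categories whose pattern matches one cell value."""
    text = str(value).strip()
    return {cat for cat, rx in PATTERNS.items() if rx.match(text)}


def classify_column(name, values, threshold=0.5):
    """A category applies to a column if its name hints at it, or if at least
    `threshold` of the non-empty values match the category's pattern."""
    cats = set()
    lname = name.lower()
    for cat, hints in NAME_HINTS.items():
        if any(h in lname for h in hints):
            cats.add(cat)
    nonempty = [v for v in values if v not in (None, "")]
    if nonempty:
        hits = defaultdict(int)
        for v in nonempty:
            for cat in classify_value(v):
                hits[cat] += 1
        cats |= {cat for cat, n in hits.items() if n / len(nonempty) >= threshold}
    return cats


def scan(datasets):
    """datasets: {source_name: [row dicts]}. Returns {source: {column: [categories]}}
    listing only the sources and columns that appear to hold personal data."""
    inventory = {}
    for source, rows in datasets.items():
        found = {}
        for col in (rows[0].keys() if rows else []):
            cats = classify_column(col, [r.get(col) for r in rows])
            if cats:
                found[col] = sorted(cats)
        if found:
            inventory[source] = found
    return inventory


# Constructed sample: three "sources" as an IT team might export them for review.
SAMPLE = {
    "crm.customers": [
        {"id": 1, "full_name": "Ana Costa", "email": "ana@example.org",
         "phone": "+44 20 7946 0123", "plan": "gold"},
        {"id": 2, "full_name": "Bo Lind", "email": "bo@example.net",
         "phone": "+31 20 123 4567", "plan": "basic"},
    ],
    "finance.payouts": [
        {"payout_id": "p-1", "iban": "GB29NWBK60161331926819", "amount": 120.0},
        {"payout_id": "p-2", "iban": "DE89370400440532013000", "amount": 75.5},
    ],
    "ops.server_metrics": [
        {"host": "web-01", "cpu": 0.41, "mem": 0.70},
    ],
}

if __name__ == "__main__":
    for source, cols in scan(SAMPLE).items():
        print(source, cols)
```

Running it lists crm.customers (name, email and phone columns) and finance.payouts (the IBAN column) and leaves ops.server_metrics out, which is the point: the inventory should record where personal data actually is, not every system the organisation owns.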
Who has access rights to the private data and who does access it and why?
One of the clear requirements of GDPR is being able to limit who has access to certain information and making sure that access is authorised and reflects any changes within the business. It's important to analyse policies on data handling, including test data usage, data retention, and data destruction.
It is also very important that businesses understand why someone is accessing personal data. Just because they have a certain position in a company does not automatically give them the right to access all data sources.
How do we monitor who accesses the data, and could we detect and investigate a breach?
One of the biggest requirements of the GDPR is breach notification. Under Article 33, a controller that becomes aware of a personal data breach must notify the competent supervisory authority (the Data Protection Authority, DPA) without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to the people affected, Article 34 requires them to be informed as well. The notification must describe the nature of the breach, including the categories and approximate number of data subjects and records concerned, its likely consequences, and the measures taken in response. In practice this means the business needs to be able to establish who accessed the data, what they did with it and when they did it. This is an area where it is important to have strong audit logging and monitoring in place, so the business can reconstruct the facts within the 72 hour window rather than spend it searching for logs.
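The following is an added example, not code from Imperva or the original article, of the kind of query an incident responder needs to be able to run against database audit logs to answer those questions. It parses a constructed log format (one space-separated key=value event per line; the format, the row-count and business-hours thresholds, and the sample lines are all assumptions for the example), summarises who touched which table and how many rows, flags bulk or off-hours reads, and assembles the facts Article 33 asks for along with the 72-hour deadline counted from the moment the organisation became aware of the breach.

```python
"""Answer "who accessed which data, when, and how much" from database audit logs,
and assemble the facts a 72-hour breach notification needs. Added illustration,
not Imperva's code; the log line format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed audit log format: one event per line, space-separated key=value fields.
LINE_RX = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) table=(?P<table>\S+) "
    r"op=(?P<op>\S+) rows=(?P<rows>\d+) client=(?P<client>\S+)$"
)


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RX.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["rows"] = int(e["rows"])
        events.append(e)
    return events


def access_summary(events):
    """Per (user, db.table): operation counts, total rows touched, first and last access."""
    summary = {}
    for e in events:
        key = (e["user"], f'{e["db"]}.{e["table"]}')
        s = summary.setdefault(key, {"ops": defaultdict(int), "rows": 0,
                                     "first": e["ts"], "last": e["ts"]})
        s["ops"][e["op"]] += 1
        s["rows"] += e["rows"]
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    return summary


def suspicious_reads(events, row_threshold=1000, business_hours=(8, 18)):
    """Flag SELECTs that read more than row_threshold rows or run outside
    business hours (UTC); both thresholds are assumptions to tune per system."""
    flagged = []
    for e in events:
        if e["op"] != "SELECT":
            continue
        bulk = e["rows"] > row_threshold
        off_hours = not (business_hours[0] <= e["ts"].hour < business_hours[1])
        if bulk or off_hours:
            reasons = [r for r, hit in (("bulk", bulk), ("off_hours", off_hours)) if hit]
            flagged.append({**e, "reasons": reasons})
    return flagged


def breach_report(events, suspect_user, start, end, aware_at):
    """Collect what Article 33 asks for: which tables, roughly how many records,
    from where and when, plus the 72-hour deadline counted from awareness."""
    window = [e for e in events if e["user"] == suspect_user and start <= e["ts"] <= end]
    tables = defaultdict(int)
    for e in window:
        tables[f'{e["db"]}.{e["table"]}'] += e["rows"]
    return {
        "user": suspect_user,
        "tables": dict(tables),
        "approx_records": sum(tables.values()),
        "clients": sorted({e["client"] for e in window}),
        "first_event": min((e["ts"] for e in window), default=None),
        "last_event": max((e["ts"] for e in window), default=None),
        "notify_by": aware_at + timedelta(hours=72),
    }


# Constructed sample log: normal daytime use, then a service account pulling
# whole tables at 02:00 from an address outside the office range.
SAMPLE_LOG = [
    "2018-05-02T09:12:01Z user=alice db=crm table=customers op=SELECT rows=25 client=10.0.1.5",
    "2018-05-02T09:40:17Z user=alice db=crm table=customers op=UPDATE rows=1 client=10.0.1.5",
    "2018-05-02T14:05:33Z user=bob db=crm table=customers op=SELECT rows=40 client=10.0.1.9",
    "2018-05-03T02:14:08Z user=svc_report db=crm table=customers op=SELECT rows=48000 client=203.0.113.7",
    "2018-05-03T02:16:40Z user=svc_report db=finance table=payouts op=SELECT rows=3200 client=203.0.113.7",
    "this line is corrupt and should be skipped",
]


def example_report():
    """Run the investigation on the sample: the incident is noticed at 08:30 on 3 May."""
    events = parse(SAMPLE_LOG)
    day = datetime(2018, 5, 3, tzinfo=timezone.utc)
    return breach_report(events, "svc_report", day, day + timedelta(days=1),
                         aware_at=day.replace(hour=8, minute=30))


if __name__ == "__main__":
    for e in suspicious_reads(parse(SAMPLE_LOG)):
        print("SUSPICIOUS", e["ts"].isoformat(), e["user"], e["db"], e["table"], e["rows"], e["reasons"])
    print(example_report())
```

Two things worth noting. The report only works if the audit log records row counts and client addresses per statement, which is a configuration decision made long before any incident; and the deadline is measured from awareness, so the time of detection should be recorded as carefully as the events themselves.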
Do we know how we will minimise the volume of personal data used in non-production systems?
The GDPR requires businesses to minimise the personal data they collect and retain, particularly data they don't actually need for day-to-day operations. Full copies of production data in development, test and analytics systems are the common case: they are rarely needed in full and are usually less well protected than the systems they were copied from. If an organisation no longer needs the data for a business or legal purpose, the storage limitation principle means it should be purged in a legally compliant manner; where a realistic dataset is still needed for testing, it should be pseudonymised or masked rather than copied as-is.
Do we know how we could prevent database data from being accessed or transferred outside the country or the EU?
The GDPR restricts transfers of personal data outside the European Union, to third countries or international organisations, so that the level of protection it affords individuals is not undermined. Organisations therefore need a clear understanding of where they transfer data and whether the recipient's jurisdiction is deemed to provide an adequate level of protection, or whether another recognised transfer mechanism, such as standard contractual clauses, is in place. Data monitoring technology has a role here too: watching database activity in real time, such as bulk exports or connections from unexpected locations, so that unauthorised transfers can be detected and blocked, even accidental ones.
Businesses must act now
The GDPR will greatly impact the way businesses collect, store and transfer data, and it is imperative that organisations begin to lay the groundwork now.
Preparation will include carrying out assessments of data, establishing budgets for new technology, and implementing the new processes and solutions that will help businesses become compliant with the regulation.
This may seem like a daunting task for many organisations, however the outcome will ensure a much more secure environment for personal data, which can only be seen as a positive step.
Contributed by Cheryl O'Neill, director, Imperva