Two years from today - on 25 May 2018 - the General Data Protection Regulation (GDPR) grace period is set to end and the law will become effective.
It will bring in sweeping changes and place new obligations on any business that handles the data of EU citizens, regardless of where the business is located. Businesses therefore need to prepare for the existing, outdated data protection laws to be repealed and replaced by the GDPR across all 28 member states.
On the topic of readiness, the research paints a somewhat disheartening picture.
A recent survey by security bods Trend Micro showed that a fifth (20 percent) of UK IT decision makers are still unaware of its existence. Of those that were aware, almost a third (29 percent) didn't think the regulation would apply to their organisation, or were unsure.
And these findings are in no way unique. Research by TRUSTe from early this year showed that 40 percent of respondents in France were not aware of the huge penalties brought in by the GDPR, and in research conducted by the Blancco Technology Group, only 23 percent of respondents said they were prepared for the GDPR.
Michael Hack, SVP of EMEA operations at Ipswitch, told SC, "Our survey of more than 300 IT professionals from the UK, France and Germany found that just 12 percent said they are prepared for the GDPR. In the UK, that picture is even starker: only 5 percent of IT professionals say they are ready. 68 percent said that it would require investment in new technologies. However, whilst the financial burden of compliance will be a significant one for UK business, it looks like the burden of non-compliance will be a whole lot harder to swallow."
Richard Lack, director of EMEA sales at Gigya, said, “With this in mind, it's important that businesses of all sizes understand the cost of non-compliance, as well as the price of manually managing policies in-house. For example, a recent Data Protection Compliance Report by IT Governance shows that monetary penalties were more severely enforced for online breaches and cyber-attacks, costing companies an average of £52,308 per incident.”
But all of that will be moot if the UK votes for Brexit, right? Javvad Malik, security advocate at AlienVault, told SCMagazineUK.com that's not correct. “Regardless of whether Britain chooses to stay within the EU or not, the implications will remain more or less the same, as law firm Allen & Overy explains in this research,” he said.
In search of compliance
So what are some real-world steps an organisation can take to become GDPR compliant? The experts SC spoke to agreed that the first step is to take a good look at all the data that flows in and out of the company: how long it is stored, for what purpose, and who is looking at it.
Yves Le Roux, CISSP and co-chair of the (ISC)² EMEA Advisory Council, told SC, “An effective Data Privacy Management strategy should not just take into account the need to comply with the legislation, but also the most cost-effective way of doing so. This should include working with the board to compare the cost of a fine for a particular data breach with the cost of buying new technology to comply with the law.”
Le Roux currently leads the (ISC)² Policy Group, a volunteer-led effort currently assessing readiness for GDPR as well as the EU's Network Information Security (NIS) Directive. “To guarantee transparency, it is vital that any data privacy management strategy is subject to independent review; the person responsible for creating the strategy (the Data Privacy Officer) must be independent from the person implementing it (typically the CISO). A data-privacy management plan should include preparations for a worst-case scenario, including a plan for how to inform customers in the event of a data breach and how to minimise reputational damage,” Le Roux said.
Eduard Meelhuysen, VP EMEA at Netskope, suggested that, “organisations should take a hard look at how their data are shared and stored, focusing in particular on any cloud apps in use across the organisation. The GDPR makes specific provisions for unstructured data of the type created by many cloud apps, data which are typically harder to manage and control. That means organisations need to manage employees' interactions with the cloud carefully as a key tenet of GDPR compliance.”
David Mount, director of security solutions consulting EMEA at Micro Focus, said: "Businesses should limit access to data to only those who need it and ensure good data hygiene by keeping authentication practices up to date. Historic data could pose an unnecessary risk, so it may also be worth deleting this to lower the potential impact of any security breaches."
Andy Green, senior technical specialist at Varonis, said: "Overall, the best first step in meeting PbD [Privacy by Design] is to know your data – all your data, including unstructured content – and analyse who's accessing it, how old it is, where it's located, and what's in it. So when a request comes from consumers who exercise their GDPR right to revoke access or erase their personal data, the companies can meet the request.”
David Moseley, global solutions lead for information governance at Veritas, said: "The first step towards compliance for businesses is visibility and insight. That means understanding all the personal data a company holds and making an inventory of all processing activities, including storage. Given that 13 percent of all businesses don't ever analyse the value of their data, this might be a time-consuming task, but this can be eased by selecting the right tools and establishing robust procedures early. Checks and balances to prove the effectiveness of these tools and procedures will need to be put in place to ensure that organisations have the ability to provide total visibility of all personal data stored.
"The next step is then to work out if that data is really needed, and to delete what cannot be lawfully retained. With only 15 percent of the data businesses store being recognised as business critical, there's also an opportunity here to offload redundant, obsolete and trivial (ROT) data, which is expensive to store and mine. Finally, companies will have to establish methods to ensure that going forward, dark data hoards do not reappear and that all personal data is managed in accordance with the GDPR and future legislation.”
Neil Thacker, deputy CISO at Forcepoint, said: "The first task in the path to ensuring the security of personal data is to identify whether organisations are considered a data controller or processor. They must then review the relevant obligations these carry, such as issuing notice to citizens and maintaining relevant consent from the data subject. It must become common practice to regularly review existing and new business processes to identify Personal Identifiable Information (PII). Then businesses can discover where this data resides – whether it is at-rest, in-motion and/or in-use – have a record of processing activities and understand how this data is protected."
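The advice from Green, Moseley and Thacker above comes down to the same exercise: find where personal data sits, record who owns it and how old it is, and flag what can no longer be justified. The following is an added example (not code from the article or from any of the vendors quoted) of the simplest form of that discovery step. It works over a constructed, in-memory list of file records rather than a real filesystem or cloud crawl; the paths, owners, dates and contents are all made up, and the regular expressions are illustrative detectors for a few common PII forms, not a complete classifier.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records. In a real deployment these rows would come from a
# filesystem, SharePoint or cloud-storage crawl; everything here is invented.
SAMPLE_FILES = [
    {"path": "/shared/hr/2012_applicants.csv", "owner": "hr-team",
     "modified": "2012-03-01",
     "content": "Jane Doe,jane.doe@example.com,+44 7700 900123"},
    {"path": "/shared/marketing/newsletter_draft.txt", "owner": "marketing",
     "modified": "2016-01-10",
     "content": "Spring offers go live next week."},
    {"path": "/shared/finance/export.json", "owner": "finance",
     "modified": "2015-11-20",
     "content": '{"customer": "bob@example.org", "card": "4111 1111 1111 1111"}'},
]

# Illustrative detectors for a handful of PII types (an assumption of this
# example; a production scanner would carry many more, tuned per jurisdiction).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "uk_phone": re.compile(r"\+44\s?\d{4}\s?\d{6}"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(content: str) -> list[str]:
    """Return the PII types found in a piece of text, in detector order."""
    found = []
    for name, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(content):
            if name == "card_number":
                digits = re.sub(r"\D", "", match.group())
                if not luhn_ok(digits):
                    continue  # a digit run that is not a plausible card number
            found.append(name)
            break  # one hit per type is enough for the register
    return found


@dataclass
class InventoryRow:
    path: str
    owner: str
    age_days: int
    pii_types: list[str]


def build_inventory(files, as_of: datetime) -> list[InventoryRow]:
    """Build the register of files holding personal data: where, who, how old, what."""
    rows = []
    for f in files:
        pii = classify(f["content"])
        if not pii:
            continue  # files without personal data stay out of the register
        modified = datetime.strptime(f["modified"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        rows.append(InventoryRow(f["path"], f["owner"], (as_of - modified).days, pii))
    return rows


def stale(rows: list[InventoryRow], max_age_days: int) -> list[InventoryRow]:
    """Personal data older than the retention limit, i.e. candidates for deletion."""
    return [r for r in rows if r.age_days > max_age_days]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    register = build_inventory(SAMPLE_FILES, now)
    for row in register:
        print(f"{row.path:45} owner={row.owner:10} age={row.age_days:5}d pii={row.pii_types}")
    for row in stale(register, 3 * 365):
        print("review for deletion:", row.path)
```

The register produced here is the "record of processing activities" in embryo: each row says where personal data lives, which team owns it, how long it has sat untouched and what kind of data it is. Feeding `stale()` a retention limit turns the same table into the deletion list Moseley describes, and the Luhn check shows the sort of validation needed so that the register is not swamped by invoice numbers and timestamps.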
Rick Powles, VP EMEA at DruvaFirst, said: “[You must ensure] that all customer data sets are secured and encrypted, as well as tracking who is allowed to use or create new copies of customer data records. Data on company IT assets should be collected and copied to provide a backup. Making use of public Cloud services can help reduce unnecessary redundancy and use of multiple services, ensuring that the cost of protecting data for DR and compliance is reduced over time. Following this, get control over all your data. GDPR will mean that companies will have to make any stored information available to customers or users in a format that is clear and understandable. If a customer wants to move to another company, then the data around them should be in a portable format too."