Preparing for the GDPR: What Security Needs to Know Now
The famous countdown clock in Times Square has just ushered in 2018, but there’s another clock that’s ticking – the one that marks the coming of the European Union’s General Data Protection Regulation (GDPR). This new set of stringent rules governing data protection massively impacts organizations around the world.
However, despite a two-year ramp-up time, a recent IDC survey of small and mid-sized European companies found that 22 percent of respondents didn’t even know what GDPR was. Of the companies that were aware of it, one in five had not begun preparing for it. And the Compliance, Governance and Oversight Council reported that only six percent of 132 compliance officer respondents worldwide feel their organizations are currently GDPR compliant.
Below is an overview of the regulation, along with what companies can do to make sure they are prepared for the May 25 effective date.
What the GDPR Requires
The GDPR’s official site calls it “the most important change in data privacy regulation in 20 years.” The goal of the GDPR is to unify data security, retention and governance legislation across EU member states in order to protect the data of the EU’s population. All companies with more than 250 employees that process the personal data of people residing in the EU, regardless of the company’s location, must comply.
Personal, banking, health and credit card information are examples of the sensitive data for which this regulation requires greater oversight of how it is stored and transferred. Most organizations will also need to appoint a Data Privacy Officer who reports to a regional authority. EU residents gain new rights, including data portability, the right to be forgotten (erasure) and the right to be notified within 72 hours of the discovery of a data breach.
The EU backs the regulation with significant fines for non-compliance. Organizations can be fined up to four percent of annual global revenue or €20 million – whichever is greater. It’s important to understand that these rules apply to both controllers and processors, which means cloud providers will not be exempt.
An unintended consequence of the GDPR is that a hacktivist can add insult to injury: breaching your network and stealing data already carries financial and reputational costs, and the same incident now also exposes you to the additional fines imposed by the new regulation.
Are You Prepared?
To prepare for GDPR, general guidelines include:
- Determine your role and responsibilities as an IT security leader under GDPR;
- Appoint a Data Protection Officer (DPO) to lead the task force to address GDPR compliance challenges;
- Review personal data processing operations and evaluate cross-border data flow compliance;
- Establish and maintain an internal framework for accountability;
- Institute comprehensive central registration and documentation of data processing activities; and
- Get legal advice when implementing processes related to GDPR.
In addition, here are three security-specific tasks to complete.
1. Take cybersecurity seriously and invest in a front-to-back, complete security infrastructure.
- Consider using Endpoint Detection and Response (EDR), an emerging category of tools and solutions that focus on detecting, investigating and mitigating suspicious activity and issues on hosts and endpoints.
- Consider using Network Behavior Anomaly Detection (NBAD) – the real-time monitoring of a network for any unusual activity, trends or events.
- Look at cloud, app and database behavior to detect anomalies that can indicate threats and compromise.
- Reduce the attack surface with patching and configuration control.
- Segment networks and reduce single points of failure.
- Reduce access scope and rights.
- Build resilience so teams and products can recover quickly from incidents.
- Move away from fetishizing “the wall”; the perimeter no longer exists.
2. Educate employees on best practices as they relate to cybersecurity and privacy.
- Understand that hackers are targeting you constantly.
- Make sure your software is up to date.
- Look out for suspicious emails and calls that try to obtain your information (phishing).
- Use caution when clicking links online and in emails.
- Choose strong passwords and password management practices and solutions.
- Keep sensitive data secure and off your laptops and mobile devices.
- Don’t leave your devices unattended.
- Always back up your data in case of a ransomware attack.
- Make sure your antivirus is up to date.
3. Enable the most basic security mechanisms and protocols, such as firewalls and antivirus software, at the user level for every individual with access to the network.
The GDPR is coming, and no one can afford to ignore it. Use the information above to ensure that your organization has the people, technology and processes in place. These steps will help with compliance, but even more importantly, they will create a stronger data defense system from which both your organization and its customers will benefit.