The European Union's General Data Protection Regulation (GDPR) is scheduled to apply from 25 May 2018. While it is a regional regulation, today's interconnected economies give it global reach. GDPR establishes the rights of individuals in the EU to control their personal data and imposes new responsibilities on organizations that collect or process that data.
New protections for personal data include a requirement that, where consent is the legal basis for processing, that consent be explicit and freely given, as well as the right to erasure (the "right to be forgotten"), which enables individuals to demand that an organization delete the personal data it holds about them. In addition, organizations must notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, and must inform the affected individuals without undue delay when the breach is likely to put their rights and freedoms at high risk.
The EU intends to enforce GDPR through a series of stiff fines, sanctions, and compensation for injured parties. Administrative fines come in two tiers: up to 10 million euro or 2% of an organization's worldwide annual turnover for the lower tier of infringements, and up to 20 million euro or 4% of worldwide annual turnover for the upper tier, in each case whichever is higher. These rules are not just for EU-based organizations. They apply to any organization, regardless of size or industry, that offers goods or services to individuals in the EU or monitors their behaviour, even if it has no establishment in the EU.
These new regulations are in line with the EU's traditional practice of using high-profile cases and fines to get the attention of the marketplace. Traditionally, Europe and the U.S. have approached regulatory compliance differently; the EU regulates, while the U.S. litigates. Of course, GDPR is about much more than the penalties. This is also about protecting individuals, while ensuring that companies remain viable in today's new digital economy.
We are in the midst of one of the most far-reaching evolutions in the history of the global economy, and it is primarily being driven by digital transformation. But cybersecurity needs to be much more than a defensive mechanism. It needs to be an enabler of digital transformation. To achieve this, organizations need to build a comprehensive cybersecurity architecture that protects them and their customers regardless of where they conduct business, allowing them to securely expand wherever and whenever they need to. This requires a security framework that can see and share threat intelligence, adapt to network changes, and respond automatically regardless of where a breach occurs.
Unfortunately, because most organizations do not have such a system in place, a significant number are not going to be ready to meet these new requirements. For example, a recent survey found that 61% of U.S. businesses have not even begun to prepare for GDPR, and that 50% will not be able to comply with GDPR when it goes live.
Part of the problem is that most cybersecurity solutions were never designed for the sophisticated threat landscape they now need to defend against. As a result, weeks or months regularly elapse between an initial compromise and its detection. Because so much time passes, it can take further weeks to accurately assess the breadth and scope of a successful compromise that has infiltrated deep into a complex and highly distributed network environment. A further obstacle to compliance is that, because most cybersecurity solutions were never designed to gather, share, or correlate data, most forensic analysis is still done by hand. Changing this is going to require rethinking and retooling your cybersecurity infrastructure.
The other reality is that, given the sophistication and velocity of today's attacks, breaches are going to happen regardless of the countermeasures organizations take. GDPR requires a breach to be reported to the supervisory authority within 72 hours of the organization becoming aware of it, so the clock starts at discovery, and the longer a compromise goes unnoticed the greater its impact. This means that organizations need solutions that move beyond the perimeter and deep into the core of the network, allowing them to uncover breaches as close to the time of infiltration as possible, minimizing both the impact of an attack and any potential penalties for failing to detect and report it. It also means organizations need technologies and policies in place that let them contain breaches quickly when they occur, such as backup and recovery strategies and dynamic network segmentation for rapid detection and remediation.
Rather than seeing these new regulations as challenges or barriers, organizations would be better off viewing them as an opportunity to achieve competitive differentiation and to build digital trust in their brands. Consumer confidence is already shaped by the perceived risk of transacting with online businesses and by whether personal data is at risk of being compromised or stolen. Meeting or exceeding regulatory requirements will go a long way towards assuaging those concerns.
The question is - where to begin? A security and data privacy assessment is a good starting point. This starts by understanding your business and brand; what you do, what your short and long-term goals are, and why customers, partners, and employees trust you. Next, you should identify and examine all of the elements of your business that are at risk. Finally, you should implement a risk management strategy designed to protect, detect, report, and respond regardless of where in your distributed network a security event takes place.
To that end, here are six things every organization needs to consider as they prepare to meet the new requirements of GDPR.