Data breaches and related identity theft have reached epidemic proportion. According to a recent global survey by KPMG International, for example, more than half (55%) of consumers said they had abandoned online purchases due to privacy concerns. The survey also found that less than 10% of respondents currently felt they had control over the way organizations handle and use their personal data.
This sort of trend is bad news for a world moving towards the adoption of a digital economy. Online shopping, instant access to financial information, and the ability to electronically access and secure services are changing people’s lives and the way that organizations conduct business. This is not the time for a drop in consumer confidence.
The General Data Protection Regulation (GDPR) is the European Union’s response to the risks associated with the increased role that technology now plays in everyday life. GDPR was ratified by member states in April 2016, and goes into effect on May 25, 2018. Although it is an EU regulation, it also applies to any organization –regardless of their physical location – if they collect the personal data of EU residents.
The objective of the new regulation is to ensure that adequate protection is incorporated into the process of collecting personal data “by default and by design.” It requires organizations to collect only the minimum amount of data needed for a specific purpose, and to then completely remove it when it is no longer needed. The regulation also defines individuals as the sole owners of their personal data, and not institutions or corporations. As the owner, these individuals must be able to withdraw their consent to the collection of the data as easily as it was to give permission.
The trick for many organizations will be that the GDPR gives individuals the “Right To Be Forgotten” (RTBF), which means that when they discontinue their relationship with an organization they can take their personal data with them and all personally identifiable information (PII) must be removed. This includes any data that could potentially identify a specific individual, that can be used to distinguish one person from another, or that can be used for de-anonymizing anonymous data.
In the case of a data breach, GDPR also sets out the conditions of when notification must be made, and establishes out two levels of penalties depending upon the severity of the breach. Minor violations call for penalties of up to 2% of worldwide turnover or 10M Euros, whichever is greater, and major violations call for penalties of up to 4% of worldwide turnover or 20M Euros, whichever is greater.
Due to the rapid change in technology, GDPR also places the burden of “continuous risk assessment” on the institution controlling the data, and requires that any outside organization processing data also be GDPR-compliant. As a result, both the effort of achieving compliance, and the risks associated with failure to comply, will increase dramatically with GDPR. In fact, it is estimated that over 50% of organizations will not be in compliance when GDPR goes into effect.
GDPR applies to any organization, in any country, that collects, stores, or processes the personal data of EU residents. This includes data from employees, business partners, prospects, and customers. In regulation terminology, such organizations are defined as ‘controllers’, meaning those who determine how and why the personal data is processed, or ‘processors’ who act on the controller’s behalf. Both have increased obligations under GDPR, and both could face penalties for failure to comply or in the event of a breach.
The implications go far beyond a regional regulation that simply impacts EU companies or organizations that touch EU personal data. Instead, this is likely to will lead to a broader expectation by people everywhere that the level of protection and visibility required by GDPR should become the “new normal,” meaning customers will expect that if companies are able to offer that level of visibility and control of PII for EU consumers, why can’t they just extend it to the rest of world? This has tremendous implications for where the bar is set on “how secure is your data,” and will fuel the appetite of customers for solutions that will help them get from where they are today to where they want to be in terms of security and control of their personal information.
For most organizations, especially international enterprises, complying with GDPR will be a lengthy and significant challenge. In addition to the impact on information and security technologies, GDPR compliance will require changes to some core business processes, including data processing workflows, organizational structures, and even core business policies. And unlike similar regulations, today’s rapidly evolving digital business model means compliance will require the ongoing assessment of the risks associated with the adoption of new technologies.
This process is going to require taking a fresh look at existing security solutions and strategies. Network security will not only need to actively prevent intrusions originating from anywhere across the distributed and elastic network ecosystems. It will also need to minimize the risk of serious breaches by reducing the time taken to detect and respond to new threats. To achieve this requires a broad, powerful, and automated approach to security.
The Fortinet Security Fabric allows organizations to harness the collective power and intelligence of Fortinet’s portfolio of security solutions to collect and correlate threat intelligence, actively detect and isolate threats, and automate a coordinated response across the entire network.
Such an approach allows organizations to extend visibility deep into their infrastructure, and more importantly, into their data, so they know where it is, who and what have access to it. It also allows them to demonstrate compliance with regards to protected privacy and verification of its secure storage, use, and removal.
Fortinet’s security solutions are designed to be both scalable and interconnected. They combine high awareness, actionable threat intelligence, unified management and orchestration, and a combination of common operating systems and open API standards to work as an integrated whole, providing seamless protection across even the most demanding enterprise environments. And for additional piece of mind, each component of the Fortinet Security Fabric has also independently earned the highest third-party certifications for security effectiveness and performance.
Another advantage to an integrated security strategy is the reduction of complexity, which can significantly impair your assurance of compliance. With a security fabric strategy you can tangibly simplify your infrastructure, while at the same time taking a step beyond the capabilities of a discrete NGFW to a complete and interactive security framework that acts as an integrated whole. This approach extends visibility across the entire networked ecosystem, and reduces the time-to-detect for threats and vulnerabilities. This sort of next-level, holistic security infrastructure is essential for organizations hoping to meet GDPR requirements long-term. Without it, it’s just a matter of when, not if, they will be found out of compliance and have to pay.
This byline originally appeared in CSO.com.