GDPR: One Year and Counting

Today marks exactly 12 months until the European General Data Protection Regulation (GDPR) comes into effect. With just a year to go, it’s now imperative that companies of all sizes are fully focused on getting their houses in order to meet the strictest set of data protection rules that have ever been passed into law.

From May 25 2018, regulators will have the power to levy punitive fines as high as €20m (or 4% of global turnover, whichever is greater) on organizations that fail to adhere to a series of requirements when it comes to securing the data of EU citizens, including:

• All breaches must be reported to regulators within 72 hours of the organization becoming aware of them
• The regulator must also be informed of the “effective, proportionate and dissuasive” measures taken or proposed to address the breach and/or mitigate its effects
• If the breach is sufficiently serious to warrant notification to affected customers, the organization responsible must do so without undue delay

In fact, new data from data specialist Alchemetrics revealed that ICO fines could increase by a staggering 4500% as a direct result of GDPR.

Feeling the Pressure
Companies across the globe are clearly feeling the heat of the impending regulations; research of 900 organizations from Veritas found that almost half (47%) of businesses fear they won’t meet the requirements for GDPR, with 32% doubting their firm had the right technology to cope and 18% worried that non-compliance could ultimately put their organization out of business.

What’s more, only 52% of 500 IT leaders in global organizations surveyed by WinMagic were completely confident that they can report data breaches within 72 hours of discovery to the authorities, whilst less than half (46%) were completely confident that they could precisely identify the data that had been exposed in a breach.

“With the EU’s General Data Protection Regulations (GDPR) a year away, firms around the world are deeply concerned about the impact that non-compliance will have on their bottom line,” said Mike Palmer, executive vice-president and chief product officer, Veritas.

“As we count down to enforcement, it’s imperative that immediate steps are taken to achieve compliance.”

However, as Mark Hickman, COO at WinMagic, explained, compliance is not just a matter of avoiding fines; consumers care deeply about the abuse and loss of their data, and damage to a company’s reputation can be more costly than financial punishments.

“The reputational damage from non-compliance can far outweigh the €20m or 4% of global revenue fine that a company could receive,” he argued. “There is still time to get the technology and processes in place, but complacency is not an option.”


Time for Action
So, as companies attempt to put concerns aside and look to tackle GDPR compliance head on over the next 12 months, what steps do organizations need to be taking to get themselves in the best position?

According to Robert Coleman, CTO UK&I at CA Technologies, the first step to getting ready in time is debunking the myth that this is an IT problem and creating a cross-functional program of work containing representatives from Legal, IT, HR and Business Units.

“The GDPR introduces a move toward privacy by design, meaning organizations will have to build safeguards into processes, such as testing and development, from beginning to end,” he added. “Over the next 12 months, organizations must become accountable for the Personally Identifiable Information (PII) they hold. They need to know where it resides, how they can secure it (at rest and in-flight) and, if they have a breach, how will they know about it?”

Sharing a similar view, Ross Brewer, vice-president and managing director at LogRhythm, said that monitoring, detection and response will become a far more fundamental component of a company’s cybersecurity strategy.

“Businesses will require a more coordinated and efficient approach to threat detection that goes far beyond simply deploying firewalls or anti-virus. Having an end-to-end threat lifecycle management process that gives businesses the insight and full facts of a compromise from the offset will be vital, and businesses need to make sure they are adapting their strategies now so that they are fully prepared this time next year.”


Love it or hate it, GDPR is the EU’s attempt to put consumers back in control of their online data and compel businesses to keep that data safe from hackers. As Richard Lack, managing director EMEA at Gigya, argued, any organization, anywhere in the world, collecting personal information from EU residents must comply.

“The result: existing third-party data in the EU is gone, and no new data will flow to data brokers as a replacement,” he added. “Businesses must, therefore, ensure that they have compliant systems in place to prevent a mass consumer ‘opt-out’ when the new regulations are enforced.”

For many, he continued, this will mean reviewing what structures need to be implemented to remain compliant while ensuring the optimization of customer needs and the associated need for transparency surrounding the use of their data.

“Despite this, all hope is not lost,” Lack said. “Businesses have a year to wean themselves from third-party data and refocus on engaging directly with their audience to obtain first-party data. This might not be the easiest path, but it’s the best way to build committed and long-lasting customer relationships.”

The GDPR will certainly continue to raise many questions over the next year, and no doubt it will result in a lot of sleepless nights for those on the road to compliance. However, it is also an opportunity for enterprises of all shapes and sizes to become not only more transparent in their business processes, but also more secure, enhancing customer trust in the process. It will certainly be a challenge (for some more than others), but the end goal of a safer, more protected digital environment for all must be the ultimate objective.
