Doing business in the EU? Get ready for GDPR compliance with RES
It seems like every day brings another news story about a new security threat or data breach, so it isn’t surprising that we are seeing new and stricter regulations around data protection. Last week, the EU approved the General Data Protection Regulation (GDPR) to establish formal regulations and a more modern framework that must be adopted across the European Union by April 2018. These stricter provisions, combined with stronger incentives for businesses to comply, should give the public more confidence that their personal data is secure (especially when interacting with businesses online).
The new regulations have a two-year implementation period, so any organization doing business in the EU has until April 2018 to adopt policies and implement appropriate measures around processing and accessing personal data before the new rules are enforced. Yes, you read that correctly! This data protection law applies not only to businesses established in the EU, but to all businesses worldwide that collect customer data in the EU (no matter where the data processing takes place). GDPR has an enormous reach and will apply to a very large number of businesses around the world.
Unlike previous directives, GDPR has established some serious consequences. If businesses do not comply with provisions, they could be fined €20m, or up to 4% of total worldwide annual revenues. The commission has made it known that these regulations will be enforced, so if organizations don’t comply, they will have to face the music. Those who manage security for the organization should not just be looking to check a compliance box, but to evaluate their existing solution and implement a complete strategy to protect themselves. This means that it is time to start taking data protection seriously and begin immediate planning for compliance.
Some organizations might already have a data protection strategy in place that addresses security incidents, but that doesn’t mean they are meeting the new provisions. GDPR encompasses many aspects of data protection, such as data processing, collection purposes, adequacy, accuracy, retention, rights of the customer, security and transferring data across borders. Over the next two years, implementing best practices and best-in-class solutions in these areas will be the path to compliance.
No matter how far along your data protection strategy is, it is important to take a step back and ask a few questions about how well your data is protected from both external and internal threats, and how much control you have over who is accessing your data, and when and where they are accessing it:
- How do you protect against breaches, ransomware and other security vulnerabilities?
- If a breach occurs, how quickly do you believe you can restore the user workspace so they can continue working?
- Do you adequately protect against internal threats introduced maliciously or carelessly by individuals with access to your network?
- How do you ensure secure onboarding and offboarding of users to avoid unauthorized access once they leave the organization or their role changes?
- Do you have a way to automate identity management so that user roles and functions are aligned with the appropriate qualifications for applications and services?
- How do you ensure that users with access to customer data actually need it to do their jobs, and that their access is restricted to secure and approved contexts?
- Do you have total control over what users can and cannot do on company-issued devices?
- Can you lock down the data that can be removed from the network (e.g. via USB port)?
- How do you track who has access to what customer data to ease the auditing process?
After considering your answers, there might be a little work ahead of you to ensure that your data is meeting GDPR provisions. This is where RES can help – we recommend that organizations augment their traditional security approach with a more people-centric approach to security and access management. Our approach can help with GDPR compliance by ensuring identity and access controls are context-aware and that IT can protect internal workers from introducing threats into their environment. Not only can we help you implement data protection automation and best practices, but you can easily meet internal and regulatory deadlines with our quick time to value.