After almost four years of lobbying and intense negotiations, on 14 April 2016, the European Parliament approved the enactment of the General Data Protection Regulation (GDPR).
This law, which comes into force on 25 May 2018, aims to strengthen and unify data protection for individuals within the European Union. At the same time, British businesses find themselves facing a unique set of challenges. A decision on Brexit looms, and organisations are experiencing an ever-increasing risk of falling victim to cybercrime.
Moreover, these challenges are set against an already complex enterprise IT backdrop, as revealed by Code42's 2016 Datastrophe Study. The findings - which aggregated the views of 400 enterprise IT decision makers (ITDMs) - showed that as many as half (50 per cent) of ITDMs believe that the security measures they have today will not meet the new regulation. In addition, a further one in four (25 per cent) admitted that their companies are not doing enough to protect data.
Ultimately, all of the above means that UK enterprises are entering a time of rapid change, under significant risk and new accountability systems. The question is, what can they do to protect their company’s most vital asset - its data - right now and in the future?
First things first
Let us address the elephant in the room. Brexit is a real threat for UK businesses today. It is causing uncertainty in the financial marketplace, and is leaving IT on hold when it comes to deciding the future of data protection. The thing is, Brexit is irrelevant as far as the GDPR is concerned. Regardless of what happens in the referendum, it is highly likely that the UK would still have to follow the GDPR. The bar could also be set higher than the regulation, rather than lower, since the UK would want to reassure the European Union that its data protection laws are on par or superior, so as not to scare away foreign investment.
In the event of a Brexit, the UK would no doubt apply for its own data protection laws to be seen as adequate in the eyes of the EU, akin to the adequacy decision the European Commission made in favour of Canada six years ago. The bottom line is that businesses still need to be preparing themselves. In fact, data protection should be at the top of the boardroom agenda right now.
Focus on the things you can change
Making changes to IT security in an enterprise-sized business takes time; there is no debate about that. But this is not an excuse to suffer from analysis paralysis. Right now, with cybercrime becoming more and more prolific and attacks ever more complex, savvy ITDMs should be focusing on the data they can protect immediately.
The catch is that this data is no longer safely tucked away in the datacentre behind firewalls and several layers of security. Some of the most precious, if not business-critical, data your organisation has lives on the endpoint. It is on the move, in the hands of end users - on their laptops and mobile devices. In fact, according to Datastrophe, ITDMs believe that as much as 45 per cent of corporate data is now held on endpoint devices.
The good news is that you can gain visibility into what data is on endpoints right now by implementing modern endpoint backup. The right backup and endpoint data protection solution will give IT full visibility and control of all data residing on, or passing through, endpoint devices. This information, held in a central repository, will also prove to be an invaluable resource that can be leveraged to help overcome some of the challenges of the GDPR. It could help your enterprise keep on the right side of this new compliance standard, as it will enable you to quantify and remediate any event affecting data in a timely manner. And in the case of a breach, it will enable you to report it quickly and efficiently - minimising the risk of your company having to pay out as much as €20m or 4 per cent of its annual turnover, whichever is greater, in penalties.
Do not underestimate the power of communication
ITDMs have a duty of care to raise data protection concerns in boardroom-level conversations. CIOs and CISOs have to expose the rest of the C-suite to the real business impacts of not taking action to protect the company's data, or of holding off on making the business GDPR compliant. Luckily for them, and unfortunately for others, these IT influencers will not have to look far to find real-world examples - after all, just recently a very famous British company lost 101,000 customers and £15m in revenue after a hack that exposed its customer data.
But communication cannot stop at the C-suite. ITDMs also have to ensure that their end users are doing everything in their power to help protect the enterprise and ensure it remains compliant. This should be done through regular IT security workshops with staff, and of course by implementing technology that helps employees do their jobs without interruption, so that they do not feel the need to circumvent security.
It is only when everything is in place - a future-proof data protection strategy, the right technology stack and employees at all levels working together - that your business will stand a chance of overcoming the challenges of modern cyber security threats.
This can only be done by taking a proactive stance on data security and being willing to take a hard look at the things you can do now to ensure future success and full GDPR compliance.
Rick Orloff, CSO at Code42