This month, the European Parliament passed the final vote for the new General Data Protection Regulation (GDPR) and MEPs agreed to update existing legislation to make it more relevant to modern technology.
While the new laws won’t be enforced for another two years or so, this is still a relatively short period considering businesses will need to get to grips with the new requirements, evaluate their existing security measures and navigate the path to full compliance in that time.
This news has been a rather long time coming, considering the first proposals for the GDPR were released four years ago. However, it’s even more overdue when you consider the steady drumbeat of data breaches at high profile brands that we’ve seen during that time. From a legal perspective, Europe has historically suffered from a muddled and uneven data protection fabric, with a series of discrete regulations in force. In short, something urgently needed to change.
Cybersecurity and the GDPR
The cybersecurity landscape is rapidly changing thanks to our increasingly digital lifestyle, the proliferation of connected devices and an evolution in the way that information flows through an organisation. As data becomes more available to business users, for example, this in turn makes it far easier for cybercriminals to access and abuse it. With the UK Data Protection Act fast becoming outdated, the GDPR presents a new, unified solution to protecting sensitive information, one that is consistent across the region and able to better protect information in this era of social, mobile and cloud-based sharing.
Understandably, the new regulation will have several implications for businesses processing data belonging to EU citizens – irrespective of their location – and preparations must be made to ensure compliance and avoidance of increasingly strict penalties. When enforced, the GDPR stipulates that data breaches must be reported to the relevant authorities within 72 hours of discovery if they’re likely to jeopardise the rights and freedoms of individuals affected, and records must be kept of all such incidents.
Regarding the aforementioned penalties, non-compliant organisations now face fines of up to four percent of their global revenue or €20,000,000, whichever is higher, a sum that will undoubtedly have a serious impact on a business’ bottom line. For less severe incidents, the fine will be reduced to two percent of revenue or €10,000,000.
What should be classed as sensitive data?
A key question to consider is that which concerns the definition of ‘sensitive data’. As we place more information online, this is a definition that is constantly evolving, and as such the term has been recently expanded to include genetic and biometric data, as well as online identifiers such as cookies, RFID tags and IP addresses. Whenever an organisation processes such information, it must first conduct a thorough audit of protective measures around that data, including safeguards, security and mechanisms to lower the risk of exposure and ensure compliance with the GDPR.
For many businesses, getting IT security right is a difficult challenge. We have witnessed big breaches at high profile brands from VTech to TalkTalk to Target, as well as the damaging fallout from a financial and reputational perspective. The GDPR offers a chance for organisations to seriously analyse their existing security mechanisms against a set of criteria that will not only strengthen their cybersecurity position but also lessen the risk of a very expensive breach. For many, this process of adaptation will be difficult, time-consuming and costly, so it would be a good idea to start mapping out future-proof security strategies, planning for the changes and investing in suitable technology sooner rather than later.
With cybercriminals going to extreme lengths to get their hands on sensitive or lucrative data, the ultimate goal for organisations should be to protect that data at all costs. We are living in an age where data breaches are almost inevitable, so it makes sense to defend data with encryption so that it remains illegible and virtually useless if and when it falls into the wrong hands. An inventory must be taken that accounts for all data that is produced, processed and stored so that full insight can be gained into how and where the information flows. A default strategy of ‘encrypt everything’ will be critical to ensuring compliance, and today’s advances in technology mean that encryption is neither an expensive nor a cumbersome process – in fact, it is now faster and easier than ever before to secure data with encryption, so there is very little excuse for organisations failing to do so.
That said, while this is a good start, effective protection must go beyond encryption – particularly when considering the threat from within. Access controls are an important extra layer of defence, ensuring that only users with the appropriate level of authorisation can access certain data sets. Once a user is granted access to an encryption key, their use of it is fully controlled and accounted for: rules on data entitlements are enforced, the access cannot be shared with another user, and further conditions such as time of day can be applied.
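To make the two preceding paragraphs concrete (encryption keys held centrally, released only under policy, with every decision recorded), here is an added illustration in Python. It is not Vormetric's product code and not part of the original article; the key identifiers, user names, time windows and the `KeyStore` / `KeyHandle` API are all made up for the example. It models the controls the text names: a per-user entitlement for a key and operation, a time-of-day window (including one that wraps midnight), a released key handle that is bound to the user it was issued to so it cannot be passed to a colleague, and an audit trail that records allow and deny decisions alike. The actual bulk encryption of data with the released material is left to whatever data-encryption layer sits on top of it.

```python
"""Policy-gated release of an encryption key, with an audit trail.
Added illustration only (not Vormetric's code); all names are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional
import secrets


@dataclass(frozen=True)
class Entitlement:
    """What one user may do with one key, and during which hours of the day."""
    user: str
    key_id: str
    allowed_ops: FrozenSet[str]     # subset of {"encrypt", "decrypt"}
    window_start: time              # inclusive start of the permitted window
    window_end: time                # exclusive end; start > end means it wraps midnight


@dataclass(frozen=True)
class KeyHandle:
    """Key material released to exactly one user for exactly one operation."""
    key_id: str
    user: str
    op: str
    material: bytes


def in_window(ent: Entitlement, now: datetime) -> bool:
    """True if `now` falls inside the entitlement's time-of-day window."""
    t = now.time()
    if ent.window_start <= ent.window_end:
        return ent.window_start <= t < ent.window_end
    return t >= ent.window_start or t < ent.window_end      # overnight window


class KeyStore:
    """Holds key material and entitlements; logs every release decision."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._entitlements: List[Entitlement] = []
        self.audit: List[dict] = []

    def create_key(self, key_id: str) -> None:
        self._keys[key_id] = secrets.token_bytes(32)        # 256-bit key material

    def grant(self, ent: Entitlement) -> None:
        self._entitlements.append(ent)

    def _record(self, now, user, key_id, op, decision, reason) -> None:
        self.audit.append({"at": now.isoformat(), "user": user, "key_id": key_id,
                           "op": op, "decision": decision, "reason": reason})

    def request_key(self, user: str, key_id: str, op: str,
                    now: datetime) -> Optional[KeyHandle]:
        """Return a handle bound to `user`, or None; the decision is always logged."""
        if key_id not in self._keys:
            self._record(now, user, key_id, op, "deny", "unknown key")
            return None
        ent = next((e for e in self._entitlements
                    if e.user == user and e.key_id == key_id), None)
        if ent is None:
            self._record(now, user, key_id, op, "deny", "no entitlement")
            return None
        if op not in ent.allowed_ops:
            self._record(now, user, key_id, op, "deny", "operation not entitled")
            return None
        if not in_window(ent, now):
            self._record(now, user, key_id, op, "deny", "outside time window")
            return None
        self._record(now, user, key_id, op, "allow", "policy satisfied")
        return KeyHandle(key_id, user, op, self._keys[key_id])


def use_key(handle: KeyHandle, user: str, op: str) -> bytes:
    """Release the material only to the user and operation the handle was issued for."""
    if handle.user != user:
        raise PermissionError("key handle was issued to a different user")
    if handle.op != op:
        raise PermissionError("key handle was issued for a different operation")
    return handle.material


def demo() -> dict:
    """Constructed scenario: an office-hours analyst and an overnight on-call role."""
    store = KeyStore()
    store.create_key("customer-db")
    store.grant(Entitlement("alice", "customer-db", frozenset({"decrypt"}), time(9, 0), time(18, 0)))
    store.grant(Entitlement("oncall", "customer-db", frozenset({"decrypt"}), time(22, 0), time(6, 0)))
    office_hours = datetime(2016, 4, 20, 10, 30)
    night = datetime(2016, 4, 20, 23, 15)

    alice_day = store.request_key("alice", "customer-db", "decrypt", office_hours)
    alice_night = store.request_key("alice", "customer-db", "decrypt", night)
    bob = store.request_key("bob", "customer-db", "decrypt", office_hours)
    alice_encrypt = store.request_key("alice", "customer-db", "encrypt", office_hours)
    oncall_night = store.request_key("oncall", "customer-db", "decrypt", night)

    try:                                    # alice hands her handle to bob: refused
        use_key(alice_day, "bob", "decrypt")
        reuse_blocked = False
    except PermissionError:
        reuse_blocked = True

    return {
        "alice_office_hours": alice_day is not None,
        "alice_night": alice_night is not None,
        "bob": bob is not None,
        "alice_encrypt": alice_encrypt is not None,
        "oncall_overnight": oncall_night is not None,
        "handle_bound_to": alice_day.user,
        "reuse_blocked": reuse_blocked,
        "denials": sum(1 for a in store.audit if a["decision"] == "deny"),
        "audit_entries": len(store.audit),
    }
```

Two design points carry the weight of the text's argument. The handle is bound to the requesting user and operation, so "sharing access" means handing over something the recipient cannot use, rather than a bare key that travels freely. And the audit list records denials as well as grants; when a breach has to be reported within 72 hours, the record of who asked for which key, when, and why they were refused is exactly the evidence an investigation needs.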
With these basic measures in place, organisations will be better placed to operate in a post-GDPR world. However, things change and it is important not to become complacent. Instead, data security should be considered a constant work in progress, with regular testing and evaluation of the effectiveness of these tools built into the overall data protection strategy.
In summary, the GDPR is a definite step in the right direction, and will hopefully bring about much needed change to organisations currently falling behind on critical security requirements – but although the deadline may seem far off now, it will most certainly creep up on us, with devastating consequences for those who fail to take heed.
Louise Bulman, Vice President & General Manager EMEA, Vormetric