Aside from people who have been living under a rock for the past few months, we are all very much aware that the much anticipated European Union General Data Protection Regulation (EU GDPR) now has an enforcement date of May 25th, 2018. Whether you’re excited for, or dreading, the new regulation, it’s hard to argue with the fact that the EU GDPR will strengthen and unify data protection for individuals by pushing organisations to align their data management policies and practices with its stringent rules, or face a hefty fine.
In my opinion, it’s almost a bit upsetting that the regulation has to be adopted with such strict measures, as in my book, organisations should already be adhering to industry guidelines and best practices, EU GDPR or no EU GDPR. ISO and NIST in particular are two sets of information security best practice frameworks that have risen in importance, and make good business sense. IT pros would do very well to use these frameworks as a blueprint to define the tasks required to build security into their organisation.
We recently surveyed 460 IT pros in the US, Canada, Mexico, the UK, France, Germany, India, Japan and China to measure the level of importance that organisations place on data protection regulations and industry guidelines, and the results were quite disconcerting. Just under a third of respondents admitted that their company had been hit by a data breach in the last 12 months. This just goes to show that data breaches are becoming the norm in today’s society. That is not acceptable: not only is a breach a very costly exercise for affected businesses, it gives off an air of disregard for customers’ data.
So, we’ve prepared a list of eight top tips that will help to get your organisation EU GDPR ready. Let’s get started…
Step 1. Know Your Data: Institutionalize a Data Discovery Exercise
If you don’t even know what data you’re storing in your system, how can you possibly know if it has been breached until it’s far too late? Under the EU GDPR, if a data breach isn’t reported within 24 hours of detection, you could face a fine of 4% of your organisation’s global group revenue or €20 million, whichever is larger. Large fines aside, data breaches being reported months or years after they happened can destroy an organisation’s reputation – just look at O2. The O2 data breach saw hackers steal O2 customer data, including names, dates of birth, phone numbers, emails and passwords. Hackers used ‘credential stuffing’: they breached a gaming site called XSplit, stole members’ login details from it and reused those credentials to get into O2 users’ accounts. The lesson learnt from this debacle is clear: be aware of all the kinds of data on your system, as well as when data needs to be removed.
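A data discovery exercise, in practice, is a scan that answers three questions per file: what kind of file is it, does it hold personal data, and how old is it. The script below is an added example (it is not code from the original article or from any vendor's product) showing one minimal form of that scan. It assumes a simple model: every file under a root directory is bucketed as a temp file, a log or a document, scanned for e-mail addresses and phone numbers with small regexes, and flagged when its modification time falls outside a retention window. The directory tree it scans is constructed inside the script; the names and regexes are illustrative assumptions and would be extended for real estates.

```python
"""Data discovery inventory: what personal data is where, and how old it is.

Added example, not code from the original article or from any vendor.
It assumes a simple model: every file under a root directory is classified
by kind (temp file, log file or document), scanned for two kinds of personal
data (e-mail addresses and phone numbers) and flagged when its modification
time is older than a retention window. Categories and regexes are
deliberately small and are assumptions, not a standard.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# Require separators between digit groups so dates and IP addresses do not match.
PHONE_RE = re.compile(r"(?<![\d.])(?:\+\d{1,3}[ -])?\d{2,4}[ -]\d{3,4}[ -]\d{3,4}(?![\d.])")

TEMP_EXT = {".tmp", ".bak", ".swp"}
LOG_EXT = {".log"}


@dataclass
class Record:
    path: str            # path relative to the scanned root
    kind: str            # "temp", "log" or "document"
    emails: int          # number of e-mail addresses found
    phones: int          # number of phone numbers found
    age_days: float      # days since last modification
    over_retention: bool


def classify(path):
    """Bucket a file by name and extension: temp files and logs hold
    personal data just as much as 'real' documents do."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if name.startswith("~") or ext in TEMP_EXT:
        return "temp"
    if ext in LOG_EXT:
        return "log"
    return "document"


def scan(root, retention_days=365):
    """Walk root and return one Record per file, sorted by relative path."""
    records = []
    now = time.time()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="ignore") as f:
                text = f.read()
            age = (now - os.path.getmtime(full)) / 86400
            records.append(Record(
                path=os.path.relpath(full, root),
                kind=classify(full),
                emails=len(EMAIL_RE.findall(text)),
                phones=len(PHONE_RE.findall(text)),
                age_days=age,
                over_retention=age > retention_days,
            ))
    return sorted(records, key=lambda r: r.path)


def by_name(records):
    """Index records by file name for quick lookup."""
    return {os.path.basename(r.path): r for r in records}


def summarise(records):
    """Totals a DPO would want on one line: files with PII and stale files."""
    with_pii = [r for r in records if r.emails or r.phones]
    stale = [r for r in records if r.over_retention]
    return {"files": len(records), "with_pii": len(with_pii), "stale": len(stale)}


def build_sample_tree():
    """Create a small constructed directory tree for the demo (not real data)."""
    root = tempfile.mkdtemp(prefix="discovery-")
    samples = {
        "exports/customers.csv": ("name,email,phone\n"
                                  "Ada Lovelace,ada@example.org,020 7946 0958\n"
                                  "Charles Babbage,charles@example.org,+44 20 7946 0958\n"),
        "var/app.log": "2024-01-01 INFO login user=ada@example.org from 10.0.0.5\n",
        "exports/~customers.tmp": "scratch copy: ada@example.org\n",
        "docs/README.txt": "Internal handbook. No personal data here.\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)
    # Backdate the export so it falls outside a one-year retention window.
    old = time.time() - 400 * 86400
    os.utime(os.path.join(root, "exports/customers.csv"), (old, old))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    records = scan(root)
    for r in records:
        print(f"{r.kind:8} {r.path:24} emails={r.emails} phones={r.phones} "
              f"age={r.age_days:.0f}d over_retention={r.over_retention}")
    print(summarise(records))
```

Run it as-is and it prints one line per file plus the totals; in the constructed tree the customer export is the only stale file, and three of the four files carry personal data, including the log and the temp copy that a document-only inventory would miss.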
Step 2. Protect Your Data: Explicitly Catalogue the Protections of Data Stores
Where do your data stores reside? Who controls access? Who has access? What physical and logical protections are in place to keep your data stores safe? In the data-driven world we live in, data should be treated in the same way as a collection of precious gems – avoid the insider threat by knowing exactly who has access to your data stores, as well as ensuring that they can be trusted.
Step 3. Monitor and Enforce Corporate-Wide Data Retention Policies
Plenty of organisations already have written corporate-wide data retention policies, but unfortunately these policies are rarely monitored or rigorously enforced. Don’t let your company fall into the same trap that Hillary Clinton did. The U.S. Department of State has explicit requirements for the retention of documents and email, yet these requirements are often flouted because they aren’t, or at least weren’t, taken seriously enough.
Step 4. Don’t Be A Hoarder: Ensure That End-Of-Life Data Erasure has a Place in your Policies
One of the reasons that Yahoo holds the world record for the largest ever data breach is the sheer mass of customer data that it was hoarding in its system – the 2013 breach saw 1 billion accounts leaked. Considering that there are only 3 billion people who use the internet, and the two most popular email service providers are Hotmail and Gmail, it would appear that vast swathes of the accounts leaked during the breach were very, very old. End-of-life data erasure is a crucially important tool in protecting your company from a breach. Remember: always use a certified and verifiable method (and tool) to permanently erase your data so that it cannot be recovered.
Step 5. Classify Every Different Kind of Data on Your System
Aside from the obvious, it’s important to establish additional classes of data. This includes temporary files, machine logs, browsing history, free disk space and deleted files. Deleting files by, for example, emptying your recycle bin doesn’t get rid of them completely – secure data erasure is the only way to destroy the underlying data for good. Proof of removal is also a vital part of an audit trail, which can be submitted to government agencies, investigatory and police authorities, and regulatory bodies.
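The two points made here, that an ordinary delete leaves the underlying data in place and that erasure needs a proof of removal you can hand to an auditor, can be shown together in a few dozen lines. The script below is an added example, not code from the original article or from any vendor's erasure product. It assumes ordinary files on a local filesystem: each file is overwritten in place (random data, then zeros), synced to disk and unlinked, and a record of what was destroyed (size, SHA-256 before erasure, pass count, time) is appended to a hash-chained log that can be re-verified later. In-place overwriting is not sufficient on SSDs, copy-on-write or journaled filesystems, or wherever snapshots and backups hold copies; those cases need the storage layer's own sanitize or crypto-erase, which is outside this example. The sample file it erases is constructed inside the script.

```python
"""Secure file erasure with a tamper-evident proof-of-removal log.

Added example, not code from the original article or from any vendor's
erasure product. Assumes ordinary files on a local filesystem: overwrite
in place (random data, then zeros), fsync, unlink, and append a record
to a hash-chained log an auditor can re-verify. Overwriting in place does
not cover SSD wear-levelled blocks, copy-on-write or journaled
filesystems, snapshots or backups; those need the storage layer's own
sanitize or crypto-erase.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 64 * 1024
GENESIS = "0" * 64  # prev_hash of the first log entry


def file_sha256(path):
    """Digest recorded before erasure so the log identifies what was destroyed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def secure_erase(path, passes=2):
    """Overwrite, sync, unlink; return a proof-of-removal record (dict)."""
    size = os.path.getsize(path)
    digest = file_sha256(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                # Random data on the earlier passes, zeros on the final one.
                f.write(os.urandom(n) if p < passes - 1 else b"\0" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    os.unlink(path)
    return {
        "path": os.path.abspath(path),
        "size": size,
        "sha256_before": digest,
        "passes": passes,
        "erased_at": time.time(),
        "removed": not os.path.exists(path),
    }


def _entry_hash(entry):
    """Hash of every field except the entry's own hash, in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_proof(log, record):
    """Chain the record to the previous entry so later edits are detectable."""
    entry = dict(record)
    entry["prev_hash"] = log[-1]["entry_hash"] if log else GENESIS
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Recompute every hash and link; False if any entry was altered or reordered."""
    prev = GENESIS
    for entry in log:
        if entry.get("prev_hash") != prev or _entry_hash(entry) != entry.get("entry_hash"):
            return False
        prev = entry["entry_hash"]
    return True


def make_sample_file(content=b"customer export line\n" * 1000):
    """Constructed input for the demo; not real customer data."""
    fd, path = tempfile.mkstemp(prefix="erase-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    log = []
    for _ in range(2):
        append_proof(log, secure_erase(make_sample_file()))
    print(json.dumps(log, indent=2))
    print("log verifies:", verify_log(log))
```

The log is the audit artefact: each entry commits to the previous one, so an auditor who re-runs `verify_log` over the stored JSON can tell whether any entry was edited or dropped after the fact, which is the "proof of removal" the step above calls for.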
Step 6. Don’t Forget to Audit Data Retention Policies, Data Use and Data Erasure
Audit, audit, audit. It’s all very well to do everything right, but if you can’t prove it to the authorities then you may as well leave your data completely undefended. Whether you love or loathe bureaucracy, there is no such thing as too much of it when it comes to data regulation.
Step 7. Hire a DPO (Data Protection Officer)
An early draft of the EU GDPR specified that DPOs were only necessary for organisations with 250-plus employees, but this is no longer the case, so don’t get caught out. Under Article 37 of the GDPR, data protection officers must be appointed for all public authorities, and where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”. Basically, if you collect and process personal data of any volume, make sure you hire a DPO.
Step 8. Empower Your DPO
Empower your DPO to report outside your internal chain of command to a central data protection organisation, such as the GAO (Government Accountability Office) over in the States. If you’re doing everything right, you should have absolutely nothing to hide.
Data breaches are a daily occurrence at the moment, and if you think they are costly to your organisation’s pocket and reputation now, the EU GDPR will take the burn of a breach to a whole new level. The EU GDPR is a landmark piece of legislation that will radically change how we treat data for the better. Data is precious; it’s about time organisations started treating it as such.
Image Credit: Wright Studio / Shutterstock