GDPR 2018: More than just compliance


As 2018 nears, there is one topic that continues to dominate boardroom agendas – the General Data Protection Regulation (GDPR). Since the regulation was introduced in April 2016, organisations have needed to adjust and educate quickly to comply with the new regulation. GDPR will overhaul how businesses process and handle data. Failure to comply could cost organisations four per cent of their annual revenue in fines.

To meet the new protection laws by May’s deadline, organisations are integrating policies and initiatives to safeguard the data of EU individuals and prevent information getting into the wrong hands. But this has not been without its challenges. Members of the Fortune 500 will spend a combined $7.8bn to avoid falling foul and are already spending significant sums to recruit new staff and redesign products and services. Facebook is just one company that has spent millions already to upgrade existing policies to meet the new regulation.   

But while the initial adjustment period to GDPR will be difficult, the regulation also opens up new opportunities for businesses. It will encourage companies to consolidate personal data into a unified platform – so data can be easily located, anonymised and reported on. Boosting security initiatives and controls will also bring better visibility of data storage and management, enabling more transparent handling of customer personal data. Companies covered by GDPR will be more accountable for handling personal information – and to make this a reality, these are a few trends we expect to see in 2018.   

Growth of Security Apps 

As cloud adoption and mobile devices continue to grow within the enterprise, organisations are beginning to tap into the value that applications and services are enabling in the path towards better security and compliance. Okta’s Businesses at Work research, which analyses the most popular and fastest growing apps in the enterprise, discovered that security apps are increasing in adoption in the gear-up to GDPR.   

Email and cloud security software Mimecast, for example, has seen a boost in growth as organisations look to improve their information security measures. Mimecast grew 141 per cent across Okta’s EMEA customers in the past year, and has seen a 34.5 per cent growth in adoption in the UK over the past six months alone. This shows how organisations across Europe are becoming more aware of the complexities of GDPR and are using these applications to help compliance.  

Yet this growth is only set to continue as more and more organisations look to move away from traditional, on-premise solutions and shift their focus to digital offerings to help navigate GDPR. Research from MarketsandMarkets found that the digital transformation market is set to grow from $205.99 billion in 2017 to $493.29 billion in 2022, which indicates a promising time for digital security services to offer assurances for organisations in the age of GDPR.

Integrating the ‘Accountability’ Mindset at Every Level 

The second trend we will see as organisations prepare for GDPR is a shift in mentality; specifically, how each party in the business ecosystem will be made accountable for ensuring the highest security standards. With the risk of significant penalties in the event of a data breach, data protection and monitoring are no longer solely the duty of IT departments. Every individual within an organisation will be expected to uphold the values of GDPR.

All employees – from junior to board level – must be held accountable for reporting any potential data breaches and carrying out the correct protocols to safeguard personal data. But GDPR also makes the selection and management of external parties, such as business partners and vendors, more important than ever before. Any leakage of data across the supply chain will make the data controller liable, posing an even larger challenge across the stack. This will result in greater cross-collaboration and communication between different parties both internally and externally, to ensure security across the board is of the highest standard.    

Accountability is directly tied to awareness and education. 2017 saw several high-profile data breaches, including large established companies like Equifax and Uber. Compliance efforts cannot be limited to internal IT teams or outsourcing partners. Educating and upskilling current staff – the best first line of defence against breaches – will be critical to maintaining a high security posture. While organisations may incur an initial expenditure for training and education, a failure to implement these critical processes will have costlier consequences in the long term. 

Unified privacy framework 

We live in a multinational world, and even small-to-medium sized businesses are impacted by GDPR through international hiring, use of cloud services, and the storage of data. Without a consistent privacy framework across multiple countries, the ability to support business internationally is put at risk. GDPR does not mean moving all personally identifiable information (PII) back into the EU; instead, it creates a universal set of rules and regulations for all organisations to follow, ensuring that businesses can use cloud services and data worldwide while conforming to a solid foundation of business security. These policies include the encryption of devices and services, REST-based APIs and Security Assertion Markup Language (SAML) to protect customer data regardless of region.

While GDPR is indeed a European regulation, its impact extends beyond Europe. Outside of the EU, similar initiatives are being adopted in Australia, and the UK is also adopting its Data Protection Bill, which is designed to bring the UK’s data protection laws in line with the EU’s GDPR following Brexit. If more and more countries adopt similar processes, strong enforcement of data protection policies and controls will better equip organisations to safeguard global customer data and keep data breaches at bay.   

For years, organisations have been collecting data without a true understanding of the impact of data breaches. But GDPR has turned this on its head with a regulation that demands strategic thinking and implementation of policies for all parties involved within the business ecosystem.   

2018 will represent an interesting time as organisations adjust to the new legislative climate. The road towards compliance will be met with a few bumps along the way as organisations grasp what GDPR means for them and await more guidance from the Article 29 Working Party. A wider adoption of security apps and services, a shift in mindset, and the operation of a universal privacy framework will all be key trends in organisations' quest for data compliance. However, these changes will no doubt set the precedent for a stronger, more robust security business infrastructure, simplifying international commerce in the coming years.

Chris Niggel, Director of Security and Compliance at Okta 
