Data regulations, and heightened sensitivity around how data is captured, stored and secured, are not a new concept, but the way they are handled and enforced varies across the world. With the General Data Protection Regulation (GDPR) just around the corner, we will soon see the enforcement of a harmonised set of data protection requirements throughout Europe, created to strengthen data protection for individuals residing in and around the European Union (EU).
With a matter of weeks until the GDPR comes into force, many organisations may still be wondering how best to use this time to achieve compliance. According to one recent PricewaterhouseCoopers survey, 89% of organisations affected by the impending regulations are still unprepared for the upcoming changes. One of the largest challenges facing businesses is how best to implement the behaviours and standards the regulation requires.
How can you ensure your organisation’s practices and policies will meet the required regulations?
GDPR will act as a shining spotlight on your organisation’s approach to data and to security
GDPR will place strict requirements on the way a business handles the personal data of EU residents – whether this is in the form of marketing records, purchase information or preferences data. For companies that collect personally identifiable data, a full review of organisational and technical processes around data will be required, with the appropriate adjustments then made to avoid financial penalties.
The ICO has provided basic guidelines on how best to secure your systems based on the level of risk you face and how much sensitive data you hold. The less segmented your information storage, or the more personal the data you are collecting, the more stringent and complex the requirements you have to meet.
The regulations are vague at this stage, but the headline is clear: if you do not know where your data is, how it is organised or whether it is clearly segmented, you cannot ensure the safety of its contents.
A full end-to-end assessment of what data you hold across the board, where it came from, and whether you have the appropriate controls in place is key. This is often a complex task, requiring research into both internal and external data capture.
Here are our recommendations for promoting and ensuring an end-to-end mentality in GDPR compliance:
1. Protect your systems from unauthorised access
Your business cannot expect to comply with GDPR without full visibility of your IT assets and of what you are using to process, transmit, analyse and store data. In addition, the technologies involved in digital transformation – such as cloud computing, mobility and IoT – have blurred traditional network perimeters. This leaves IT environments hybrid, distributed and decentralised, and therefore difficult to locate, let alone protect.
Complete visibility of your IT environment, backed by a full and detailed inventory, is therefore key. The assets you do not know about are the ones that pose the highest risk.
With full visibility of your IT and networks, you can prioritise your efforts to secure these systems against data breaches and ensure the appropriate security and compliance controls are in place. A cloud-based IT asset inventory system that automates the collection and categorisation of data can give you full visibility of your IT assets in one place, allowing you to monitor and protect customer data accordingly.
System protection is not just about IT controls and procedures but also about people. For GDPR, this means making sure your teams go through security and privacy awareness training so that they fully understand their responsibilities under the regulation. This should ensure everyone is aware of what can and cannot be done under GDPR, and your business must be able to demonstrate that a continual awareness programme to this effect will remain in place. In addition, having a way to record if and when data is accessed is key: data can be vulnerable to hackers and malicious attacks, but it is equally open to internal abuse and misuse.
2. Assess your third parties
A full vendor risk assessment should be undertaken ahead of the GDPR deadline, not only to ensure you know who is handling your data, but also to establish how your third-party suppliers will store that data (where appropriate) and, more importantly, how they will manage the impact of a data breach. Your business will only be as GDPR compliant as the other companies you work with that handle your data.
For example, if a third party is late informing you of a data breach, you will not be able to pass your own notification on to the end user or the regulator in time, leaving your company liable and exposed to a penalty.
Once you have completed your initial assessment, you must also make time for further, regular checks against your vendors and third-party suppliers. This gives you full visibility of any changes to your supplier network and lets you determine whether your technical controls for the protection of data are still being adhered to over time. Should any failing arise, it can then be addressed quickly.
Done by hand, using emails and spreadsheets, this is a slow, imprecise and labour-intensive exercise that strains IT teams. A cloud-based solution, built for scale and ease of access, lets you build a custom questionnaire that meets your needs while capturing all vendor assessment information in one place. In short, you must demonstrate due diligence and assess your third parties' GDPR compliance as well as your own, today and into the future.
3. Test your incident response
Under GDPR, all companies must report any instance of a data breach within 72 hours of discovery. Test your incident response and data breach plans to make sure you can identify a breach quickly. Having the appropriate detection tools in place can mean the difference between suffering a large-scale attack and preventing one.
Threat hunting relies on thorough knowledge of, and visibility into, your organisation's IT environment. Traditional approaches to detecting breach activity, such as signature detection, can allow both known and unknown variants of malware to go undiscovered and unmitigated for months, and are blind to non-malware attacks, leading to costly and damaging breaches. With a single view of vulnerabilities across the network, you can prioritise each threat, locate any issues and remediate them accordingly.
Under GDPR you are also responsible for checking that any third party is following your data practices. You must have the appropriate channels in place to communicate the right information to your data owners and security officers where appropriate, and be able to carry out your breach notification obligations as soon as possible.
4. Ensure you remain compliant
Companies have to take into account the size of their EU presence, the type of data they collect and the scope of their business operations; depending on these factors, reaching full compliance can take a few months or several years, so a forward-looking attitude is key, particularly with GDPR only a matter of weeks away.
For any new application, it is important to build a security and privacy mindset in from the start. Ask yourself what data you will collect in the future, what the associated risks are, and how best to implement the technical and security controls that prevent accidents. For existing applications, there is still time to bring them up to speed. Ongoing assessments, together with a thorough understanding of what you own and where it is, are key to remaining compliant.
Some of the guidance around GDPR requirements is vague. In general, this should encourage you to exercise due diligence and promote security by design, building these steps into your overall approach to data. For existing applications, you still have time to add the additional controls needed to meet the GDPR compliance requirements. However, the overriding message is clear: GDPR is very close, and if you do not comply you risk facing financial and operational consequences.
Darron Gibbard, Managing Director, EMEA North at Qualys