Now that the GDPR (General Data Protection Regulation) has been passed, EU residents will soon have a consistent level of protection and a better say in how their data is handled by private organisations. But what do those organisations need to change in order to be compliant?
GDPR defines minimum standards for handling, securing and sharing personal data of EU inhabitants and it comes into effect on May 25th 2018. With less than two years left to comply, and considering the magnitude of people, process, and technology changes that need to occur, forward-thinking businesses have started building towards becoming compliant already.
Not even Brexit can stop GDPR from changing how data is controlled and secured by UK organisations. That’s because the GDPR concerns the personal data of EU citizens rather than drawing its boundaries on where your organisation is located. Its ‘extra-territoriality’ clause means that selling or marketing to just 5,000 people in the EU means you have to abide by its rules. In any case, the UK has yet to invoke its two-year Brexit process, so all EU regulations continue to apply.
What changes will GDPR bring?
GDPR will harmonise data protection regulations across the EU, superseding existing national data protection laws that each member country has in place. Although the standards will be far more stringent for most EU countries, and require organisations to implement many new data protection measures, this consistency could make doing business simpler.
Currently there are 28 different data protection schemes for businesses to understand. GDPR will drastically simplify this, while still allowing each EU country to establish local laws in addition to the EU legislation.
Key among the new rules are the “right to be forgotten,” mandatory data breach notifications, mandatory Data Protection Officers (DPO), demonstrable use of processes and technology to protect data, and fines of up to 4 per cent of global annual turnover, or €20 million, for serious violations.
According to Ovum, 70 per cent of businesses expect to increase spending to address data protection and sovereignty. A major driver for this is that failure to do so after the two-year transition period will mean businesses face significant consequences, including regular data protection audits.
What should businesses do to be compliant?
To comply, organisations need to deploy ‘state-of-the-art’ technological and organisational procedures. Organisations should seek to build flexible architectures able to incorporate new technologies as the definition of ‘state-of-the-art’ evolves over time.
Technologies like encryption are expected to be among those required to protect sensitive data, further increasing the rapid growth of encrypted network and internet traffic. However, companies should be vigilant against cyber criminals who hide their attacks inside seemingly benign encrypted traffic.
Unfortunately, most enterprise security tools are unable to scan encrypted data for malware or for signs of an encrypted attack or data exfiltration, making encryption a simple and effective tool for evading security controls. The solution lies in creating an encryption policy which sufficiently balances data privacy and a resilient security posture. Encrypted traffic management (ETM) technology is available to enable organisations to decrypt selected types of encrypted traffic and securely forward the content for processing by security controls before re-encrypting and sending it to its destination.
Another potential issue relates to data breach notifications. GDPR asks organisations that suffer data breaches to notify the EU Supervisory Authority within 72 hours. Organisations should evaluate their current incident response capabilities without delay, to ensure they can quickly determine a complete picture of what happened, and how.
This isn’t as straightforward as it sounds. According to research by Ponemon Institute, the average malicious data breach can take over 250 days to detect and a further 80 days to resolve. Such delays are exacerbated when incident response teams have to manually sift through large, disparate data-sets to identify what happened, who it affected and how to fix it.
Automated intelligence is important to improving organisations’ ability to notify stakeholders in the event of a data breach and demonstrate to authorities that they have taken sufficient measures towards its detection and resolution. Solutions like Security Information Event Management (SIEM) and Network Forensics solutions enable businesses to automatically capture all network data in a single location, identify how they were breached, which resources the data breach impacted and what data was lost.
Control of data in the cloud
For many organisations, the cloud will be seen as an especially glaring gap in their data protection strategies. As dependency on cloud applications grows, enterprises face a growing number of issues regarding data privacy, compliance and security. With cloud, user data is more exposed compared to when it was solely confined to local systems, increasing the risk for potential GDPR violations in the event of a data breach.
The upshot is that few organisations have full visibility and control over their data, purely by virtue of the fact that they don’t own the infrastructure that the applications run on. That’s both the beauty and the horror of cloud apps.
Cloud Access Security Broker (CASB) technologies aim to alleviate these data protection and data residency issues. CASB provides visibility over cloud application usage and the data going to these applications, as well as providing the means to control who can use such apps, see certain types of data and what apps can exchange private data.
One technology that will help organisations with data residency is tokenisation, which allows organisations to safely use cloud applications by substituting private data with secure ‘tokens’ as traffic leaves the corporate network and moves across the Internet to the cloud application servers. In this manner, private data never leaves the corporate location, thus making it possible to comply with residency requirements and maintain compliance with the GDPR’s requirement that user data is sufficiently protected in the event that a data breach occurs, as well as the data residency requirements in the Safe Harbour Agreement and Privacy Shield.
With the EU GDPR set to come into play in 2018, don’t delay in raising the awareness of the importance of data protection and the consequences of not being compliant.
Whether or not GDPR is your catalyst for better data governance, it’s high-time that more leading organisations grasped the challenge of securing their data in a rapidly evolving cloud world.
Robert Arandjelovic, Director of Blue Coat Security Strategy at Symantec
Image source: Shutterstock/Wright Studio