GDPR, or General Data Protection Regulation, is months away from implementation. In May 2018, organizations that do business within the European Union will have to follow strict data privacy laws or face millions of dollars in fines, but American companies are woefully unprepared.
According to a Bitdefender study, being GDPR noncompliant can mean negative publicity, damage to a company's reputation, and penalties that can total up to 4 percent of a company's global annual revenue. The new requirements include that data be protected adequately and that, when breaches do occur, organizations have notification capabilities in place that align with GDPR standards -- but most companies still lack efficient security shields. The majority of those surveyed recognize that they must do a better job at securing endpoints and hybrid and public clouds in order to keep consumers' private data safe.
Are you ready for GDPR? Here is a look at what organizations are doing or should be thinking about, as well as specific tips, to be in compliance by the deadline.
Why GDPR Is Happening
The E.U. had what’s known as the Data Protection Directive, which was, for the most part, very similar to GDPR, explained Bonnie Page, general counsel at Smarsh. However, the original directive did not include the massive penalties that GDPR includes, and there was very little enforcement. That’s all changing under GDPR. “The risk of getting caught is much higher and penalties if caught are steep. Most companies I speak with are undergoing some form of GDPR project planning now to meet the May deadline,” said Page.
Readiness Depends on Your Industry
A McAfee study found that 86 percent of international business professionals believe their organization has either a “good” or “complete understanding” of GDPR. However, it is large companies and those within certain industries that have the best understanding. For example, only 8 percent of those in the health care industry don’t understand what GDPR is, compared to over a quarter of public sector organizations who are caught unaware. Also, those with the highest level of understanding have been preparing for more than 24 months.
Who Should Be Preparing for GDPR?
“Any organization, no matter where they are located or headquartered in the world, who collects or processes personal data about someone living in the European Union needs to comply with the GDPR,” said Kevin Conklin, VP of Product Marketing at Ipswitch. “Even if you do not collect the information, if the data exists or is somehow processed in your information infrastructure (on-premises or in the cloud), you need to comply. Penalties are severe for non-compliance and several high-profile organizations in the U.S. have already been fined for breach of previous EU data regulations.”
How Are Preparations Going?
Organizations are starting to implement security risk assessments to ensure the appropriate design and implementation of controls and risk, explained Rohit Ghai, president of RSA. “An effective risk assessment process accelerates the identification of the linkage between risks and internal controls, reducing compliance gaps and improving risk mitigation strategies, while also giving companies a game plan for improving their cyber posture.”
What's Holding Companies Back?
The top challenge is a lack of understanding of what needs to be done -- and as a result, organizations are struck by paralysis and denial. “I’ve asked rooms full of privacy professionals how many of them have read the GDPR, and only a few hands went up,” said Gant Redmon, program director, Cyber Security and Privacy, IBM Resilient. “You can't understand something unless you read it. To overcome this, those leading their organization’s GDPR efforts must start understanding the regulation and taking steps to ensure organizational compliance.”
What Steps Should Be Taken to Be Ready?
Three pillars must be addressed to keep your company out of the unprepared group, said Tim Krause of SHI International. They are:
Data management: To allow for easy search and location of personal data, your organization needs data management solutions that drive information governance.
Security: Data loss prevention products are imperative in helping your business identify where personal data is located and how it is being used. Firewall, endpoint protection, and advanced threat protection products will all help prevent costly breaches of data.
Process: To ensure EU citizens’ data is handled properly, you will need to change or implement new processes. It will definitely involve additional staff training, internal audits, and review of your internal HR procedures.
Wait and See Approach
When HIPAA and other regulations with financial penalties were enacted, many organizations waited to see what kind of fines would be levied for not being in compliance and to see if the regulations were real or just a threat. Nathan Wenzler, chief security strategist at AsTech, thinks this may be the case with GDPR. “I'm expecting to see many companies take this same approach this time around, which could end up being disastrous considering the sizable amount the fines can be for GDPR violations.”
Getting the Right Staff Positions on Board
Who will be handling GDPR for your company? “Executive management will be responsible for ensuring that an organization meets its legal obligations to implement the GDPR’s requirements,” said Steve Durbin, managing director of the Information Security Forum. Durbin advised that a Data Protection Officer (DPO) should be designated to act as a focal point for ongoing data protection activities. “An organization’s governance functions, including information security, legal, records management and audit should ensure they are familiar with the requirements of the GDPR and have the necessary people, processes and technical solutions in place to achieve compliance.”
Learning Your Data
The first major step to complying with GDPR is to understand the data the organization holds, according to Chris Purrington, global sales director at Cohesive Networks and managing director of Cohesive Networks UK. Multiple departments will likely hold lists of personal information, such as email lists for marketing, human resources’ personnel files, and so on. Understanding what you must protect is the first step to protecting it. “Specifically, IT teams can ease into GDPR with better monitoring and management. Automating any part of network scanning, log analysis, and compliance tracking can speed up time to compliance.”
The Need for Audits
Hire an outside auditor to review your data and processes, suggested David Ratcliff, managing director of Vendemore. “Bringing in an outside expert now will give you time to fix any issues before time runs out.”
Know Your Vendors
Your company isn’t the only one touching your data, and if one of your vendors has an incident that results in a breach, you are the one in trouble. For that reason, said Greg Hoffer, VP of Engineering with Globalscape, vendors should approach GDPR readiness with a collaborative and comprehensive data management strategy. “Such a strategy should include elements like data mapping to track data where it is, where it’s headed and how it gets there; secure infrastructure that protects data at all points at rest and in motion; tight systems integration in order to minimize the chance for technical glitches or where data may be invisible to IT; process automation that minimizes the opportunity for operator error to put data at risk; and auditing and reporting controls to provide visibility into all of the above, with appropriate alerts when something is out of compliance (or suspected of being out of compliance).”
Using the Right Platform
Utilize a platform that makes finding and removing subscribers’ personal information easy, said EJ McGowan from Campaigner. “The new regulation gives subscribers the right to remove themselves permanently from any company’s database. By having a platform that allows marketers to easily find subscribers, companies can meet subscribers’ wishes and GDPR regulations.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba