This week on our blog, we have a guest post from Rob Bickmore, Principal Security Consultant at NTT Security.
NTT Security is taking part in Cyber Security Month and, in this blog post, I’ll be exploring the campaign’s theme ‘Governance, Privacy & Data Protection’ and in particular the General Data Protection Regulation (GDPR), which will come into effect on 25th May 2018, imposing stricter privacy and security rules.
The countdown to compliance has begun, but do you know if and how the GDPR will affect you?
The GDPR is the EU’s new set of data protection rules, and it applies to any business holding personally identifiable information or sensitive data on EU citizens. It is the most far-reaching set of regulations yet, giving individuals unprecedented rights over their data and how organisations process it.
Under the GDPR, people may demand that copies of information held about them be transferred to third party organisations in a commonly used, machine-readable format. They may complain about how organisations are using their information, impose restrictions on its use, and even request its deletion.
In dealing with customers, businesses face rigorous new requirements if their basis for processing relies upon the data subject’s consent, and must also follow data breach notification rules. Those not sticking to the GDPR’s requirements face fines of up to €20 million or 4% of global annual turnover.
As a regulation rather than a directive, the GDPR doesn’t need to be enacted in national law, but member states are doing it anyway. The UK is drafting a bill to replace the existing Data Protection Act and bring its law in line with the GDPR principles, in advance of its predicted exit from the EU. This would help the UK maintain a legal framework in line with Europe’s, making it easier to exchange data between UK organisations and those inside the EU. Germany has also signed its new GDPR-friendly Federal Data Protection Act into law.
Unfortunately, NTT Security’s 2017 Risk:Value report shows that many companies are not ready for the GDPR. We interviewed 1,350 businesses across the globe to understand their approach to cybersecurity. Across the board, awareness was low. In the US, just a quarter of businesses understood the GDPR would affect them. Things were not much better in the Asia-Pacific region, where 26% of businesses in Australia were aware, 29% in Hong Kong, and just a third of respondents in Singapore.
UK businesses were among the least prepared for the GDPR in Europe. Only 39% of them acknowledged the new regulations as a compliance issue.
What’s clear is that businesses need to find out what the GDPR means for them, and what their priorities should be. There is no grace period for the GDPR.
Are you ready? Here are some tips on how to prepare:
- Begin with the right mindset – The GDPR is driving accountability rather than compliance. It is not enough to see what you can get away with from a legal compliance perspective. Engage the right people to drive your project, creating a cross-disciplinary team that will follow the spirit of the GDPR rules rather than adopting a ‘least effort’ approach.
- Know your data – Begin by understanding the data (particularly big data) you’re accountable for, and what you use it for. Understand its effect on privacy. Ask yourself how your data is stored, and whether that storage is secure enough for its level of sensitivity. Create a clear picture of the data’s storage location and who has access to it. This will be crucial when satisfying customer requests to reproduce, amend or remove the information you hold about them.
- Put data protection in your DNA – The GDPR mandates that organisations apply the principle of data protection by design and by default, meaning they must design and maintain their systems and processes to protect data, rather than adding those protections as an afterthought. The Regulation suggests several techniques to support the protection of data by default. These include encrypting data to prevent unauthorised people from accessing it.
- Review third-party contracts – Anyone processing your data, from a cloud service provider to a contact call centre company, must meet a maturity level that you deem appropriate when it comes to the GDPR’s security principles. These include data protection by design and by default, and the implementation of technical or organisational measures for data integrity and confidentiality. You must ensure their protection mechanisms align with your requirements.
- Prepare your incident response – The new regulation imposes data breach notification rules on organisations, many of which will not have experienced such rules before. Data controllers must report all breaches to regulators within 72 hours of becoming aware of them. If the breaches are severe enough, they must notify customers too. The same applies to third-party processors, who must report breaches to you, the data controller, without undue delay.
With time running out, companies must not leave their preparations to the last minute. In many cases, companies will lack the skills to handle this internally and will need expert third party support. Contact NTT Security for help and begin working to get ahead of the curve.