2017: GDPR Readiness Takes Priority


With 2017 well and truly in full swing, Forsythe have made some predictions for the year that they think are well worth preparing for. Alongside things like the Internet of Things (IoT), ransomware, cloud security and automated security, top of their focus list is the upcoming GDPR. Take a look at why they believe “General Data Protection Regulation Readiness Takes Priority”:

The Challenge

The passing of a new European Union (EU) data protection framework — the General Data Protection Regulation, or GDPR — is having a tremendous impact on enterprises that collect data on Europeans. The May 25, 2018 compliance deadline, which from an IT planning and management perspective is right around the corner, has U.S. organizations scrambling. According to PwC, 77 percent of U.S. multinational companies are planning to spend $1 million or more on GDPR readiness this year, and 68 percent are earmarking between $1 million and $10 million.*

Key GDPR Mandates

• Scope: Any company that markets goods or services to EU residents may be viewed as subject to the GDPR, regardless of whether the company is located or uses equipment in the EU.

• Fines: Companies that violate certain provisions, such as the basic processing principles or the rules relating to cross-border data transfers, may face fines amounting to four percent of the company’s annual gross revenue. Two percent fines will apply to other violations, such as failure to meet the breach notification requirement. These fines may not sound significant, but could translate into millions of dollars for large companies that violate the GDPR.

• Right to be Forgotten: A “right to erasure,” also known as the right to be forgotten, gives a data subject the right to order a data controller/organization to erase any of their personal data in certain situations. Data controllers will be required to erase personal data “without undue delay” when the data is no longer necessary in relation to the purposes for which it was gathered or processed in the first place.

• Data Protection Officer: Companies whose “core activities” involve large-scale processing of special categories of data — defined as information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health or sexual orientation — will need to designate a data protection officer. Even if companies do not collect this information from customers, they may collect some of it from employees for human resources purposes and, therefore, may need to meet this requirement.

• Breach Notification: A single data breach notification requirement is applicable across the EU. The rule requires data controllers to notify the appropriate supervisory authority of a personal data breach within 72 hours of learning about it.

What Organizations Can Do

If your organization is invested in Europe and you haven’t started preparing for GDPR, you’re behind. Companies looking to maintain a European presence should assess their overall data protection capabilities to identify gaps and compliance risks. Security program, data protection and compliance assessments can help to evaluate current tools, policies and overall security practices, and adapt them to meet specific requirements.

The development and/or maturation of a data-centric security program is invaluable not only to GDPR readiness, but to all data protection and data privacy efforts. Key aspects of data-centric security that are critical to GDPR readiness are data discovery and data classification. Many organizations don’t even know where their sensitive information is, which makes it extremely difficult to comply with GDPR requirements such as the right to be forgotten.

Data discovery tools provide visibility into the location, volume, context and risk associated with sensitive, unstructured data across the enterprise — both on-premises and in the cloud. Data classification tools can be used to improve the treatment and handling of sensitive data and promote a culture of security that helps to enforce data governance policies and prevent inadvertent disclosure. Classification metadata can be ingested by data loss prevention (DLP), encryption and other security solutions to determine which information is sensitive and how it should be protected.
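The paragraphs above describe the pipeline in the abstract: discover where personal data lives, attach a classification label, and let DLP or encryption controls act on that label. The Python below is an added illustration of that pipeline, not code from Forsythe or from any discovery or DLP product. The detector patterns, the label names, the policy in `dlp_action` and the sample corpus (three constructed "files" with fictional content) are all assumptions made for the example; a real scanner would use validated detectors (IBAN checksums, NER for names) and a far richer policy. It also shows why discovery matters for the right to be forgotten: once every location holding a subject's identifier is known, an erasure request has a concrete target list.

```python
"""Data discovery -> classification -> policy enforcement, as an added example.

Everything here is constructed for illustration: the sample corpus, the
detector patterns, the label scheme and the DLP policy are assumptions, not
the behaviour of any vendor's product.
"""
import re
from dataclasses import dataclass, field

# Simplified detectors for personal data the GDPR covers. A production
# scanner would validate (e.g. IBAN check digits) rather than pattern-match.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    # Health data is a GDPR "special category"; these keywords stand in for
    # a proper medical-terms detector.
    "health": re.compile(r"\b(?:diagnosis|blood type|medical record)\b", re.I),
}

# Ordered label scheme (assumed): special-category data ranks highest.
LABEL_RANK = {"public": 0, "internal": 1, "personal": 2, "special-category": 3}

# Constructed stand-ins for files found on an SMB share and in a cloud bucket.
SAMPLE_CORPUS = {
    "smb://fileserver/hr/onboarding.txt":
        "New starter Anna Example, anna@example.eu, IBAN DE89370400440532013000 "
        "for payroll. Blood type: O negative (medical record on file).",
    "s3://marketing-bucket/newsletter.csv":
        "email\nanna@example.eu\nbob@example.com\n",
    "smb://fileserver/it/runbook.txt":
        "Restart the batch job nightly at 02:00; escalate to on-call if it fails.",
}


@dataclass
class Finding:
    """One discovered location with its label and per-detector hit counts."""
    location: str
    label: str
    hits: dict = field(default_factory=dict)


def classify(text):
    """Return (label, hits) for a document based on which detectors fire."""
    hits = {name: len(p.findall(text)) for name, p in DETECTORS.items()}
    hits = {name: n for name, n in hits.items() if n}
    if "health" in hits:
        return "special-category", hits
    if hits:
        return "personal", hits
    return "internal", hits


def discover(corpus):
    """Scan every location in the corpus and produce one Finding per location."""
    return [Finding(loc, *classify(text)) for loc, text in corpus.items()]


def inventory(findings):
    """Group locations by label: the 'where is our sensitive data' answer."""
    summary = {}
    for f in findings:
        summary.setdefault(f.label, []).append(f.location)
    return summary


def dlp_action(label, destination):
    """Decide what a DLP control does with labelled data bound for a destination.

    'external' means outside the organisation. The policy is an assumption:
    block special-category data, encrypt other personal data, allow the rest.
    """
    rank = LABEL_RANK[label]
    if destination == "external" and rank >= LABEL_RANK["special-category"]:
        return "block"
    if destination == "external" and rank >= LABEL_RANK["personal"]:
        return "encrypt"
    return "allow"


def locations_for_subject(corpus, identifier):
    """Right-to-erasure support: every location holding a subject's identifier."""
    return [loc for loc, text in corpus.items() if identifier in text]


if __name__ == "__main__":
    found = discover(SAMPLE_CORPUS)
    for f in found:
        print(f"{f.label:17} {f.location}  {f.hits}")
    print("inventory:", inventory(found))
    print("erasure targets for anna@example.eu:",
          locations_for_subject(SAMPLE_CORPUS, "anna@example.eu"))
    print("send HR file externally ->", dlp_action(found[0].label, "external"))
```

The label rather than the raw content is what the policy function consumes, which is the point the text makes about classification metadata being ingested by DLP and encryption tooling: the discovery step runs once and expensively, and every downstream control then reads a small, consistent tag.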

Reducing the impact of third-party risk is also essential. Organizations need to carefully monitor the GDPR readiness of partners and vendors to ensure that they have met requirements throughout their supply chain. As arduous as the new accountabilities presented by the GDPR may seem, organizations that proactively manage GDPR compliance by advancing their security can increase consumer trust, and are likely to be more resilient going forward.

You can find out how you can get GDPR ready using data classification here, and as Forsythe say, if you deal with data from EU citizens, you’re behind, so don’t delay. The rest of the Forsythe predictions can be found here in the original post.