Reinforcing cybersecurity for GDPR compliance requires regular monitoring and assessment of the processes, control methodologies and mitigation strategies in place for managing information security risks. Threats keep intensifying as determined attackers find new ways to penetrate defenses that have not changed since they were deployed. To complicate matters further, companies keep expanding their attack surface as they add new technology to their IT infrastructure in pursuit of better business performance.
The EU’s General Data Protection Regulation (GDPR), in force since 25 May 2018, raises the regulatory bar for the security of personal data. GDPR is, in effect, a business risk in its own right, because it places stringent requirements on the handling of personal data belonging to individuals in the EU. Regardless of where a company is located, if it processes such data it must handle it in the prescribed manner, and it bears the responsibility of notifying the competent supervisory authority (in the UK, the Information Commissioner’s Office) within 72 hours of becoming aware of a personal data breach.
Organizations that fail to comply face potentially business-threatening financial penalties of up to 20 million euros or 4 percent of total worldwide annual turnover, whichever is higher. Designed to harmonize data privacy and data protection across Europe, GDPR also creates challenges few organizations anticipated: attackers who discover non-compliance can threaten to report it to the authorities, and a competitor could engage criminals to break into a rival’s systems in order to frame it for non-compliance.
The GDPR requirements demand a sea change in how operations support data privacy. More than a year after the regulation took effect on 25 May 2018, businesses are finding it increasingly difficult to meet its requirements for effective data security policies and processes, and to fill the relevant roles with employees who have adequate skills and experience.
According to the GDPR Small Business Survey of 716 small business leaders, a majority of small and medium-sized businesses are still not in compliance with the GDPR.
Separate research by a cloud data integration solutions provider (the Talend study cited below) found that some 70% of businesses worldwide failed to answer requests from individuals seeking a copy of their personal data within the one-month time limit the regulation sets. The findings are based on personal data requests made to 103 companies based or operating in Europe across a range of industries.
“GDPR requires insight into company data and its governance,” said Penny Jones, Research Director at 451 Research. “Recent research, including that done by Talend and separate reports by 451 Research, has found that while many organizations understand the importance of GDPR, many are still not taking their data seriously in terms of the technologies and processes they have in place. As a result, many businesses are falling short of their GDPR obligations. They can lack the proper methods for storing, organizing or retrieving data in line with the regulation’s requirements.”
There is no doubt that GDPR has ushered in a new era of consumer information management, one in which only organizations with robust preparation and disciplined execution will stand tall. For everyone else, initiating and consistently following a few steps will help.
Retain control and understand the regulation: Reinforcing your cybersecurity framework starts with retaining control of your organization’s existing security posture. The arrival of a new regulation does not make your existing processes obsolete or mean they must be thrown out. Focus first on a thorough understanding of the key requirements: establishing a lawful basis (such as consent) before collecting personal data, implementing appropriate technical and organizational security measures, and notifying the supervisory authority, and affected individuals where the breach is likely to result in a high risk to them, in the event of a personal data breach.
Review and refine existing policies and processes: Reviewing your existing policies against the GDPR’s data management requirements will give you a fresh perspective, which in turn will help you refine your processes in line with the regulation.
Encryption-led infrastructure protection and beyond: Focus on securing all devices and endpoints, because criminals are constantly looking for a weakness to exploit, even a momentary lapse. Adopt robust practices that eliminate as many vulnerabilities as possible, such as a layered data security strategy in which every device has more than one line of defense. GDPR is big on encryption: Article 32 names pseudonymisation and encryption of personal data as examples of appropriate security measures, and under Article 34 a controller is relieved of the duty to notify affected individuals of a breach if the data was rendered unintelligible, for example by encryption, to anyone not authorized to access it. Encryption of personal data, with keys managed separately from the data, should therefore be the centerpiece of your data security strategy. But you cannot leave everything to encryption. Focus on the human side of technology use and ensure adequate employee training on secure practices.
Establish key roles: GDPR assigns responsibilities to distinct roles, and you need to know which ones apply to your organization. The data controller is the entity that determines the purposes and means of processing personal data; it decides what personally identifiable information (PII) is processed and why. The data processor is an entity that processes personal data on the controller’s behalf and under its instructions. Both must implement appropriate security measures. Where the regulation requires it (public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), a data protection officer (DPO) must be appointed; the DPO informs and advises the organization, monitors its compliance, helps build a risk-aware culture, and serves as the point of contact for the supervisory authority and for data subjects.
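The encryption step above is easier to get right with a concrete pattern in front of you. The following Go program is an added example, not code from the article: it protects individual personal-data fields with AES-256-GCM, binds each ciphertext to its field name so a sealed value cannot be moved between columns, and derives a keyed pseudonym (HMAC-SHA256) that lets records be indexed or joined without storing the raw identifier. The keys are generated in-process only for illustration; in a real deployment they would come from a KMS or HSM, separate from the data store. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const keySize = 32 // AES-256 / HMAC-SHA256 key length in bytes

// NewKey returns a fresh random 256-bit key. In production this would be
// fetched from a KMS/HSM rather than generated next to the data.
func NewKey() ([]byte, error) {
	k := make([]byte, keySize)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one field value under key. The field name is passed as
// associated data, so a ciphertext stored in "email" will not decrypt if it is
// later presented as "phone". Output layout: nonce || ciphertext || tag.
func EncryptField(key []byte, field string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(field)), nil
}

// DecryptField reverses EncryptField. A wrong key, a wrong field name or any
// modification of the stored blob produces an error, never garbage plaintext.
func DecryptField(key []byte, field string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(field))
}

// Pseudonym returns a deterministic keyed token for value (hex-encoded
// HMAC-SHA256). Use a key separate from the encryption key; without the key
// the token cannot be reversed or linked back to the person.
func Pseudonym(tokenKey []byte, value string) string {
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	dek, err := NewKey() // data-encryption key (assumed to come from a KMS)
	if err != nil {
		panic(err)
	}
	tokenKey, err := NewKey() // separate key for pseudonyms
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real personal data.
	record := map[string]string{"email": "alice@example.com", "phone": "+44 20 7946 0000"}
	for field, val := range record {
		blob, err := EncryptField(dek, field, []byte(val))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-5s ciphertext=%s... token=%s...\n",
			field, hex.EncodeToString(blob[:8]), Pseudonym(tokenKey, val)[:16])
	}
}
```

Binding the field name as associated data is the detail most ad-hoc implementations miss: without it an attacker with write access to the database can swap encrypted values between columns or rows and the application will happily decrypt them. Keeping the pseudonym key separate from the data-encryption key means a leak of the token table alone does not weaken the ciphertexts.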
All of this points to the need for a comprehensive strategy that combines GDPR regulatory compliance with robust cybersecurity practices and policies. Implementing such a strategy effectively will allow businesses to reinforce their security framework against a new generation of threats and to operate sustainably in the GDPR era.