Organizations are coming to terms with the fact that complying with the EU GDPR is a necessity for doing business. With data privacy recognized as a fundamental right, GDPR requires businesses to put protections in place to safeguard personal data regardless of where it resides. Taking care of the following requirements will help businesses navigate the regulation:
- Double-check the data trail across networks and within the organization
In other words, perform a risk assessment and map where personal data actually flows. Data moves from endpoints into the data center and up to the cloud, and specific risks are introduced precisely because it flows so effortlessly between users and automated systems. Organizations need to be confident that customer records and organizational data are secure wherever and whenever they are transported or stored. Servers, desktops, laptops, USB drives and other removable media used by staff often contain highly sensitive client information, and losing that data puts the employee, the client, the company and the affected individuals at both financial and reputational risk.
- Apply data minimization rules for fulfilling business purpose
“We never throw away data,” said Jeff Bezos of Amazon, simply because one may never know when it would become useful. But times are changing, and GDPR is forcing businesses to create value with a ‘less is more’ approach. A business analyst should define what data is required for each purpose and how it is collected, because GDPR requires that collection, storage and use be limited to what is necessary for that purpose. The view that bigger is better no longer applies. With Big Data, the Cloud and IoT presenting an ever larger attack surface for loss and theft, data hoarding no longer makes a viable business case. Mechanisms to limit what is collected and to securely erase what is no longer needed not only reduce risk, they also cut the costs of storing the data.
- Educate staff on data privacy, security, and risk
The more educated and engaged employees and clients are, the more successful an organization's data security efforts become. Education and training is one of the top concerns of the information security industry and is likely to be a primary focus of organizations over the next two years. According to Verizon's 2016 Data Breach Investigations Report, about 63 percent of confirmed data breaches involved weak, default or stolen passwords, and other staff-related security mistakes remained common. Of course, organizations face an uphill struggle to make their security awareness programs work, largely because they treat awareness training as a one-off event rather than a continuous program that adapts to the risks employees actually face.
- Have a mechanism to allow EU data subjects to exercise their rights
Under GDPR, data subjects (individuals in the EU, not only citizens) have the right to access their data, to rectify or erase it, to restrict its processing, to receive it in a portable form and to object to processing. Organizations must have a mechanism in place to respond to and act on these requests without undue delay, and in general within one month. Where processing relies on consent, the mechanism should also include processes to ensure that consent is freely given, specific, informed and unambiguous with regard to the scope and consequences of data usage, and that it can be withdrawn as easily as it was given.
- Be prepared to demonstrate your policies, processes and safeguards
Organizations regularly use and reuse multiple data sets and process large volumes of data. They must have effective safeguards, controls and oversight in place, and be able to demonstrate them, to show that personal data is protected. Where the regulation requires it (public authorities, and organizations whose core activities involve large-scale monitoring or large-scale processing of special categories of data), they must also designate a Data Protection Officer to monitor compliance and act as a single point of contact both within and outside the organization; doing so is good practice even where it is not mandatory. The officer, in effect, oversees measures to safeguard personal data and to minimize its collection, processing and storage. It is also prudent to have the data handling process reviewed regularly by a governing group drawn from IT, security, business management, legal, HR and key executives. Regular reviews help identify emerging gaps and anticipate pitfalls in the process.
- Set up an emergency response and notification mechanism
The upper time limit for notifying the supervisory authority of a breach that is likely to put individuals at risk is 72 hours from becoming aware of it. Depending on the severity of the breach, you may also have to notify all affected individuals without undue delay. Remember, 72 hours is not a long time; it is therefore critical for enterprises to have their systems and processes aligned, with logging and detection that establish what happened and which data was affected, and to have safeguards in place to mitigate the damage, encryption among them. GDPR's severe penalties for a breach caused by noncompliance are widely talked about. Encryption also matters after the fact: where the breached data was rendered unintelligible to anyone without the key, the regulation does not require the affected individuals to be notified, so a robust encryption and key-management system can spare an organization much of the post-breach burden.
Remember, choosing the right data protection technology is an important consideration. Organizations need an effective data security stack that includes deception technologies, breach detection solutions and robust encryption and key management tools to protect data wherever it resides, whether on endpoints, across the datacentre or in the cloud. They should also apply techniques such as anonymization and pseudonymization to minimize the amount of directly identifying data that can be accessed, bearing in mind that pseudonymized data is still personal data under GDPR as long as the additional information needed to re-identify it exists, and that information must be kept separately and protected.
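As an added illustration of the pseudonymization point above (example code written for this page, not part of the original article or of any WinMagic product), the Python below contrasts a plain, unkeyed hash of an e-mail address with a keyed pseudonym built from HMAC-SHA256. The records, the candidate list and the key are constructed for the example; the point it makes is that an unkeyed hash of a guessable identifier can be reversed by simply hashing candidates, whereas the keyed pseudonym can only be linked back by whoever holds the key, which is the "additional information" GDPR expects to be kept separately.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "order_total": 120.50},
    {"email": "Bob@Example.com", "order_total": 42.00},
    {"email": "alice@example.com", "order_total": 8.99},
]


def _normalize(identifier: str) -> bytes:
    # Trim and lower-case so the same person always maps to the same pseudonym.
    return identifier.strip().lower().encode("utf-8")


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256. This is NOT adequate pseudonymization: anyone holding a
    list of plausible identifiers can recompute the hash and match it."""
    return hashlib.sha256(_normalize(identifier)).hexdigest()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without `key` the value cannot be linked
    back to the identifier; the key is the re-identification information that
    must be stored separately from the pseudonymized dataset."""
    return hmac.new(key, _normalize(identifier), hashlib.sha256).hexdigest()


def pseudonymize_dataset(records: list, key: bytes) -> list:
    """Replace the direct identifier with a pseudonym; keep only the fields the
    processing purpose needs (data minimization)."""
    return [
        {"subject": pseudonymize(r["email"], key), "order_total": r["order_total"]}
        for r in records
    ]


def reidentify(pseudonym: str, known_identifiers: list, key: bytes):
    """Only the key holder can do this, and only by recomputing pseudonyms for
    identifiers it already knows; the pseudonym is never computed 'backwards'."""
    lookup = {pseudonymize(i, key): i for i in known_identifiers}
    return lookup.get(pseudonym)


def brute_force_plain_hash(target: str, candidates: list):
    """Shows why plain hashing fails: hash each candidate and compare."""
    for c in candidates:
        if hmac.compare_digest(plain_hash(c), target):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated once, stored apart from the data
    dataset = pseudonymize_dataset(RECORDS, key)
    for row in dataset:
        print(row)
    # The unkeyed hash is reversed with a trivial candidate list.
    target = plain_hash("alice@example.com")
    print("plain hash recovered:", brute_force_plain_hash(target, ["bob@example.com", "alice@example.com"]))
    # The keyed pseudonym is recoverable only with the key.
    print("with key:", reidentify(dataset[0]["subject"], ["alice@example.com"], key))
    print("wrong key:", reidentify(dataset[0]["subject"], ["alice@example.com"], secrets.token_bytes(32)))
```

A practitioner would keep the HMAC key in a key manager or HSM with access separate from the analytics store, rotate it on a schedule (which also breaks linkage across epochs if that is desired), and treat the pseudonymized dataset as personal data for as long as the key exists.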
By: Rahul Kumar, Country Manager, WinMagic