The General Data Protection Regulation (GDPR) applies from 25 May 2018. Its aims are broad: to make the digital marketplace a more secure place for consumers - with new safeguards to ensure the confidentiality and integrity of personal data.
It also means new responsibilities for businesses. Short-term, the priority should be on ensuring your data processing and security framework is aligned to the requirements set out in the legislation. Longer-term, remember that GDPR readiness isn't a one-off tick-box exercise: from regular testing of your controls through to careful choice of products and service partners, compliance should be a standing priority.
At-a-glance: the big changes ushered in by GDPR
- Privacy by design. Whether you are launching a new customer portal - or simply tinkering with your dispatch process, customer data privacy needs to be hardwired into your business processes.
- The right to be forgotten and data portability. This may involve updating your internal procedures so customers are able to readily access their rights, including the right to data erasure.
- The requirement on the part of certain organisations to appoint a data protection officer (DPO).
- A new reporting requirement. For the first time, GDPR ushers in a Europe-wide reporting regime for personal data breaches. Broadly, organisations will be required to report security incidents involving the compromise, loss or unauthorised disclosure of personal data to the relevant supervisory authority (e.g. the ICO (Information Commissioner's Office) in the UK) within 72 hours of becoming aware of the incident, unless the breach is unlikely to result in a risk to the individuals concerned. Where the risk to individuals is high, the affected individuals must also be informed without undue delay.
- A new fine regime. For the most severe breaches, the upper limit is EUR 20 million or 4% of the offending organisation's worldwide annual turnover, whichever is higher. For failing to implement "appropriate" technical and organisational protective measures - and for failing to report breaches - there's a maximum fine of EUR 10 million or 2% of turnover, whichever is higher.
The ICO’s 12-step guide, Preparing for GDPR is a natural starting point for any organisation about to embark on GDPR readiness.
Staying on the right side of the regulator
The new fine regime with its harsh upper limits should be enough in itself to focus the mind of any CEO on compliance. That said, some perspective is useful: it’s worth remembering that a security breach will not in itself lead to a fine. Rather, GDPR is concerned with the circumstances of that breach - and your response to it. The stronger your story, and the more robust your systems, the less chance there is of ever facing sanctions.
So let’s say you spot a breach and report it to the ICO. What happens next will depend largely on your answers to the following questions:
- Did you have detection and response measures in place that took account of the "state of the art" as part of your strategy? Were these "appropriate" to the particular data risks your organisation is faced with?
- Do you regularly test, assess and evaluate the effectiveness of those measures - for example through penetration testing and incident-response exercises?
- Were you able to identify, contain, report and rectify the breach in a timely manner?
As GDPR approaches, businesses need to look carefully at their infrastructure and how it is supported. The focus should be on how effectively it enables you to answer those key questions.
Security and visibility
If 'visibility' isn't so far part of your security lexicon, then it should be. If you cannot monitor and react to what is happening across your IT estate, you are likely to be faced with multiple pitfalls; from an inability to identify breaches in the first place - right through to being unable to furnish the ICO with logs and forensic records if it needs to complete an audit or investigation. Retaining reliable, tamper-evident logs is what lets you establish when you became aware of a breach, what data was affected and how quickly you responded.
So you’d be right to prioritise security in preparation for GDPR - but don’t neglect information management and your reporting capabilities.