Halloween may be over, but fears surrounding the GDPR continue to lurk in the shadows.
To quote British mathematician Clive Humby, “data is the new oil” – but the days of regarding data as a universally beneficial business asset may come to an end on May 25th 2018.
In just seven months’ time, the EU’s General Data Protection Regulation (GDPR) will come into force. Under the GDPR, businesses must pay far closer attention to the data they’re collecting, where it’s stored and how it’s secured. SecureData have chosen this as one of the main issues at this year’s UK CyberSecurity Summit.
Today, businesses are used to capitalising on data. From identifying new market opportunities, to enhancing the customer experience, data has become a driving force behind much corporate innovation. However, the inherent value of data has also created an information ‘gold rush’, with organisations gathering and storing as much as possible.
As a result, information pertaining to customers, partners and employees is often filed away and forgotten. Under the GDPR, as Trend Micro’s Rik Ferguson has said, “organisations will finally start to think about what data they are collecting, for which purposes and how long they are storing it for, instead of the old default of ‘grab as much as you can, it may come in handy in future’”.
The end of file and forget
Once the GDPR comes into force, poorly organised data silos could become a toxic business liability. Certainly, the GDPR’s record-breaking and far-reaching fines, up to €20 million or 4% of worldwide annual turnover, whichever is higher, are well documented. While no one knows precisely how the Information Commissioner’s Office will apply these penalties, the fines do firmly underline the need for robust data protection ‘by design’. However, that’s not the end of the data story.
The GDPR puts individuals back in control of their personal data, and broadens the definition of what counts as personal data (the regulation’s term for what this article calls personally identifiable information). If an organisation holds such information on an EU citizen, that individual retains rights over it. Consent is only one of the lawful bases the GDPR recognises for processing, but where an organisation relies on it, the individual can withdraw it at any time; and individuals also have a ‘right to be forgotten’, the right to erasure. As a result, organisations must be able to locate, access and remove personal information upon request – and without ‘undue delay’.
This is no small challenge. A decade of digital transformation has shattered the traditional on-premise data centre, spreading information across multiple cloud platforms, connected devices and more. To quote one of the four big UK banks anonymously, “we know where all our data is, unfortunately we have no idea what it is”. With the GDPR just seven months away, this is not an uncommon story for businesses across Europe and around the world. Most organisations now have an average of 10GB of unstructured data per employee, almost a tenth of which is personally identifiable information.
Alongside these challenges, businesses will also need to demonstrate that robust, accountable controls are in place to govern who can access personal data. Data controllers will be expected to carefully vet data processors, while processors themselves become directly liable for breaches for the first time. Documenting these data protection procedures and breach investigations will be essential too: businesses will need to produce this evidence if a complaint is made or a regulator asks.
The opportunity in adversity
While better securing personal data is a challenge, it’s also not enough; businesses must harness the potential of data to deliver unquestionable value to customers, partners and employees. Ultimately, this should create mutual benefits: as organisations derive greater value from data – for instance, by offering tailored products or services – customers will be willing to share more information that helps further streamline the business and boost the bottom-line.
In the post-GDPR world, the ability to orchestrate and control data effectively will become a real competitive advantage. Organisations can use today’s compliance challenge as an opportunity to harness the power of data more effectively, for instance through agile and accessible data loss prevention and classification solutions.
The GDPR isn’t simply a motivation for businesses to improve security; it’s a motivation for security that improves businesses. With that in mind, here are our top five recommendations for how every organisation should prepare in the run up to the GDPR. All of these areas will be covered in detail at our UK Cybersecurity Summit on the 8th November:
1. Start consultancy and planning: Determine whether your organisation is ‘adequately protected’ given the data it manages, holds and processes. You need to undergo a data discovery process to understand your exposure to personally identifiable information and estimate your level of risk. This should also include an assessment of the controls and processes surrounding any unstructured data and how they can be improved, in conjunction with a partner like Varonis.
2. Undergo a security assessment: To comply with GDPR, your organisation must understand what data it holds, where it is and whether it’s effectively protected. With a formal and systematic assessment of your entire security posture, we can identify and seal any gaps.
3. Implement point protection: We can help you implement and manage security defences to keep data better defended – from next-generation firewalls and intrusion detection systems, to sophisticated data loss prevention solutions.
4. Enable advanced threat detection: To protect your sensitive data in real-time you need the ability to detect anomalous behaviour, zero-day threats and other risks missed by traditional security solutions.
5. Develop a mature incident response: The GDPR’s requirement to notify the supervisory authority of a notifiable personal data breach within 72 hours of becoming aware of it makes a comprehensive incident response strategy essential. We can ensure you have the people, procedures and systems in place to react swiftly to a security breach, building in contingency plans for critical systems.
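What the data discovery in step 1 looks like in practice, as an added example that is not SecureData’s or Varonis’s tooling: a small Python pass over a handful of constructed documents (stand-ins for a file share or mailbox export) that flags common UK identifier patterns, drops payment-card candidates that fail the Luhn check to cut false positives, and also answers the “locate” part of an erasure request from the section above. The patterns, file names and sample records are assumptions for illustration; a production classifier would cover many more identifier types and use surrounding context to score its findings.

```python
"""Minimal PII discovery pass over unstructured text.

Added example for this article, not SecureData's or Varonis's code.
It scans a set of documents (constructed in-memory samples below) for
a few UK-relevant identifier patterns, validates card-number candidates
with the Luhn check, and summarises exposure per document and per
category, which is the input a GDPR data inventory needs.
"""
from __future__ import annotations

import re
from collections import Counter

# Deliberately narrow patterns (assumed for illustration); a real
# classifier adds passports, IBANs, dates of birth and context keywords.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK National Insurance number: two letters, six digits, suffix A-D.
    # The letter class excludes D, F, I, Q, U and V, which are never issued.
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    # UK phone number in national (leading 0) or +44 form.
    "uk_phone": re.compile(r"(?:\+44\s?|\b0)\d{2,4}[\s-]?\d{3}[\s-]?\d{3,4}\b"),
    # 13-19 digit runs with optional separators; confirmed by Luhn below.
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

# Constructed sample documents: fictitious people, RFC 2606 example
# domains and the well-known 4111... test card number.
SAMPLE_DOCUMENTS = {
    "hr/onboarding-2015.txt": (
        "New starter: Jane Example, NI AB123456C, mobile 07700 900123, "
        "jane.example@example.co.uk"
    ),
    "finance/refunds-q3.csv": (
        "order 88213, card 4111 1111 1111 1111, refunded to j.smith@example.org"
    ),
    "eng/build-log.txt": (
        "Build 20171101 completed in 314 s; no customer records in this share"
    ),
    "sales/leads.txt": (
        "Call +44 7700 900456 or email lead@example.com; "
        "card on file 4111 1111 1111 1112 (test)"
    ),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict[str, list[str]]:
    """Return validated matches in `text`, keyed by category."""
    found: dict[str, list[str]] = {}
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if category == "card_number":
                digits = re.sub(r"\D", "", value)
                if not luhn_ok(digits):
                    continue  # digit run that is not a plausible card number
            found.setdefault(category, []).append(value)
    return found


def scan_documents(documents: dict[str, str]) -> dict:
    """Build the exposure report a data inventory starts from."""
    per_document = {name: find_pii(text) for name, text in documents.items()}
    totals: Counter = Counter()
    for hits in per_document.values():
        for category, values in hits.items():
            totals[category] += len(values)
    documents_with_pii = sorted(name for name, hits in per_document.items() if hits)
    return {
        "per_document": per_document,
        "totals": dict(totals),
        "documents_with_pii": documents_with_pii,
    }


def locate_subject(documents: dict[str, str], identifier: str) -> list[str]:
    """Which documents mention a given identifier (first step of an erasure request)."""
    needle = identifier.lower()
    return sorted(name for name, text in documents.items() if needle in text.lower())


if __name__ == "__main__":
    report = scan_documents(SAMPLE_DOCUMENTS)
    print("totals:", report["totals"])
    print("documents holding personal data:", report["documents_with_pii"])
    print("erasure lookup:", locate_subject(SAMPLE_DOCUMENTS, "jane.example@example.co.uk"))
```

The build log is reported clean and the malformed card number in the sales file is dropped by the checksum, which is the difference between a useful inventory and a list of every digit run on the share. Run against real shares, the per-document output is what feeds a classification or DLP policy, and the lookup is what an erasure request first needs answered.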