CTO Insights: The General Data Protection Regulation (GDPR) Is Coming, What Now?
Based on the incidents we saw in 2016, I recommend that organizations enter 2017 with caution. From the growth of Business Email Compromise (BEC) attacks to cybercriminals using more effective ways to exploit Internet of Things (IoT) devices, these security issues should serve as a reminder for businesses and individuals to be more vigilant. One of the most pressing matters that a lot of organizations need to pay attention to, however, is the forthcoming General Data Protection Regulation (GDPR). The new set of rules is designed to harmonize data protection across all EU member states and bring in a number of key components that will directly impact businesses—even businesses outside Europe.
What should you expect?
Much has been said about the GDPR, but what is the most realistic data protection design for organizations? This might be the one of the questions you need to ask yourself as a business. My answer to that would be only collect what you need to collect. How much personal information do you really need to collect? For example, a customer’s birthday might not be pertinent to your business—so you must get rid of it. If you have an existing collection of data that is not needed to do business, then you need to redesign the database and forget other fields. During the transition period until May 2018, when GDPR will be in effect, organizations have to prepare to be compliant. Here are some of the common compliance issues your company could face:
Penalties and fines – the GDPR maintains that non-compliance or violations could cost companies up to 5% of global turnover, or €100 million, in penalties
Data Breach Notification – the new regulation will require companies to disclose data breaches within 21-72 hours
Right to erasure – to stress my statement earlier, only collect what you need to collect. This means companies have to delete personal data and any related links if they no longer find it accurate or relevant to the business
Right to information and transparency – customers should have the right to opt out and have a very clear understanding of what you do and how you store their personal data.
In Trend Micro’s 2017 Security Predictions, we said that the GDPR is expected to raise administrative costs, but the extent will really depend on what the companies are doing at the moment. Most European companies are already bound by local regulations within the countries, so adapting to the GDPR should not be so difficult because some of them already have even stricter rules. However, in other countries, especially where businesses store customer data for marketing purposes, they will need to do a complete redesign of their database to comply with the GDPR.
Companies should factor in the penalties and fines for non-compliance. In TalkTalk’s case, where it was hit with a record £400,000 fine for not having proper website security, it would have been millions if it was under the GDPR. So companies should be taking their data protection practices more seriously especially with the impending regulation.
Companies in Europe are worried regarding the implementation costs and companies in the US believe that they will pay fines because they cannot comply. I predict that in 2018, companies who do not comply will not only suffer penalties but could risk going to jail as well—which could lead to serious implications on your business’s reputation. Consequently, I expect small law firms to make money by finding customers who can testify against non-compliant businesses and sue them.
Is two years enough to prepare? It should be because companies already know that it is coming, as GDPR was adopted in April 2016 and it has been under discussion in the European Parliament for five years, organizations must already be aware and act on their compliance strategies as early as now. While the GDPR could be burdensome for many companies, it’s not all doom and gloom. It will still ultimately teach companies to apply better security practices on data handling, which will increase customer trust and enhance technological neutrality.
Here’s what you can do to prepare:
Know where your data is stored – just as the Data Protection Act dictates “personal data should be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.” In keeping with the GDPR, this means that you should not hold more information than you need for that purpose.
Use well-established security controls – re-assess security policies and invest in a provider that can offer encryption of data in the cloud, network security, advanced anti-malware, IDS/IPS virtual patching and data loss prevention.
Appoint a Data Protection Officer (DPO) if you are an enterprise – in line with the GDPR requirements, you might have to seek legal advice to determine if your company should hire a DPO or not. If you are an enterprise and not an SMB, you are most likely to need one. A DPO would help the IT department and the board to improve data protection processes and security.
From the looks of it, many companies both in and outside Europe will have a tough time adhering to these new regulations. As such, companies should acknowledge these changes, think fast, and act now!