Today marks exactly one year until the General Data Protection Regulation (GDPR) applies, on 25 May 2018 – described as the “biggest overhaul of data protection regulation ever undertaken”. Organisations established in the EU, and those outside it that offer goods or services to, or monitor the behaviour of, people in the EU, will need to comply – failure to do so will expose them to fines of up to 4% of annual global turnover or €20 million, whichever is higher. Six IT industry experts have come together to give their advice on how businesses can prepare.
Don’t get caught out by fines
“GDPR has been on the radar of European countries for a while now, but we haven’t seen many organisations actively taking steps to become compliant. The legislation – due to come into effect in one year’s time – will force businesses to comply, or face crippling fines if they don’t,” says Nigel Tozer, solutions marketing director EMEA at Commvault. “GDPR is a far reaching regulation and will require considerable forward planning in order to prepare. A key example of this is the need for businesses to employ a ‘breach notification procedure’. In order to satisfy this requirement, businesses must know exactly where their data is – and where it should be – at any given time.”
But breach notification will be difficult for companies that deal with large amounts of unstructured data and a large mobile workforce. “By investing in technology that can identify, index and automatically enact policies for data based on its content, businesses can simultaneously harness the power of their data and prepare for GDPR.”
For Chuck Dubuque, VP Product Marketing at Tintri, businesses must ensure the correct storage of data in order to avoid serious fines. “Organisations that use public cloud platforms will need to understand where their data is being stored, who is accessing it and how it is being protected. One option is to move to an enterprise cloud model, one that can deliver the advantages of public cloud but with the guarantee that an organisation’s data remains within their own walls and under their own jurisdiction. We all want the agility and flexibility of the public platforms, but, as GDPR will demonstrate, we also need the control that on-premises, enterprise cloud can deliver.”
Identify where your data resides
The advice from Eduard Meelhuysen, Head of EMEA at Bitglass, is for IT departments to work closely with management to draw up a directory of procedures. “The directory should summarise how customer, personal and company data is collected and handled. Personal data includes details such as an IP address, by means of which a customer can be identified. Similarly, businesses that utilise the cloud must identify all customer data that moves to and from the cloud, and figure out how it’s protected once there. This will be things like content data that’s transferred into email cloud applications, or traffic data that’s moved by certain website analysis tools. This too should be put in the directory.”
Meelhuysen admits that identifying what data has moved and is moving to the cloud is no easy task, but adds: “it is important to ensure that all relevant managers are involved in the process and that actions are coordinated between the team. Don’t leave this until the last minute! Drawing up a directory of procedures and attempting to get customer consent on the eve of GDPR won’t work. A solid directory takes time. The in-house data protection officer required under the GDPR should therefore be appointed as soon as possible, and he/she should ideally be in charge of coordinating GDPR-related processes, to ease the burden on busy IT teams.”
Fill gaps in data monitoring
Businesses are required to implement appropriate “technical and organisational measures”, taking into account the state of the art, to ensure a level of security appropriate to the risk to individuals when handling personal data. Nir Polak, CEO of Exabeam, argues that companies should assess their existing insight into network activity and fill any gaps in data access and controls monitoring. “Though attackers continue to refine their methodologies, the GDPR mandates that organisations keep up with evolving threats by implementing suitable technologies. Businesses should aim to plug the gap between prevention and detection by establishing behavioural baselines for all users and assets. In doing so, they can detect and flag any unusual activity and improve their defences.”
Polak believes that businesses haven’t fully considered the monitoring needs of the Data Protection Officer and should do so without delay. “For the DPO, incident response times will be key, so they should look to create a central point of intelligence for forensics and reporting. This will help them both demonstrate compliance with the regulation and also quickly gather forensic details following any incident.”
Don’t leave preparations to the last minute
“This one-year mark, although getting down to the wire, still offers a useful reminder for organisations that are yet to begin their GDPR compliance journeys,” says Jake Madders, Director and co-founder of Hyve Managed Hosting. “Data protection is about to get a lot tougher and companies targeted by cyber criminals are going to need to be a lot more transparent about the extent and gravity of breaches if attacked. Working with a managed service provider (MSP) who provides a strong security offering means that companies can safeguard themselves from being targeted as well as mitigate the risk of compromised data in the event of an intrusion.”
Paul Mills, Group Sales Director at Six Degrees suggests businesses take a methodical approach to meeting GDPR requirements. “This certainly doesn’t lend itself to a last minute compliance rush or a kneejerk reaction to anything that arises. Failing to prepare for GDPR presents similar vulnerabilities to a half-hearted attempt at cyber security. In both cases, the consequences of a breach or non-compliance can be catastrophic for individuals and businesses alike. But focused preparation, attention to detail and the right guidance are crucial elements when it comes to planning an approach which will work well under pressure.”
Ultimately, businesses need to give GDPR some immediate focus, so that they reach the May 2018 deadline well prepared for an environment where data protection is on a whole new level.
Originally published on GDPR:Report