6 Ways to Strengthen Your GDPR Compliance Efforts
Companies have some mistaken notions about how to comply with the new data protection and privacy regulation – and that could cost them.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltde50fc1811208231/64f0d60dbe8284ff23cbe7a2/Slide1CoverArt.jpg?width=700&auto=webp&quality=80&disable=upscale)
We've now hit the six-month mark with GDPR, and all indications show companies are taking the data protection and privacy regulation seriously. In fact, a study by TrustArc published in the summer found that 74% of those surveyed in the US, UK, and throughout the EU expected to be compliant by the end of 2018 and 93% by the end of 2019.
All good news, but there's always dirt under the rug. Companies are making some serious oversights that could hurt them down the road.
"Keep in mind that the required implementation takes time, money, resources, and energy, but organizations need to realize that the $1 million spent to enact stronger security measures may be necessary to avoid a $10 million fine," says Matt Radolec, head of security architecture and incident response at Varonis.
Another important point: Many companies think that GDPR applies mainly to customer data, but its protections also apply to their own employee data and data about their customers' customers.
"Many think that if they are a B2B company, GDPR is not for them, but that's not the case," says Enza Iannopollo, a senior analyst on Forrester's Security & Risk team.
What other points should your company keep in mind? Read on for six tips on how to improve your GDPR program.
Companies tend to overlook the need to authenticate customers when they request to be forgotten, Forrester's Iannopollo says. Remember, before a company can release data, it needs to make sure it's going to the right person. Releasing unauthorized information is the definition of a data breach. As a result, companies have to ensure their authentication and identity and access management (IAM) tools are built into the way they respond to data requests, she says. Varonis' Radolec adds that a lot of organizations spend millions of dollars on incident response and detection, but they need to deploy it through a "GDPR lens."
It's not enough for your company to delete all the data following a customer's request to be forgotten, Forrester's Iannopollo says. Under GDPR, as part of the request the customer also has the right to know with whom the data had been shared. That makes it important to coordinate with your third parties to be sure they have deleted that customer's data, as well.
Some companies have a false sense of security that regulators won't catch up with them, Forrester's Iannopollo says. The truth is that sooner or later your company is likely to face enforcement somewhere in the world. Privacy regulations similar to GDPR have passed in Brazil and in the state of California, and they are under consideration in India. Over the next few years, others could follow, so think of GDPR more as a global trend than as a one-off EU regulation. In addition, public advocacy groups such as noyb.eu are keeping regulators and companies on their toes, Varonis' Radolec adds.
Many companies tend to equate being hacked with being breached, Varonis' Radolec says. But with GDPR it's not that simple, and a hack may not always be the way to tell whether data has gotten into the wrong hands. For example, a breach also occurs when an employee shares information accidentally with the wrong people, he says. Companies should identify where they store their GDPR data and ensure that only those with a legitimate business need can access it. Organizations should also monitor for when employees appear to use GDPR information in an abnormal way or when it leaves their network. Instances such as these should be investigated to ensure the data transfers are authorized.
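The monitoring described above does not depend on spotting an intruder; it looks at who touches GDPR-scoped data and where it goes. The following is an added illustration of that idea, not code from the article or from Varonis or Forrester. The audit-event format, the user groups, the list of internal domains and the volume threshold are all assumptions made for the example, and the log lines are constructed. It flags three conditions: access by someone outside the groups with a legitimate business need, a share to an external recipient, and an unusually large volume of reads by one user within an hour.

```python
"""Flag abnormal handling of GDPR-scoped data from constructed audit events.

Added example, not code from the article or from Varonis/Forrester.
Event format, groups, internal domains and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Which groups have a legitimate business need for each data class (assumed).
AUTHORIZED = {
    "gdpr-customer": {"crm-ops", "privacy-team"},
    "gdpr-employee": {"hr", "privacy-team"},
}
# Recipient domains considered inside the organisation (assumed).
INTERNAL_DOMAINS = {"example.com"}
# Records one user may read per hour before it counts as abnormal (assumed).
BURST_THRESHOLD = 50
BURST_WINDOW = timedelta(hours=1)

# Constructed audit lines in an assumed format:
# <iso-timestamp> <user> <group> <action> <data-class> <count> [<recipient>]
SAMPLE_LOG = """\
2018-11-20T09:00:00 alice crm-ops read gdpr-customer 5
2018-11-20T09:10:00 bob marketing read gdpr-customer 3
2018-11-20T09:20:00 carol hr share gdpr-employee 1 recruiter@partner-agency.example
2018-11-20T09:30:00 alice crm-ops read gdpr-customer 30
2018-11-20T09:45:00 alice crm-ops read gdpr-customer 25
2018-11-20T11:00:00 alice crm-ops read gdpr-customer 10
2018-11-20T11:05:00 dave privacy-team share gdpr-customer 2 dpo@example.com
"""


def parse_event(line):
    """Parse one audit line into a dict (recipient is optional)."""
    parts = line.split()
    ts, user, group, action, data_class, count = parts[:6]
    recipient = parts[6] if len(parts) > 6 else None
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "group": group,
        "action": action,
        "data_class": data_class,
        "count": int(count),
        "recipient": recipient,
    }


def find_alerts(lines):
    """Return (rule, user, detail) tuples for events that need investigation."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    reads = defaultdict(list)  # user -> [(timestamp, count)] within the window

    for e in events:
        if e["data_class"] not in AUTHORIZED:
            continue  # not GDPR-scoped data; out of scope for these rules

        # Rule 1: access by a group without a legitimate business need.
        if e["group"] not in AUTHORIZED[e["data_class"]]:
            alerts.append(("unauthorized-access", e["user"], e["data_class"]))

        # Rule 2: data leaving the network via a share to an external domain.
        if e["action"] == "share" and e["recipient"]:
            domain = e["recipient"].rsplit("@", 1)[-1]
            if domain not in INTERNAL_DOMAINS:
                alerts.append(("external-share", e["user"], e["recipient"]))

        # Rule 3: abnormal read volume by one user inside a sliding window.
        if e["action"] == "read":
            window = reads[e["user"]]
            window.append((e["ts"], e["count"]))
            while window and e["ts"] - window[0][0] > BURST_WINDOW:
                window.pop(0)  # drop reads older than the window
            total = sum(c for _, c in window)
            if total > BURST_THRESHOLD:
                alerts.append(("bulk-read", e["user"], total))
                window.clear()  # one alert per burst, then start counting again

    return alerts


if __name__ == "__main__":
    for rule, user, detail in find_alerts(SAMPLE_LOG.splitlines()):
        print(f"{rule}: {user} ({detail})")
```

Run against the constructed log, the detector raises three alerts: bob (marketing) reading customer data he has no business need for, carol sharing employee data with an outside recipient, and alice reading 60 customer records within an hour. None of those events involves an attacker, which is the point: each one is a potential breach under GDPR and warrants a check that the access or transfer was authorized.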