On May 25, the European Union’s General Data Protection Regulation (GDPR) goes into effect. The transformative new law is expected to have a profound impact on how businesses the world over collect, manage, and defend their data. But while companies have had more than two years to prepare for the ground-breaking legislation – passed in late 2015 – many organizations that will be impacted most by the new rules are still blind to some of the basics.
For starters, despite being drafted and enforced by the European Commission, the GDPR represents the first global mandate on data protection. That's because in the age of big data and widespread connectivity, almost every business today is global in scope and data-driven to some extent. Consequently, there are few companies that won’t need to adjust their policies over the next few months.
Better Late than Never
Where to begin? Bearing in mind that almost all businesses will be touched by the legislation, security teams the world over can start with this three-pronged approach:
Step 1: Assess and audit your data posture
Incremental changes to an existing operational structure can be costlier than reevaluating your approach to data collection and storage from the top-down. Businesses should know where and how they are storing data, if it is encrypted, and if the encryption keys are stored appropriately. Businesses should do this now while they still have time rather than making “knee-jerk” changes once GDPR is active.
If your company isn't already implementing audit trails to keep track of where the larger business stands on compliance, this should be your first step. Audit trails assure that no one is resting on their laurels by giving teams necessary “checks-and-balances” in the lead up to the May deadline. These records can be used to hold individuals across the organization accountable, and to assure that they are meeting deadlines by creating a paper trail of activity. IT can reference these trails incrementally in the weeks leading up to the GDPR deadline to get a pulse-check on the overall status of the transition.
Step 2: Re-evaluate systems and technology
Many existing information security systems will need to be restructured or reconsidered to comply with the new GDPR standard. Organizations that rely solely on next-generation firewalls, for instance, won’t be putting enough protections around user data to adequately block theft on the way out. Even proprietary encryption techniques designed by an organization’s IT team may not be as robust as the latest industry standards once compliance becomes an issue. Businesses should look to source technologies built for modern distributed mobile environments, where data can be stored and accessed in a multitude of ways. Solutions that find, encrypt and/or anonymize PII data could become crucial for limiting GDPR fines after a data breach.
Reporting and monitoring of traffic and the exchange of data should also be automated and easy-to-access – not to mention easy-to-use – since staff at various levels of the corporate totem pole with varied technical expertise will be accessing this information to assure GDPR.
Step 3: Align business goals across the organization
Data collection and storage policies need to be transparent across the business to assure that proper checks and balances are in place. Historically, this knowledge only tends to fall on IT and security administrators, but given the high-stakes of noncompliance with GDPR, the burden needs to fall on all employees across the organization. GDPR gives businesses the opportunity to replace legacy processes that had presented communication challenges in the past. Since adhering to GDPR requires buy-in across the organization, issues that were once relegated to dark corners of the company should be top-of-mind throughout.
Hopefully, bearing these approaches in mind and viewing GDPR as an opportunity – not a burden – will set organizations for success as the May 25th deadline for compliance approaches.