No? If so, you’re not alone.
The European Union’s General Data Protection Regulation (GDPR) applies from 25 May 2018. GDPR requires organisations to put in place an appropriate governance framework whenever they collect and process personal data, and it gives individuals (data subjects) enforceable rights over their data.
To put it simply, this regulation changes the rules for every business that handles personal data. At its heart is the idea that privacy is a fundamental right. To honour that principle, organisations large and small must change the way they manage their own data and their customers’ data by implementing data protection by design and by default (Article 25).
Under the GDPR, failing to implement appropriate security measures (Article 32), or failing to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33), can attract fines of up to €10 million or 2% of global annual turnover, whichever is higher; infringements of the basic processing principles and of data subjects’ rights fall into the higher tier of up to €20 million or 4%. Where a fine lands within those ranges depends on the nature of the breach and its impact on the privacy of the data subjects and their information. Two points practitioners often miss: the 72-hour clock starts when you become aware of the breach, not when the attacker first got in, and where the breach is likely to result in a high risk to individuals you must also tell the affected data subjects without undue delay (Article 34).
Reading the ENISA Threat Landscape 2016 report makes it clear that organisations’ attack surface keeps growing. Employees carry their devices everywhere, and the rising uptake of BYOD and home working has stretched the security perimeter well beyond the organisation’s physical boundaries, leaving that perimeter a soft target for cyber criminals.
I remember a recent conversation where a customer was reassuring himself by saying “Who would launch a DDoS attack against us?” That customer ended up falling victim anyway, even without being openly attacked. Today, it no longer matters if you’re directly targeted or not; you can easily experience collateral damage from someone else under attack.
So my question for you is: how can you be sure your organisation has the right security framework in place to safeguard against a breach?
Here I propose a list of 8 recommendations and steps you should consider taking to strengthen data governance and be GDPR compliant in 2018 and beyond:
- Initiate/update your governance framework with board awareness, management statement, risk register and accountability.
- Understand the GDPR and how to comply with it: launch a data inventory to establish where your data is, how it flows across your organisation, how personal or confidential it is, how it must be protected, and who the controllers and processors of it are.
- Appoint (or nominate) and train a data protection officer. A DPO is mandatory under Article 37 for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special-category data; for everyone else it is still good practice to give someone that responsibility.
- Launch a technical and compliance gap analysis: initiate a cyber threat assessment to measure your real threat exposure. Knowing which systems and which data are exposed limits the potential damage and tells you in advance what would have to be reported, and to whom, if a breach occurred.
- Remediate, strengthen weak links in the data chain and monitor: enforce your network security with policies, an automated security architecture and threat detection services that streamline risk detection and mitigation, at every point in the supply chain where access to data is needed. Working with managed security service providers (MSSPs) or security operations centre service providers is a pragmatic option if you are working under a tight budget and lack skilled security professionals, but it is not a silver bullet: outsourcing the monitoring does not outsource the accountability, and you remain the controller in the eyes of the regulator.
- Implement a data breach response process: agree in writing, with your MSSP for instance, who detects, who assesses the risk to data subjects, who notifies the supervisory authority within the 72-hour window and the affected individuals where required, and who keeps the record. Article 33(5) requires you to document every breach, including those you decide not to report, so the process needs a register as well as a playbook.
- Implement a security and privacy compliance framework: for example ISO 27001 or Cyber Essentials Plus across your business, scoped above all to cover the data flows your inventory identified.
- Audit and continually improve: run vulnerability scans and penetration tests regularly to confirm your estate is correctly maintained and patched (patch management), retest after remediation, and repeat risk assessments across your defined scope.
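The data inventory in the second recommendation is the step most organisations find hardest to start, because nobody knows which fields in which stores actually hold personal data. As an added example (this is not code from the original post, and the store names, field names, sample values and controller/processor mapping are all constructed for illustration), the script below runs a first-pass personal-data discovery over a handful of data stores, classifies fields by value pattern and by field name, flags Article 9 special-category data, and produces a register that also lists stores that hold personal data but have no recorded controller or processor.

```python
"""
Added example (not from the original post): a minimal personal-data discovery
pass over constructed sample data stores, producing an inventory register that
records where personal data lives, what category it is and who is responsible
for it. Every store, field, value and owner below is constructed.
"""
import re

# Value-based detectors: regexes that recognise common personal-data formats.
VALUE_PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "uk_phone": re.compile(r"^(?:\+44|0)7\d{9}$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "date_of_birth": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}

# Name-based detectors: field names that usually hold personal data even
# when the values themselves are free text.
NAME_HINTS = {
    "name": ("first_name", "last_name", "full_name", "surname"),
    "postal_address": ("address", "postcode", "street"),
}

# GDPR Article 9 special-category data needs explicit flagging.
SPECIAL_CATEGORY_HINTS = ("health", "diagnosis", "religion", "ethnicity", "union")


def classify_field(name, values):
    """Return (category, special) for a field, or (None, False) if not personal."""
    lname = name.lower()
    if any(h in lname for h in SPECIAL_CATEGORY_HINTS):
        return "special_category", True
    for category, hints in NAME_HINTS.items():
        if any(h in lname for h in hints):
            return category, False
    non_empty = [v for v in values if v]
    if not non_empty:
        return None, False
    for category, pattern in VALUE_PATTERNS.items():
        # Require a clear majority of values to match so a single stray
        # e-mail address in a comment field does not tag the whole column.
        matches = sum(1 for v in non_empty if pattern.match(str(v).strip()))
        if matches / len(non_empty) >= 0.8:
            return category, False
    return None, False


def build_inventory(stores, owners):
    """
    stores: {store_name: {field_name: [sample values]}}
    owners: {store_name: {"controller": ..., "processor": ...}}
    Returns one register row per field found to hold personal data.
    """
    register = []
    for store, fields in stores.items():
        for field, values in fields.items():
            category, special = classify_field(field, values)
            if category is None:
                continue
            owner = owners.get(store, {})
            register.append({
                "store": store,
                "field": field,
                "category": category,
                "special_category": special,
                "controller": owner.get("controller", "UNKNOWN"),
                "processor": owner.get("processor", "UNKNOWN"),
            })
    return register


def unowned_stores(register):
    """Stores holding personal data with no recorded controller or processor."""
    return sorted({r["store"] for r in register
                   if "UNKNOWN" in (r["controller"], r["processor"])})


# Constructed sample: three data stores as an inventory might enumerate them.
SAMPLE_STORES = {
    "crm.customers": {
        "customer_id": ["C1001", "C1002", "C1003"],
        "full_name": ["Ana Silva", "Ben Okoro", "Cai Wen"],
        "email": ["ana@example.org", "ben@example.org", "cai@example.org"],
        "mobile": ["07700900123", "07700900456", "07700900789"],
        "plan": ["basic", "pro", "pro"],
    },
    "web.access_logs": {
        "client_ip": ["203.0.113.7", "198.51.100.22", "203.0.113.9"],
        "path": ["/login", "/account", "/logout"],
    },
    "hr.staff_records": {
        "staff_no": ["S1", "S2"],
        "date_of_birth": ["1985-03-12", "1990-11-30"],
        "health_notes": ["none", "asthma"],
    },
}

SAMPLE_OWNERS = {
    "crm.customers": {"controller": "Example Ltd", "processor": "CRM SaaS vendor"},
    "hr.staff_records": {"controller": "Example Ltd", "processor": "Example Ltd"},
    # web.access_logs deliberately has no owner recorded.
}

if __name__ == "__main__":
    rows = build_inventory(SAMPLE_STORES, SAMPLE_OWNERS)
    for r in rows:
        flag = " [SPECIAL CATEGORY]" if r["special_category"] else ""
        print(f'{r["store"]}.{r["field"]}: {r["category"]}{flag} '
              f'(controller={r["controller"]}, processor={r["processor"]})')
    print("Stores needing an owner:", unowned_stores(rows))
```

Two design choices matter here. Client IP addresses in web logs are treated as personal data, because under the GDPR they are; teams routinely leave log stores out of their inventory for exactly that reason. And the majority threshold on value matching keeps the register honest: it is better to miss a column and review it by hand than to produce a register full of false positives that nobody trusts.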