Companies of all sizes need to keep their data safe for a number of reasons: competitive advantage; customer retention and satisfaction; legal requirements and audit mandates. In creating GDPR, EU lawmakers took a new step in data security requirements, looking at the security of organisations’ data from another perspective – consumers.
The GDPR was passed into European Union (EU) law to give citizens within the EU better control over when their personal information is collected and how it can be used. The EU has passed consumer data protection laws before, but GDPR – for the first time – includes significant financial penalties if organisations fail to protect that collected data.
With less than a year left to become compliant (by April 2018), this regulation affects any organisation that does business within the European Union (EU) and collects Personally Identifiable Information (PII) from EU citizens, regardless of where its headquarters may be located. The law also comes with steep consequences if an organisation is found to be non-compliant: penalties can be up to 4% of a corporation’s global annual revenue or €20 million (whichever is greater).
If an organisation has been diligent in addressing existing regulations, including PCI DSS (payment card data), HIPAA (medical records and other personal health information in the US), SOX (protection from accounting errors and fraudulent practices in the enterprise) or one of the many EU country-specific data protection laws, there may already be a good foundation in place.
However, some organisations may have more to consider given the ramifications of GDPR, especially since GDPR supersedes existing regulations, including the European Union Data Protection Directive. Complicating matters is that GDPR is not a one-size-fits-all regulation. In fact, it is unique in that it increases an organisation’s obligations as the opportunity for risk grows. For example, organisations with more than 250 employees will need to adhere to more stringent rules than those with fewer than 250 employees.
GDPR also requires material changes to how and where organisations store customer data and, more importantly, how they grant access to that data to employees, contractors and business partners. Additionally, it mandates that organisations report any data breach involving customer data within 72 hours of that breach occurring. This requires existing security models to evolve from focusing on preventing data breaches at the network layer to detecting and remediating events in real time.
For many years, enterprises have focused on securing the network perimeter as a means of protecting the applications and data that reside within it. However, with a growing number of data breaches occurring owing to compromised credentials, malicious insider behaviour and the proliferation of sensitive data being saved in unsanctioned locations, organisations are realising that the way to mitigate these risks is to implement tight governance of the identities – employees, contractors, partners, etc. – within their organisation, whilst also controlling the data, applications and systems those identities are allowed to access. As organisations adopt these stronger governance controls, they will find themselves better positioned to address the forthcoming GDPR requirements.