By Carl Leonard
With May 25, 2018 coming up fast, the date on which the European Union's General Data Protection Regulation (GDPR) becomes enforceable, many firms in the U.S. are still not prepared to meet the regulation's requirements.
GDPR applies to organizations anywhere in the world that hold or process the personal data of people in the European Union, and requires them to meet new obligations around the control, processing and protection of that data.
The regulation brings additional legal liability for a business, and the penalties for non-compliance are significant and far-reaching: administrative fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher. If the prospect of financial penalties does not drive change, then the desire to protect the privacy of client and employee personal data surely will.
The impending arrival of the deadline in May is the push that we all need to pay attention to what matters most: your data. That data is the lifeblood of your organization and represents the people in your employ who allow it to thrive as well as the lives of the customers that your business serves. The high-profile breaches of 2017 showed us all how vulnerable this data and your people truly are. If you protect the people and their privacy, you can secure the organization.
It may not feel like there is a lot of time left, but it is not too late. Most organizations should by now be well on the way to putting in place the processes and security measures that the regulation requires, and now is the right moment to check that you are on track as you put the last pieces of your strategy in place.
Here are the top things to do before May 25:
- Review your relationships with your suppliers and application providers. Many organizations outsource their data processing, so if your suppliers process the personal data of EU residents on your behalf, challenge their data handling practices. Are they protecting the data you ask them to process? How, and how quickly, will they notify you if they suffer a breach? GDPR requires a written contract between you and each processor that sets out these obligations, so check that your contracts actually do. Consider also that your data may be held within a cloud application. In this age of Shadow IT it is important to identify unsanctioned cloud apps in use in your business, since personal data flowing into them is still your responsibility and those providers have not been through your supplier review.
- Decide whether you need to appoint a Data Protection Officer (DPO). This person takes responsibility for data protection compliance in your organization. Appointment is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; many other organizations appoint one voluntarily. The EU's Article 29 Working Party has published helpful guidelines on DPOs.
- Consider how you might take an inventory of your data. You need to know where your data is in order to protect it. Performing an inventory exercise may well identify pockets of data that you didn’t know you had. Forcepoint has built a guide called “The Need To Inventory Personal Data” to identify solutions that will help in this endeavor.
- Evaluate how well you have mapped your data flows. GDPR expects organizations to understand not only where data is stored, but also where data is being used and transmitted. Our helpful “Data Flow Mapping and Control” guide references the regulation text and offers some tips.
- Should the inevitable happen, you need to detect, respond to and recover from the breach within tight time constraints. GDPR requires you to notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk to individuals is high, you must also inform the affected people. That clock is hard to meet without detection and escalation processes already in place. This “Detect & Respond to a Data Incident” guide explains how the NIST Cybersecurity Framework can point you in the right direction.
These reminders are not exhaustive. Your Supervisory Authority will likely have many guides that you can act upon. The IAPP GDPR Quick Guide is a great starting place to get the need-to-know information that impacts your business.
GDPR and similar regulations prompt organizations to enhance their data control, processing and protection measures. Whether you are in the UK, France, Australia or the United States, embrace GDPR not only because you have to, but because you want to.
About Carl Leonard
Carl Leonard is a Principal Security Analyst within Forcepoint’s Security Labs team where he is responsible for enhancing threat protection and threat monitoring technologies, in collaboration with the company’s global Security Labs teams.