Many American firms may not think of themselves as doing business in Europe, but every company with an online presence is potentially affected by the European Union’s General Data Protection Regulation (GDPR) and its 99 articles. GDPR will be enforced in a very short time — May 25, to be exact — and U.S. companies need to prepare fast. Failure to comply could cost a firm 20 million euros (~$25 million) or up to 4% of its annual revenue. But preparation is not cheap. A PwC survey found that more than 60% of all companies planned to spend more than $1 million in their efforts to meet the regulation.
So, what constitutes private data? How do you know if you have it? How do you even know where it is?
The gist of GDPR involves providing a reasonable level of protection for data subjects’ personally identifiable information (PII), ranging from names and social security numbers to sexual orientation and political leanings to website cookies and IP addresses. EU citizens have “the right to be forgotten,” and users can request that their personal data be deleted at any time. Most importantly, in the event of a breach, companies have 72 hours to notify authorities as well as those whose private information has been exposed. Even when it is the company’s third-party cloud provider that was hacked, the company is just as liable. What’s more, every organization needs to designate its own data protection officer (DPO) to oversee the compliance effort.
What exactly determines a “reasonable” level of protection remains to be seen. Plus, there are areas concerning retention and deletion of data that conflict with current industry regulations, increasing the likelihood of more rulings and definitions ahead. Still, according to one survey, 58% of participating American firms expect to be fined for GDPR violations. A Forrester Research survey shows EU firms are actually the most pessimistic about their compliance efforts, but fewer than 30% of all companies consider themselves fully compliant today. With so many firms admittedly unprepared, compliance requirements and their enforcement may be, at times, a work in progress.
While the industry sorts out the details on what GDPR compliance is and is not, there are actions every company can take to ensure they don’t become the poster child for GDPR noncompliance. Many of these actions are common cybersecurity best practices although, like dieting and exercise, it’s not always easy to remain disciplined and stick to a healthy regimen. But done right, it’s an opportunity to boost consumer confidence and increase operational efficiencies around how your organization protects and manages data.
Companies that can affirmatively answer the following questions will not only address GDPR compliance issues but will also greatly enhance their current security and privacy posture:
Do you know what data you possess? Are you monitoring it properly?
First and foremost, your organization needs to know what PII it’s storing and where. This includes how it might be used in non-standardized data processes within shadow IT solutions. It’s critical to monitor this data continuously, aggregating all network and system security and event log sources into a single pane of glass from which you can assess vulnerabilities, detect anomalies and investigate alerts. There can be no gaps in monitoring periods, as cyberthreats are possible 24/7, not just during business hours.