Personal data and privacy have become a battleground, and it’s being fought on varied fronts. Amid the tug-of-war over domestic policy, a regulation will go into effect less than one year from now that many U.S. companies are still overlooking simply because they believe it applies only to the European Union.
The EU’s General Data Protection Regulation (GDPR) transcends borders. Its aim is to strengthen data protection for individuals across the region. Therefore, any company whose business touches the EU should be aware that this regulation is not only “set in stone,” but that it has teeth that can cut into bottom lines. Those that fail to comply with the GDPR, even U.S. businesses, face a fine potentially equal to 4 percent of their global revenues.
The intent of the GDPR is to ensure organizations include “privacy-by-design” in their security strategies and become more accountable to customers. Unlike in the United States, businesses currently operating in the European Union and gathering data on individuals don’t have to reveal if they have been hacked. The introduction of the GDPR is set to change all of this and bring data protection to the top of businesses’ priority lists.
So how can U.S. businesses ensure they are compliant and what steps do they need to take?
For starters, technology can help: encryption can render breached data useless to anyone not authorized to access it. Still, encryption is only as strong as the protection of the keys that unlock it, so those keys also need to be protected. To do so, businesses must focus on who is authorized to access sensitive data. The best approach is to use two-factor authentication, which requires an employee to have something more than just a code or password that can be guessed. These types of security are readily available, but need to be more widely adopted.
Next, U.S. companies should adopt a multistep formal process to protect data, much like their EU brethren. This should begin with gaining a thorough understanding of the legislation and include a compliance audit conducted against the GDPR legal framework. Once a company has a clear idea of its readiness to meet the requirements, it needs to keep a record of its efforts to comply—essentially a GDPR diary. Companies should then classify their data, understand what needs to be protected, and determine how that protection is being done. It is particularly important to identify where Personally Identifiable Information (PII) is stored, who has access to it, and who it is being shared with.
Data should be evaluated, including understanding how it’s produced and protected. As part of this, businesses should complete a Privacy Impact Assessment and a Data Protection Impact Assessment of their security policies, evaluating data life cycles from origination to destruction. Next, assess and document other risks, with the goal of finding out where the business might be vulnerable. It’s also vital to record how and when the company will address outstanding risks. It’s these actions that show a business is taking compliance and data protection seriously. The final step is remediating any potential fallout and amending and updating this process where necessary.
Below are further details on compliance areas to immediately focus upon, with some tips to get you started:
Leverage ISO 27001: This can begin to put a company on the road to GDPR compliance. Meeting its specifications for an information security management system takes an organization part of the way toward the policies and procedures the GDPR expects, encompassing the legal, physical and technical controls of a company’s information risk management processes. While this is not entirely sufficient on its own, many companies already adhere to it, so it should be leveraged.
Classify data: Understanding your data and where it is stored is critical to meeting compliance. Specifically, classifying it provides an overview of the PII a company possesses. Identifying what data you have and where it resides is not only vital to protecting the very information that raises most GDPR compliance issues; it can also assist in exposing vulnerabilities.
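To make the "classify data" and "control access" steps concrete, here is an added example (not code from the article or from Gemalto) of a small PII inventory scan. It walks a set of constructed sample data stores, flags fields that hold PII either by name or by value shape, and joins the result with a constructed access map so the output answers the three questions the article asks: where PII is stored, who can access it, and whether it is shared with an external processor. The store names, records, principals and the "external:" naming convention are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: two internal stores and one export shared with a vendor.
DATA_STORES = {
    "crm.customers": [
        {"name": "A. Example", "email": "a.example@example.org",
         "phone": "+44 20 7946 0000", "plan": "gold"},
        {"name": "B. Sample", "email": "b.sample@example.net",
         "phone": "+1 555 0100", "plan": "basic"},
    ],
    "analytics.events": [
        {"event": "login", "user_id": "u-1001", "ts": "2017-06-01T10:00:00Z"},
        {"event": "purchase", "user_id": "u-1002", "ts": "2017-06-01T10:05:00Z"},
    ],
    "exports.vendor_feed": [
        {"customer_email": "a.example@example.org", "total": 120.0},
    ],
}

# Constructed access map: store -> principals. The "external:" prefix is an
# assumed convention marking an outside data processor.
ACCESS = {
    "crm.customers": ["sales", "support"],
    "analytics.events": ["data-science"],
    "exports.vendor_feed": ["sales", "external:vendor-x"],
}

# Value-shape patterns for the PII types this toy scanner recognises.
PII_PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "phone": re.compile(r"^\+?[\d\s()-]{7,}$"),
}
# Field names that are PII by definition, regardless of the value's shape.
PII_FIELD_NAMES = {"name", "dob", "address", "national_id"}


def classify_value(field, value):
    """Return the PII type for one field/value pair, or None if not PII.
    Note the limitation: pseudonymous keys such as user_id are not caught,
    so a real inventory must also map identifiers back to the people they
    refer to rather than relying on value shape alone."""
    if field.lower() in PII_FIELD_NAMES:
        return field.lower()
    if isinstance(value, str):
        for kind, pattern in PII_PATTERNS.items():
            if pattern.match(value.strip()):
                return kind
    return None


def build_inventory(stores=DATA_STORES, access=ACCESS):
    """Map each store holding PII to the PII field types it contains, who can
    read it, and whether it leaves the organisation via an external processor."""
    inventory = {}
    for store, records in stores.items():
        kinds = defaultdict(set)
        for record in records:
            for field, value in record.items():
                kind = classify_value(field, value)
                if kind:
                    kinds[field].add(kind)
        if not kinds:
            continue  # nothing recognised as PII in this store
        principals = access.get(store, [])
        inventory[store] = {
            "pii_fields": {f: sorted(k) for f, k in kinds.items()},
            "access": principals,
            "shared_externally": any(p.startswith("external:") for p in principals),
        }
    return inventory


if __name__ == "__main__":
    for store, entry in build_inventory().items():
        print(store, entry)
```

The output is the starting point for the GDPR diary the article describes: each flagged store becomes a register entry recording the PII categories held, the principals with access, and any external sharing that needs a processor agreement. The analytics store drops out of the inventory only because the scanner does not recognise pseudonymous identifiers, which is exactly the kind of blind spot a human review of the register should catch.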
Control access: Map out who has access to sensitive data. Only by doing so will you be able to gain the control you need to ensure it’s protected and that compliance measures are being met. This should include an internal examination of employees, as well as those outside the organization, such as external data processors.
Document compliance: Companies need to keep a detailed record of compliance progress. Whether it’s a data register or a documentation road book, an organization should be able to show Data Protection Authorities a record of its efforts to comply. Even the best initiatives will be futile if an organization cannot readily prove and track how it is ensuring data protection.
Consider consent: Consent is important under GDPR and is defined as “any freely given, specific, informed, and unambiguous indication of his or her wishes by which the person, either by a statement or by a clear affirmative action, signifies agreement.” Businesses should not rely on silence or opt-outs. Instead, a process such as box-ticking should be put in place for compliance purposes. Businesses must demonstrate consent has actually been given by individuals to the processing of their personal data.
Plan for breaches: Today, it’s not a question of “if” your organization will be hacked, it’s a matter of “when.” Prepare and develop an action plan. Know that the GDPR expects breaches to be reported to the relevant supervisory authority without delay and, “where feasible,” no later than 72 hours after the data controller has become aware of them. Justification must be provided if the report isn’t made within 72 hours. Communication to the data subject must also be carried out without undue delay, but no time limit has been set for it.
Most importantly, companies need to start taking security seriously, and this means from the top down. The GDPR is still to come into effect, but businesses need to start preparing before it’s too late and they are faced with fines and a damaged reputation. By establishing a security and compliance mindset at the top of the company, it will filter down to the rest of the employees. A company’s defense is only as secure as its weakest link and, considering the reach of the Internet and the value of European markets, it’s important that U.S. executives focus on GDPR compliance now or risk staggering effects that will truly hit home.
Jason Hart is vice president and chief technology officer for data protection at Gemalto, a digital security provider.