By Jean S. Bozman
The worldwide nature of security threats and attacks has transformed the cybersecurity discussion from a U.S.-centric view to a global view of threats, data protection and data integrity. Case in point: the imminent start of the European Union’s General Data Protection Regulation (GDPR) enforcement on May 25, 2018 will affect all organizations interacting with European entities and individuals.
U.S.-based companies must comply with GDPR if they process or store data about EU citizens – or face fines of up to 4 percent of annual worldwide revenue. Security and compliance executives at the RSA Conference 2018 in San Francisco (April 16-19, 2018) were still working to understand the full implications of the GDPR rules.
Key Requirements of GDPR
GDPR affects all companies doing business with EU countries and EU citizens. Therefore, GDPR is a top concern for all multinational companies that have data relating to European entities.
Key provisions are:
- Protecting data associated with identity and access authorization.
- Meeting EU regulations regarding the geographic location of data resources.
- Assuring protection of data whenever and wherever it is replicated, via the cloud, for availability purposes.
- Enforcing the Right to Erasure, also known as the “right to be forgotten” provision of GDPR. This refers to opt-out requests that shield private data from distribution.
- Complying with all GDPR rules and regulations. Fines for non-compliance can be as much as 4 percent of a company’s worldwide revenue, although lesser fines will likely be imposed, especially in the early months of GDPR enforcement.
- Ensuring that data audits can be done to certify GDPR compliance.
Preparing for GDPR is a lengthy process, with multiple steps along the way to ensure data discovery and data protection throughout a company’s data resources. As one speaker, Derek Case of Uber, said in his RSA session: “May 25 is the beginning [of GDPR compliance], not the end.”
Comprehensive Data Protection
GDPR plans must be comprehensive, including a formal review of all corporate initiatives relating to data protection, user identity and user privacy. There should be an overall blueprint for the GDPR plan, and a “gap assessment” to identify areas where data protection is not already in compliance.
Roles must be assigned to those implementing GDPR requirements: people within the business should be identified as the owners of the data, responsible for its content and distribution. Policies, and implementation of the final plan via best practices, are essential to the success of an organization’s master plan for GDPR.
GDPR plans will not work without executive buy-in and approval, budget for ensuring GDPR compliance, and training for IT. The rules themselves must be operationalized, to ensure that workflows support the GDPR policies. Business managers and legal personnel must be part of the effort, as legal adherence to GDPR is required to pass audits.
Cloud Security Alliance (CSA) Discussions About GDPR
CISOs from large companies, along with security vendors, speaking at the Cloud Security Alliance (CSA) all-day seminar at RSA emphasized the importance of completing GDPR readiness. CSA speakers included AT&T, the federal GSA (General Services Administration), Humana, Monsanto, Sallie Mae and Turner, among others, who spoke on many aspects of cloud security and data protection.
The key GDPR point that was driven home at the CSA event: if the data regarding European entities and citizens is discoverable, and is subject to audits, then the company that stores that data is responsible for its safe use. That applies no matter where the data resides – on-premises or off-premises.
Businesses today may underestimate the extent to which their corporate data have European content – and now they must find it, and protect it – and be able to prove that they have done so.
Organizations – large, medium and small – may still be unprepared for GDPR rules to be enforced. Executives from large companies, speaking at RSA, had some advice for these unprepared organizations, including:
- Complete the discovery phase of your GDPR initiative. Be sure to identify archived data and inactive data, since a future GDPR audit would identify it as well.
- Coordinate across IT teams, and across business units, to make sure you have operationalized your GDPR-readiness efforts.
- Partner with vendors and services companies that can help you review your checklist items for the GDPR era.
- Review the Right to be Forgotten provision of GDPR, to see how it would affect your customer lists and future processing of European Union citizens’ data.
- Begin an ongoing review cycle within your organization, to keep GDPR compliance up-to-date, with the knowledge that failure to comply could bring substantial fines.
The bottom line for the GDPR discussion is this: what may have seemed like a far-off concern one or two years ago is now dramatically relevant to business operations, from June 2018 onwards. If companies have not done their discovery and identification efforts, they must do so now. Because of the large amounts of data involved, both active and archived, many companies will likely have to accelerate their GDPR compliance efforts now, affecting all future data protection for their organizations.