Last week the biggest change to Europe’s privacy laws in almost a generation came into force. Depending on your organization it very well might require a major new approach to data protection — even if you’re located outside the EU. Unfortunately, there’s still plenty of work to be done before the deadline: over half (54%) of global firms told KPMG recently that they aren’t prepared for the new law.
This is a vast and complex piece of legislation, but at its heart sits a very simple premise: you must be accountable for any personal data you hold on consumers and employees, transparent in how you process that data, and follow industry best practices in securing it.
As one regulator has stressed, the GDPR is no Y2K bug: compliance efforts don’t end on 25 May. That’s good news if you’ve still not made a start, but it also means that monitoring for compliance must be a continuous, ongoing activity requiring a significant investment of time and resources. This is no time for complacency.
Although there’s been plenty of noise in the cybersecurity and data protection press about the GDPR, information often stays within these circles, leading to a dangerous disconnect in awareness at a senior decision-making level. Let’s take a look at three of the biggest misconceptions about the new law.
1. We're compliant on some things — that's good enough
That is good enough, if you want to risk potentially astronomical fines. Under the new law, regulators will be able to penalize erring firms up to €20m or 4% of global annual turnover, whichever is higher. There’s no suggestion that these fines will be the norm, or that regulators will be sharpening their pencils from May 26, but the fines are there for a reason, and at some point they will run out of patience. Is that a risk you’re willing to take?
2. No-one will know that we're not compliant
This is another high-risk strategy. The truth is that data breaches today are inevitable. Sooner or later, you’re going to get hit, and when that happens the regulators will investigate closely whether you did enough to keep your customer and employee data safe and secure. For those thinking about keeping breaches quiet, think again. The GDPR introduces mandatory 72-hour breach notification laws. If you don’t report it, someone eventually will, and then you could be heading for an even bigger fine.
That’s not all. The GDPR also grants new rights to data subjects to complain about aspects of your data handling and protection. It will also enable breach victims to launch joint legal cases against organisations more easily. The bottom line is that the best way to protect your reputation is by investing in best practice security.
3. I can delegate responsibility for GDPR compliance to third-party providers
Unfortunately not: another major new stipulation of the law is that both data controller and processor (e.g. a cloud service provider) are jointly responsible in the event of a breach. The law has been designed to improve accountability, so firms cannot pass the buck down an endless supply chain. That means you have a responsibility to ensure all partners and suppliers are compliant, by updating contracts and conducting detailed audits for each.
Where Do I Start?
Knowing where to begin on compliance can be challenging. Article 32 of the GDPR is the main part of the law dealing with data security. Yet it’s pretty vague about the measures organisations should put in place, saying only that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Encryption and pseudonymization are the only technologies mentioned by name. Aside from that, the regulators expect organizations to follow best practices to prevent “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”
A recent Gartner report claimed that by 2020, at least 20% of organizations that deploy content and collaboration services will have been accused of GDPR non-compliance. So what’s the answer?
GDPR Compliance with Safe-T
That same report revealed that GDPR compliance was the number two content-collaboration priority for responding Gartner Research Circle members. Number one was implementing applications like virtual data rooms: capabilities provided by Safe-T.
In fact, Safe-T’s Software Defined Access Suite offers many of the capabilities GDPR regulators are looking for. We protect organizations from data compromise by making that data invisible. We then grant transparent access to the data only after authenticating user and device — and even then only push the requested data to that user. By blocking unauthorized access to data services, networks, and APIs in this way, Safe-T prevents data exfiltration, leakage, malware, ransomware and fraud — so no customer data can be compromised.
Beyond this, the best practices in cybersecurity demanded by the GDPR require organizations to follow strict rules on Authentication, Access Control, Encryption, Integrity, and Audit. Safe-T helps achieve compliance in every category:
- Authentication: Access to Safe-T is permitted only to authorized users with unique user IDs, and all stored passwords are encrypted.
- Access Control: Access to Safe-T is strictly controlled via granular permissions, user and group policies and more.
- Encryption: Data is encrypted in transit and at rest down to the folder level using 256-bit AES.
- Integrity: Package-level and file-level integrity checks using external tools, encryption of data transfers, and digital signature support.
- Audit: All package and file transfer activity is logged, with integration into Windows Event Viewer and SIEM solutions.
GDPR is a serious undertaking, but with the right approach, it doesn’t have to be unmanageable. Get in touch today to see how Safe-T can help.