Within the Infosec community, you cannot avoid the topic of GDPR (General Data Protection Regulation); discussion of its influence and intricacies is everywhere. Outside of the security bubble, however, there appears to be a distinct lack of interest in preparing for the new legislation that will expand the existing Data Protection Act (DPA) and define how data is processed for a generation to come.
GDPR – Compliance in the EU Report
A recent survey places the ability of companies in the UK to adequately deal with the EU’s incoming legislation in stark light, showing that while most of the 200 surveyed companies (77 percent) are familiar with the EU General Data Protection Regulation (GDPR), only 5 percent believe they are compliant with all applicable requirements less than a year before the regulation goes into effect. A further 27 percent were not confident they will be ready by the time GDPR is enforceable in May 2018.
The European Union General Data Protection Regulation (EU GDPR) goes into effect on May 25, 2018, representing a sweeping change in data privacy regulations. EU GDPR requires organisations that host data on European citizens to adhere to specific regulations that protect their personal data from being compromised. If companies suffer a data breach, they can be fined up to €20 million or 4 percent of turnover, whichever is greater.
Survey respondents were asked what challenges their company faces in becoming compliant with EU GDPR regulations. The most frequently mentioned challenge is a lack of budget (50 percent), closely followed by a lack of in-house IT expertise (48 percent) and limited understanding of the regulations (37 percent).
Data protection by design and by default
Among the many articles of GDPR, EU companies are most concerned about Article 25, ‘Data protection by design and by default’, likely because it requires significant system re-design and investment in data protection controls and processes. While the majority of those surveyed (61 percent) stated they have a formal process in place to notify authorities in the event of a data breach, only 39 percent confirmed that they always follow this process.
In terms of the enforcement of GDPR, the survey also revealed that approximately one third of EU-based companies (32 percent) expect substantial changes to their companies’ security practices and technologies to become compliant with EU GDPR policies. Moreover, a further third of organisations expect that regulators will issue a significant number of fines to companies found to be non-compliant; in contrast, 42 percent expect that only a few organisations will be fined for non-compliance.
Complying with GDPR is not straightforward
It will require detailed planning and collaboration with all the businesses and third parties in your chain, as well as an efficient, well-tested approach to breach detection. Security-as-a-Service providers can speed detection and response by drawing from huge pools of data and dedicating threat detection and analyst teams to assess potential incidents and recommend remediation, which is why many businesses are looking to extend their teams rather than hire and train new staff. The critical driver and intent of the GDPR regulation is addressing the time to detection, something that is a challenge for many. The harsh reality is that on average it takes organisations 205 days before detection, and that has to change.
24×7 security monitoring coupled with market-leading security technology and innovation is what organisations demand in order to detect more complex attacks and to reduce the chances of a cyber criminal compromising a business’s IT infrastructure and its critical applications. Additionally, gaining immediate knowledge of attacks during a breach is a challenge, and finding rapid assistance during an incident can be costly. The next big stumbling block is an effective and well-tested incident response plan: many do not have the experience to identify the key threats to detect and, worse still, lack a mature approach to containment. The final challenge is to remain audit-ready, with the ability to provide evidence to support audit and compliance without a challenging process of investigation.
Keeping Pace with GDPR
The age of hoping that breaches don’t happen is behind us; the intent of these regulations and standards is to help companies improve security, reduce the time to detection and be proactive in identifying as well as protecting their sensitive data, which is a good thing for us all.
For the 95 percent who do not see themselves as compliant, relieve the pressure! Find out where your data is, why you need it, check whether you are legally allowed to collect it and start to apply appropriate controls. Our advice is to get visibility of how people interact with your in-scope systems and their surroundings, as this will give you an early warning and put you in a good position to remediate, both from the outside, where the bad things are, and from the inside. Trust, but validate.
To find out more about GDPR, please read our “Brexit Won’t Get UK Out of General Data Protection (GDPR) Compliance” blog or watch the “Assess Your GDPR Cloud Security Readiness” webinar.