Security breaches are already costly, not just financially but in terms of brand damage, customer dissatisfaction and downtime. For companies that do business with residents of the European Union (EU), the financial fallout from a security breach is about to get much more expensive. That's why it's imperative for organisations to get ready for GDPR now, so they're not playing catch-up. Ronald Sens, EMEA Director at A10 Networks, explains more.
What is the GDPR?
With the introduction of the General Data Protection Regulation (GDPR), the EU is enacting a set of mandatory regulations for businesses that go into effect soon, on 25th May 2018. Organisations found in non-compliance could face hefty penalties of up to 20 million euros, or 4 per cent of worldwide annual turnover, whichever is higher.
The GDPR is not applicable only to businesses in the EU; it applies to the data of all EU citizens, regardless of where that data is stored. That means if a citizen of the EU has data stored with a company inside the US, then GDPR applies.
Under the GDPR, data controllers must report a data breach to the supervising authority within 72 hours of becoming aware of the breach. From there, individuals must be notified if an adverse impact is determined, and the data processor must notify a controller without undue delay after becoming aware of a personal data breach.
Neither processors nor controllers, however, must notify data subjects if the breached data is anonymised, meaning the controller has implemented encryption and other measures to protect the data. GDPR also gives consumers and individuals more power. Article 17 of the GDPR is the 'right to erasure,' more commonly known as the 'right to be forgotten.'
Prepping for GDPR
Gartner recommends that a good starting point for GDPR prep is to create two new roles dedicated to data protection: one who acts as a contact point for the data protection authority and data subjects, and the other a data protection officer who ensures processing operations maintain compliance.
From there, companies should be proactive and transparently demonstrate accountability for all processing activities, and examine how data flows across borders within the EU and outside of it. They should also ensure they have systems in place to notify individuals and authorities should a breach occur, and to comply with the right to be forgotten should an individual ask for their data to be erased.
It's also imperative that companies have systems in place to prevent breaches in the first place. Notification is not required for breaches involving anonymised data, but companies should examine their encryption solutions to ensure their private data is and remains private.
Tools That Can Help Protect Your Data
A dedicated decryption solution can ensure encrypted traffic is decrypted for visibility and inspection in a secure decrypt zone, while companies can opt to bypass certain types of traffic that should remain encrypted and anonymised, such as personal data, as their policies dictate. That gives organisations the benefit of decryption services while still complying with GDPR.
Companies can also institute stronger identity hygiene practices to prevent attackers from breaking into networks to steal data. Simple steps like multi-factor authentication, and swiftly deactivating expired employee accounts, can help ensure access is only granted to authorised personnel.
Analytics solutions can help by enabling companies to quickly and accurately detect security anomalies. Understanding how applications are performing in real time, and their security posture, could alert an organisation in the event of a breach or an attempted data theft.