Cyber attacks are consistently making headlines, impacting businesses and individuals alike as hackers look to steal sensitive data and make a quick payday. Techniques are becoming more sophisticated to avoid detection, convince users to download malicious files and extort businesses into paying to restore their data. The breaches over the years have taught individual users and business leaders many lessons, but organizations must prepare for the potential threats of the future. According to research by PricewaterhouseCoopers, cyber criminals are increasing their use of phishing scams and are even compromising mobile devices to access more sensitive areas inside company networks.
Everyone within an organization is responsible for protecting customer and business data, but the results of security efforts vary. As safeguarding becomes more of a priority, government bodies are creating their own rules to ensure that every company handling personal data meets a minimum standard. The European Union adopted the General Data Protection Regulation in 2016, and it becomes enforceable on May 25, 2018. It applies to any organization that processes the personal data of people in the EU, whether or not the organization itself is based there. Let’s take a closer look at the GDPR and how it will impact businesses outside the EU.
Rules and consequences of GDPR
The GDPR includes provisions for protecting the personal data and privacy of individuals in the 28 EU member states, and regulates the transfer of personal data outside the EU. Companies may only store and process personal data on a lawful basis (consent is the one most often discussed, but it is not the only one), must tell people what the data is used for, and cannot hold it for longer than is necessary for that purpose. Individuals have the right to receive their data in a portable form so it can be moved to another provider, and to have it erased on request when there is no longer a lawful reason to keep it. GDPR also makes breach notification mandatory: a breach that puts individuals’ rights at risk must be reported to the supervisory authority within 72 hours of discovery, and affected individuals must be told when the risk to them is high.
GDPR also sharpens the responsibilities of the parties handling personal data. A controller is the organization that decides why and how personal data is processed; it must make sure that any processor it uses, such as an outside contractor or cloud provider, offers sufficient guarantees and works under a written contract that spells out the processor’s obligations. A processor handles data on the controller’s behalf and, for the first time, carries direct obligations and liability of its own, so it can be fined for a breach caused by its failings. Finally, organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, as well as public authorities, must appoint a data protection officer to oversee the data protection strategy and GDPR compliance; other organizations may appoint one voluntarily.
Waiting could cost you
Meeting these requirements will likely require a large investment and a rethink of current business practices. Companies must be able to show compliance by May 25, 2018. For the most serious infringements, the GDPR allows penalties of up to 20 million Euro or 4 percent of global annual turnover, whichever is higher; a lower tier of up to 10 million Euro or 2 percent applies to other obligations, such as failing to keep records of processing or to notify a breach.
Such steep fines put organizations in a tough position. A majority of U.S.-based companies expect to spend between $1 million and $10 million to meet GDPR requirements, and 9 percent think they will spend more than that, CSO Online reported. The legislation heavily changes the way customers’ personal data is stored, processed and protected, but it deliberately does not prescribe specific controls: it requires “appropriate” technical and organizational measures, judged against the state of the art, the cost of implementation and the risk to individuals. That leaves regulators considerable discretion when assessing fines for data breaches and non-compliance, adding to an already challenging situation.
Organizations tend to take a “wait and see” approach, watching how rules are enforced before deciding on a response. In fact, 50 percent of companies affected by the GDPR won’t be in full compliance by the deadline, according to Gartner. While a reactive approach may have worked in the past, passivity here risks heavy compliance fines and lost business. Companies need to be ready for GDPR from day one. Entrepreneur contributor Patrick Lastennet noted that taking pre-emptive action to protect data can help win more business in Europe. GDPR should be presented internally as a set of best practices for reducing risk, so that the coordination and effort it needs are in place from the beginning rather than assembled under pressure.
Steps to take now
GDPR is a major change, but U.S. organizations can’t just Brexit themselves out of this situation. In fact, it could put them at a competitive disadvantage if they don’t comply. Instead, business leaders must take definitive action now to meet the compliance deadline and make their infrastructure safe for personal data from all customers.
First of all, it will be necessary to audit the data your company handles. Finding out what data you have, where you have it and why you have it is the basis for deciding how long each kind of information must be kept and what process is used to delete it. For example, patient records and financial records are typically subject to different retention periods, and each must be tied to the purpose that justifies keeping it. InformationWeek contributor Martin James noted that a database solution can provide a single view of your data, giving full visibility. Such a system can also be used to schedule data deletion when a retention period expires, to act on erasure requests, and to flag unusual access to personal data.
Leaders will also need to rework consent and disclosure forms for their customers. Keeping the approach consistent for all consumers will help the organization keep up with evolving regulations and track individual preferences. Where consent is the lawful basis, it must be specific to each purpose, so data subjects need to agree separately to uses such as profiling or analytics rather than to a single blanket statement, and they must be able to withdraw that consent as easily as they gave it. Being transparent about where the data is going and what it’s being used for will be essential for earning those approvals and building stronger relationships with consumers.
When auditing your own capabilities, it’s also necessary to evaluate third-party providers and their service level agreements. Third-party weaknesses were the root cause of some of the biggest attacks, including the Target breach, which began with credentials stolen from a vendor. Under GDPR you may only hand EU personal data to processors that can give sufficient guarantees of compliance, and only under a contract that sets out their obligations; using a provider that cannot demonstrate this exposes you to fines as the controller. Seek out vendors that commit to the necessary level of security and can show evidence of it.
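The audit step above is easier to reason about with a concrete model of the “what, where and why” view it describes. The following Python script is an added example written for this article, not code from the original post or from any product it mentions. It builds a small inventory over a few constructed records from three hypothetical systems, tags the fields that look like personal data, applies per-category retention periods (the periods and category names are placeholders, not legal guidance) and handles an erasure request for one data subject.

```python
import re
from datetime import date, timedelta

# Hypothetical retention periods per data category, in days. These are
# placeholders for illustration; real periods come from the legal basis and
# business need documented for each processing activity.
RETENTION_DAYS = {
    "billing": 7 * 365,
    "marketing": 365,
    "support": 2 * 365,
}

# Constructed reference date for the retention check (the GDPR deadline).
REFERENCE_DATE = date(2018, 5, 25)

# Heuristics for spotting personal data in free-form field values.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")
KNOWN_PERSONAL_FIELDS = {"name", "email", "phone", "address"}

# Constructed sample records, as if pulled from three systems into one view.
RECORDS = [
    {"id": 1, "system": "crm", "category": "marketing", "collected": "2016-01-10",
     "purpose": "newsletter",
     "fields": {"name": "Ana Lopez", "email": "ana@example.org"}},
    {"id": 2, "system": "erp", "category": "billing", "collected": "2015-06-01",
     "purpose": "invoicing",
     "fields": {"email": "ana@example.org", "invoice_ref": "INV-2015-0042"}},
    {"id": 3, "system": "helpdesk", "category": "support", "collected": "2017-11-03",
     "purpose": "ticket handling",
     "fields": {"ticket": "T-42", "contact": "+49 30 1234567"}},
    {"id": 4, "system": "crm", "category": "marketing", "collected": "2018-03-01",
     "purpose": "newsletter",
     "fields": {"email": "bo@example.net", "notes": "prefers sms"}},
]


def classify_fields(fields):
    """Return the names of fields that hold personal data.

    A field counts if its name is a known personal-data field or if its
    value looks like an e-mail address or phone number.
    """
    personal = set()
    for name, value in fields.items():
        if name in KNOWN_PERSONAL_FIELDS:
            personal.add(name)
        elif isinstance(value, str) and (EMAIL_RE.search(value) or PHONE_RE.search(value)):
            personal.add(name)
    return personal


def inventory(records):
    """Build the 'what, where, why' view: one row per record."""
    return [
        {"id": r["id"], "where": r["system"], "why": r["purpose"],
         "what": sorted(classify_fields(r["fields"]))}
        for r in records
    ]


def past_retention(record, today):
    """True if the record is older than its category's retention period."""
    limit = timedelta(days=RETENTION_DAYS[record["category"]])
    collected = date.fromisoformat(record["collected"])
    return today - collected > limit


def due_for_deletion(records, today):
    """IDs of records whose retention period has expired and can be purged."""
    return [r["id"] for r in records if past_retention(r, today)]


def erase_subject(records, email):
    """Honour an erasure request: drop every record that references the e-mail.

    Returns (remaining records, IDs of erased records). A real system would
    also propagate this to backups and to any processor holding copies.
    """
    keep, erased = [], []
    for r in records:
        if any(v == email for v in r["fields"].values()):
            erased.append(r["id"])
        else:
            keep.append(r)
    return keep, erased


if __name__ == "__main__":
    for row in inventory(RECORDS):
        print(row)
    print("due for deletion:", due_for_deletion(RECORDS, REFERENCE_DATE))
    remaining, gone = erase_subject(RECORDS, "ana@example.org")
    print("erased on request:", gone, "remaining:", [r["id"] for r in remaining])
```

Note that record 1 is both past its marketing retention period and the subject of the erasure request: a deletion schedule and an erasure workflow are separate triggers, and both have to be able to find the same record across every system that holds it, which is exactly what the single inventory view is for.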
“Consider making GDPR standards the standard for your company around the globe,” James wrote. “Improved data efficiency, better data protection, better relations and trust with customers – all of these things have the potential to push your company to the forefront and better secure you against future pain of data breaches.”
GDPR could be the first step in a new era of cyber requirements. To learn more about how to protect your systems and meet the “State of the Art Security” compliance effectively, take a look at Trend Micro’s guide to GDPR.