Over the past 12 months, I’ve heard the word “compliance” thrown around quite a bit. From ISO to General Data Protection Regulation (GDPR), compliance is now at the forefront of many organisations strategic requirements and is. is now recognised at board level, highlighted in many cases by the consequences (being fined) for not maintaining compliance.
One thing to remember is that it’s not always an IT problem. I don’t know how many times I have walked into a meeting and been asked by a customer what do they need to buy. Take GDPR, for example. Out of 107 actions, only eight can be fixed by a purchasable IT solution. The rest is policy-driven, and this is where it gets complicated. Although compliance is not an IT issue, IT is often crucial for you to stay compliant, you need to make sure you have technology in place to ensure that you adhere to the policies you have in place.
For this article, I am going to focus on one of the hot topics of conversation when it comes to compliance. The new European Union General Data Protection Regulation (GDPR). For many, this is a word that either causes confusion or panic. Please don’t panic! Don’t burrow your head in the sand. Talk to the experts! I may not be an expert when it comes to compliance, but over the last twelve months, I have learned a lot from listening and talking to partners and customers about their experiences. One of the big concerns I hear about repeatedly is how good are my foundations. Where does your business stand today in line with the new regulation? You must make sure you can clearly define or find the information you need to start. From hardware inventory, current security vulnerabilities, firewall policy and more important classification of your data. It is fine to have all these tools to monitor and protect against security threats and data breaches. However, if you don’t understand your data and how you use it you will struggle to understand and meet the GDPR requirements. But what I have also learnt from industry experts, is that it’s not just knowing what data you have but ask yourself the question why do I have this data? And understand your policies around it.
So, let’s take it back a step for anyone reading about GDPR for the first time.
The EU GDPR goes into effect May 25, 2018. It applies to all organisations processing the personal data of EU residents. The regulation will introduce a new way for organisations to handle data protection and it will be enforced fairly. The penalties for non-compliance of GDPR can be up to 20 million euros or four percent of company’s annual turnover. In addition, data subjects get a right to claim for compensation against an organisation under GDPR. But when Talking with the ICO one of the things they think will be the biggest penalty they can give is not money but stopping your ability to process data! How would your company cope with that?
It is important to remember that a data breach isn’t necessarily black and white. You could have all the security and encryption layers you want, but you may still be breached from either an external intrusion or an internal intrusion. What has become clear to me is that you need to have a clear audit trail of data throughout the business, from tracking user activity to change control activities and everything in between. The reason this is important is that part of the GDPR regulation requires that you declare to the ICO (In the UK) or equivalent any data breaches within 72 hours. Having an audit trail that proves that you have adhered to all policies and procedures may help reduce any penalties imposed on your company.
Let’s stop and think about the IT elements for a moment. It’s all well and good that you can provide the audit trail once you have been breached, but what elements do you need to think about when you’re trying to prevent a breach? It’s not as simple as just encrypting everything. You should make sure you keep your internal system up to date with the latest patches, so make sure you have a good patch manager in place to monitor servers, end-user devices, etc. One of the other elements you need to keep an eye on is your firewall management. Make sure that this is correctly patched, and, more importantly, that all policies are adhered to and implemented.
As I said at the beginning, I am not an expert on compliance, but these are thoughts and ideas I have picked up on over the past year. So, here’s my call to action for anyone reading this: Make sure you understand your data, and remember that the hard part isn’t becoming compliant; it’s the challenge of staying there.
If your interested in hearing from a Data privacy expert have a listen to the podcast below;
@Techstringy Podcast – keep-it-to-yourself-the-data-privacy-challenge-sheila-fitzpatrick-ep53