Alistair Holmes, Software Sales Engineering Senior Manager at Quest.
The General Data Protection Regulation (GDPR) deadline is now under six months away and many companies are still not prepared. The new regulation impacts all organizations, in all industries and in all regions — even those outside the EU that collect and store personal information of EU citizens. However, most organizations are unclear on the extent of change required to achieve GDPR compliance, the severity of penalties for non-compliance and how changes will affect the business. A recent study by Osterman Research found that 61 percent of businesses aren’t familiar with the key provisions of GDPR and 64 percent aren’t equipped to comply with the new requirements.
As we approach the 25th May, organisations will need to gain a greater handle on where their data is stored and how it is protected, who is accessing it and how they will continue to safeguard it in the future. Many organisations are already in a transformational stage facing the intersection of on-premises and cloud infrastructures while also struggling to balance business continuity, administration, and innovation. Add GDPR on top and the seemingly endless list of business critical tasks can be difficult to prioritise. If business leaders look past the obvious measures and check their organisational blind spots, navigating the new regulatory landscape can be easier and help avoid unwanted surprises, even with the clock ticking.
GDPR blind spots: Expecting the unexpected
One of the greatest concerns for organisations preparing for GDPR is the costly fines for non-compliance. Violations, whether it’s not reporting a breach or not being able to produce requested data on demand, can result in heavy fines of up to four percent of global revenue or €20 million. The best way to ensure that doesn’t happen is to be one step ahead and look for hidden issues lurking in the background. From speaking with business leaders, Data Protection Officers (DPOs) and IT heads, there are a number of organisational blind spots that have consistently come up as they build their compliance strategies. Each of them is a useful consideration for any organisation preparing for this brave new world:
Unforeseen skills gaps: Previously, companies treated the DPO as merely an IT role that could be filled by junior associates with minimal experience and no real risk or IT expertise. Now a DPO must have experience with EU and global privacy laws, IT operations including auditing, and a level of empathy to deal with customers. And the role will have two parts. Firstly, they will have to go through an assessment to understand where an organisation is and where it needs to get to, effectively carrying out a gap analysis. Secondly, they will have to ensure the business understands the risks and then coordinate responsibilities, which might expose other talent gaps in security, data management or compliance roles.
Internal threats are greater than external: Over 70% of data breaches involve an internal employee, and that’s largely because most organisations are focused on external threats rather than internal ones. To strengthen internal security and governance, organisations must place strict controls on access to their sensitive resources to help ensure data protection. Organisations can even implement proactive controls by preventing critical changes or unauthorised access to sensitive data, and get real-time data breach alerts that notify the data protection officer and other key stakeholders immediately to avoid fines and reputational damage.
Comply in time, regulate forever: The GDPR deadline is not just a tick box where, once the business has met the criteria, the organisation is compliant forever. Companies must be able to demonstrate compliance at any time. Once data is collected, generating and distributing easy-to-read, audit-ready reports is time-consuming and complex to script. That’s why real-time auditing, in-depth forensics and comprehensive security monitoring are critical. They mean organisations are able to detect suspicious activity or unauthorised access to files or systems containing personal data and quickly determine who made what changes, when, where, and from what workstation or origin.
These illustrate the areas where organisations can be caught off guard if the right tools or talent aren’t in place. Whether it’s an on-premises, cloud or hybrid Microsoft environment, business leaders need to ensure they have full visibility across all unstructured data systems, such as Windows servers, NAS devices, SQL Servers, Office 365 and Active Directory (AD). They must also regularly evaluate and report on existing security policies, system configuration settings and privileged access rights (e.g. user, computer and group information, direct and nested group memberships, OU and file/folder permissions) to reduce the risk of internal and external data breaches by identifying users with inappropriate access. Life after GDPR doesn’t have to be hard if these measures are in place and permeate throughout the business.
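The nested-group point above is where such reviews usually go wrong: a user who is not a direct member of a privileged group can still reach a folder of personal data through a group nested inside it. The following is an added example, not code from the article or from Quest; it resolves direct and nested membership over a constructed directory snapshot (the group, ACL and approved-user data are made up inline, not read from a live AD) and reports users whose effective access to a sensitive folder is not on an approved list.

```python
# Added example: resolve nested group membership from a constructed directory
# snapshot and flag users whose effective access exceeds an approved list.
# Group names, the folder path and the users are constructed for illustration.
from collections import deque

# Constructed snapshot: group -> direct members (user names or other groups).
GROUPS = {
    "HR-Data-Readers": ["alice", "HR-Managers"],
    "HR-Managers": ["bob", "Contractors"],      # nested group hides extra members
    "Contractors": ["carol"],
    "Backup-Operators": ["dave"],
}
# Constructed ACL: groups granted read access to a folder holding personal data.
FOLDER_ACL = {"\\\\fileserver\\HR\\personnel": ["HR-Data-Readers", "Backup-Operators"]}
# Constructed review outcome: who is actually approved to see that folder.
APPROVED = {"alice", "bob"}

def effective_members(group, groups=GROUPS):
    """Return every user reachable from `group` via direct or nested membership."""
    seen, users, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:          # guards against circular nesting (A in B, B in A)
            continue
        seen.add(g)
        for member in groups.get(g, []):
            if member in groups:
                queue.append(member)   # another group: expand it later
            else:
                users.add(member)      # a user: record them
    return users

def users_with_access(path, acl=FOLDER_ACL, groups=GROUPS):
    """Map each user with access to `path` to the ACL group(s) granting it."""
    grants = {}
    for group in acl.get(path, []):
        for user in effective_members(group, groups):
            grants.setdefault(user, set()).add(group)
    return grants

def inappropriate_access(path, approved=APPROVED):
    """Users holding access that review did not approve, with the granting group."""
    return {u: sorted(g) for u, g in users_with_access(path).items() if u not in approved}

if __name__ == "__main__":
    for user, via in sorted(inappropriate_access("\\\\fileserver\\HR\\personnel").items()):
        print(f"{user}: access via {', '.join(via)}")
```

Carol appears only through two levels of nesting and Dave only through a backup group, which is exactly the kind of access a report of direct memberships alone would miss.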
Post-GDPR: What happens next?
In the first half of this year alone, there were nearly 1000 data breaches globally, which resulted in over 10 million data records lost or stolen, and that data threat will, unfortunately, continue into 2018. There is no question that GDPR will reshape how organisations interact and operate after May 25, 2018. Violations can lead to public embarrassment for the organisation, heavy fines, and job loss at multiple levels, from the C-level on down.
The new reality is that compliance is not an annual or even monthly occurrence; it’s daily. After May next year, organisations will need to conduct regular system checks across all networks to ensure there are no vulnerabilities they’ve missed, especially as cyberattacks become more sophisticated. Ongoing education and training will be vital for all departments, especially for new employees who may not be aware of the breach notification process.
Despite many organisations still lagging behind, it’s not too late to pave a new path forward – one that promotes data security in the design by default and stands up for the rights of individuals, not just the business.