GDPR to Put a High Price on Security Breaches
What is the GDPR?
With the introduction of the General Data Protection Regulation (GDPR), the EU is enacting a set of mandatory regulations for businesses that go into effect soon, on May 25, 2018. Organisations found in non-compliance could face hefty penalties of up to 20 million euros, or 4 percent of worldwide annual turnover, whichever is higher.
Simply put, GDPR was enacted to give citizens and residents more control over their personal data and puts strict data handling rules in place governing “controllers” that collect data from EU residents, and “processors” that process the data on behalf of controllers, such as cloud providers.
Prepping for GDPR
Ronald Sens, EMEA Director at A10 Networks, recently shared his views on the effects that GDPR may bring with it. He stated:
So how do companies ensure their systems and their customers’ data are protected when the GDPR takes effect? As with most security recommendations, it’s about having a battle plan in place well beforehand.
Gartner recommends a good starting point for GDPR prep is to create two new roles dedicated to data protection: One who acts as a contact point for the data protection authority and data subjects, and the other a data protection officer to ensure processing operations maintain compliance.
From there, companies should be proactive and transparently demonstrate accountability for all processing activities, examine how data flows across borders within the EU and outside of it, and ensure they have systems in place to notify individuals and authorities should a breach occur and to comply with the right to be forgotten should an individual ask for their data to be erased.
It’s also imperative that companies have systems in place to prevent breaches in the first place. Notification is not required for breaches involving anonymised data, but companies should examine their encryption solutions to ensure their private data is and remains private.
Tools That Can Help Protect Your Data
When GDPR comes into force, it is important to look at your corporate infrastructure and rethink how it protects customer information and data. Checking whether you have the right tools for the job is the first step. Ronald continued:
A dedicated decryption solution can ensure encrypted data is decrypted for visibility and inspection, in a secure decrypt zone, and companies can opt to bypass certain types of traffic that should remain encrypted and anonymised, such as personal data, as policies dictate. That gives organisations the benefit of decryption services, while still complying with GDPR.
Companies can also institute stronger identity hygiene practices to ensure attackers aren’t attempting to crack into networks to steal data. Simple steps like multi-factor authentication, and swiftly deprovisioning expired employee accounts, can help ensure access is only granted to authorised personnel.
Analytics solutions can help by enabling companies to quickly and accurately detect security anomalies. Having an understanding of how applications are performing in real-time and their security posture could alert an organisation in the event of a breach or an attempted data theft.
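The identity hygiene steps mentioned above (multi-factor authentication and prompt deprovisioning of expired employee accounts) are easy to state but only useful if they are checked continuously. The following is an added example, not code from the article or from A10 Networks, of a small audit routine over a constructed user-directory export. The record fields (enabled flag, MFA enrolment, last login, leave date), the 90-day dormancy threshold and the audit date are assumptions for the example; a real identity provider export will use different field names.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    # Field names are assumptions for this example, not any particular IdP's schema.
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]   # None means the account has never logged in
    leave_date: Optional[date]   # employment end date; None if still employed


# Constructed sample data, not a real directory export.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", True, True, date(2018, 4, 30), None),
    Account("bob", True, False, date(2018, 4, 28), None),                # no MFA
    Account("carol", True, True, date(2018, 1, 3), None),                # dormant
    Account("dave", True, True, date(2018, 3, 1), date(2018, 3, 15)),    # left, still enabled
    Account("erin", False, True, date(2017, 12, 1), date(2017, 12, 1)),  # left, already disabled
    Account("svc-backup", True, False, None, None),                      # never logged in, no MFA
]

# Assumed audit date (the GDPR enforcement date used in the article).
AUDIT_DATE = date(2018, 5, 25)

# Reasons that justify disabling the account outright, as opposed to
# "mfa not enrolled", which is fixed by enrolling the user rather than locking them out.
DISABLE_REASONS = {"leaver still enabled", "dormant", "never logged in"}


def audit_accounts(accounts: List[Account], today: date,
                   dormant_after_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, reason) findings for accounts that violate the hygiene policy.

    Disabled accounts are skipped entirely: the policy is about who can still
    authenticate, and a disabled leaver is the desired end state.
    """
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        # Leaver whose end date has passed but whose account was never deprovisioned.
        if acct.leave_date is not None and acct.leave_date < today:
            findings.append((acct.username, "leaver still enabled"))
        # Active account that can authenticate with a password alone.
        if not acct.mfa_enrolled:
            findings.append((acct.username, "mfa not enrolled"))
        # Dormant or never-used accounts are attractive targets and rarely missed.
        if acct.last_login is None:
            findings.append((acct.username, "never logged in"))
        elif (today - acct.last_login).days > dormant_after_days:
            findings.append((acct.username, "dormant"))
    return findings


def accounts_to_disable(findings: List[Tuple[str, str]]) -> List[str]:
    """Usernames whose findings warrant disabling the account (sorted, de-duplicated)."""
    return sorted({user for user, reason in findings if reason in DISABLE_REASONS})


def sample_findings() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample at the assumed audit date."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    results = sample_findings()
    for user, reason in results:
        print(f"{user:12s} {reason}")
    print("disable:", ", ".join(accounts_to_disable(results)))
```

Note that "dave" left on 15 March but last logged in on 1 March, so the dormancy rule alone would not catch him for another few days; the leave-date check is what flags the account, which is why deprovisioning should be driven by HR events rather than by inactivity alone.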