The EU General Data Protection Regulation clock is ticking. Are you prepared?
25 May 2018 is a date you can’t forget! No, it’s not your mother’s birthday or your wedding anniversary, it’s the enforcement date for the new EU General Data Protection Regulation — or “GDPR” as it has become more widely known — and it’s only weeks away.
Replacing the older EU Data Protection Directives, the GDPR will reshape how organisations across Europe approach data privacy and ultimately, security. But it’s not just limited to those located within the EU. Organisations outside the EU that offer services and goods and potentially hold and monitor data on European residents or businesses will also be subject to the new regulations. With fines up to 4 percent of annual global turnover or €20 million for breaches, these are regulations with a serious bite.
Ensuring your organisation is safe, secure and prepared
It’s been two years since the new regulations were announced. The main focus for many organisations has been to understand how they manage their data classification, governance, access and mapping, but they have also been focused on security. This topic isn’t just relevant to the EU General Data Protection Regulation; it extends far wider. The considerations are not just the obvious “how do we secure our organisation externally against bad actors and hackers” but also “how do we protect our endpoints and mobile devices.”
Security extends beyond the physical perimeter. Consideration should be given to securing data on the mobile platforms that workers use frequently. Your internal corporate database server might be locked up like Fort Knox, but how secure is the CEO’s tablet? More and more corporate data is now accessed and collected using mobile platforms, and security for those devices cannot be overlooked. With malware and attacks increasing annually, can your organisation afford to leave the widest and most fluid part of your network exposed? Whether you secure those devices using mobile device management solutions, implement containerisation or decide to use mobile application management options, there are many choices to suit different organisational risk profiles.
EU General Data Protection Regulation: Widespread impact
Whilst GDPR seems to be the most widely discussed new data privacy regulation coming into force in 2018, it’s not the only one.
Although it is not as comprehensive as GDPR, the new Australian Breach Notification law comes into force on 13 February 2018, introducing a mandatory requirement for organisations to notify the Privacy Commissioner and any affected individuals within 72 hours of a breach. It also carries heavy financial penalties of up to AU$1.8 million for organisations and AU$360,000 for individuals who fail to report as required by the regulations.
There are no federal laws in the US requiring organisations to report data breaches, but many states do require public disclosure of breaches. There has been some confusion around whether GDPR will affect US businesses. The answer is very likely yes, especially for US organisations with web retail presences, and those involved in certain kinds of marketing. Even if there are no financial transactions taking place, if personal data or personally identifiable information belonging to an EU citizen is collected, it is protected under the EU General Data Protection Regulation.
For the many organisations already following existing regulations and standards for different kinds of data, such as PCI DSS and NIST, these new regulations and laws will not cause too much disruption on their own. Yet in this hyperconnected world, protecting data has never before been this important. And as we move more of our lives into that connected world, data will only become more regulated. Organisations must learn to adapt — or face the consequences for not doing so.