GDPR is coming: 5 Things to Be Aware Of
You may have heard that May 25th, 2018 is going to be a significant date. As well as being a few short weeks before the FIFA World Cup begins in Russia, it’s also the date that GDPR (the General Data Protection Regulation) comes into full effect.
GDPR is going to be a huge catalyst for businesses within the UK – who will have to make some fundamental changes to the way in which they operate, and how they manage risk.
Whilst May 2018 might seem like some time away yet, the time to start preparing for GDPR is now. So, we’ve put together a list of 5 things to be aware of – specifically, how the regulation is going to affect you, and how you can put yourself on the front foot in preparing for it.
1) What is it, and how did we get here?
GDPR will introduce new laws that will impact companies around the globe. It will apply to all companies that are based in the European Economic Area and/or target the European Union (EU) markets or consumers.
In a nutshell, GDPR gives new rights to EU citizens over their personal data, such as a right to withdraw consent and easier access to their own data, among many others. Understanding the context is key, because this is about recognising the significant responsibility that companies take on when they are given personal data. Now, they must meet a strict set of criteria in order to prove that they are doing all they can to protect it.
There were two drivers behind this. The first was about giving control of citizen data back to the individual. No longer will companies be able to gather whatever information they want without a valid reason.
Secondly, each country currently has its own way of drawing up legislation to control data rights. GDPR is going to drive some uniformity, and make it easier to legislate.
The penalties for non-compliance are fairly scary: the fines can go up to 4% of your annual turnover or 20 million Euros, whichever is higher.
Crucially, as a business, you don’t opt in, and you don’t opt out; you have to comply. And the sooner you start preparing for it, the better.
2) If GDPR affects EU citizen data, what about the question of Brexit? Do British companies still have to comply?
At the moment, we don’t know exactly when we’ll leave Europe, or what our position in Europe is going to be. However, GDPR covers the transfer of EU citizen data as well as its collection. So, any organisation which holds or transfers EU citizen data will still have to comply with GDPR.
Most British companies are dealing with EU citizen data in some way, shape or form. If you think you don’t, please take a look at what is meant by personal data, because it includes not only bank account details, email addresses and sensitive personal information, but also IP addresses. If you think about how many companies work with IP addresses, that really expands the scope of who this legislation affects.
It’s also very likely that the UK is going to imminently replace the Data Protection Act of 1988 with something extremely similar to GDPR. The main thing to understand here is that by taking steps to protect your data, you will have a much greater chance of protecting your business against cyber threats. It’s a huge step forward in how the world sees data protection.
3) How do I start planning to meet the criteria?
The way to start is by doing some gap analysis. Work out what you need to do to become compliant, as there are some very specific guidelines. Compare that with the processes and structure you currently have, and then work out what the gaps are.
From there, you can build a roadmap. Crucially, ensure you raise awareness within your business as to what is expected of your employees, at every point in the journey. The later you leave it, the more it’s going to turn into a panic situation. So, start on that road now – and there are experts who can help you if you’re not sure where to begin.
4) Can I become compliant with a particular piece of technology?
GDPR is about security processes and managing risk, more than anything else. Technology plays a part, but just like Ant can’t work without Dec, the technology can’t work unless it’s accepted into the organisation, and everything works together.
Traditionally, we’ve thought of cyber security as being a technology problem with a technology answer. However, the bad guys have got cleverer. They are sophisticated, well-funded, and targeted in their attacks.
Take a look at our recently released Annual Cybersecurity Report to find out what sort of escalated activities cyber criminals are now up to. The game has changed, and protecting against data breaches is something which all businesses must have high on their agenda.
GDPR also specifies that organisations have to appoint a data protection officer, who is distinct from a risk officer, and distinct from most other IT functions that currently exist.
Data protection officers have a specific mandate, but importantly it’s a role that has to sit outside of IT, and outside of the boardroom, so they’re not answerable to anyone else. They’re answerable to the regulation.
Again, it’s about ensuring that companies recognise how much responsibility they carry when they collect and transfer other people’s data.
5) How will GDPR affect how I deal with a data breach?
Currently, if an organisation suffers a breach, they don’t have to tell anybody. Ethically and morally, some companies feel obliged to, particularly if the breach directly affects their customers.
GDPR will force you to. The fines will kick in if you fail to notify a breach within 72 hours.
If organisations are not set up with the right processes or technology, they can’t always tell how bad the breach is. So, when they have to reveal it and are then asked questions like “What’s been taken?”, “What are you going to do about it?” and “Can you assure me this won’t happen again?”, their answers aren’t going to be very convincing.
Secondly, the average time to detect a breach in a business is between 100 and 200 days, which is an extraordinarily long time. At Cisco, we bring that down to 9 hours across the globe, which is significant. This, coupled with our Stealthwatch technology, which helps quarantine breaches, will help businesses identify what has happened and how best to stem the damage – both now and in the future.
This is about making an attitudinal shift. Organisations must be aware of the current threat landscape, and be prepared for an attempt on their data. This is very process-oriented: it’s about recognising a breach and then dealing with it, which is what GDPR is trying to encourage.