by Bharat Mistry
The enforcement date for the long-awaited European General Data Protection Regulation (GDPR) was announced this week: 25 May 2018. Now there are many reasons why UK CISOs might want to look the other way when they hear that news. Two years, after all, seems like a very long time away. It’s also very tempting to delay any compliance efforts until after the EU referendum, which could very well go the way of Brexit. The received logic is that this would let IT departments up and down the country off the hook for GDPR compliance.
But that’s a dangerous game to play. It’s likely that even in the event of a ‘Leave’ vote, the UK would be forced to align its data protection laws with the EU. So the message is still very much: “Brexit or no Brexit, IT leaders must start planning now for the GDPR.”
A legal question
If there’s one thing the EU referendum and the European GDPR have done for sure it’s make lawyers across the UK and beyond very happy. Why? Because it has created confusion, uncertainty and fear from Brussels to Bristol, prompting panicked boardroom calls for legal advice. The “fear” part comes from the fact that organisations found to have been in serious breach of the GDPR will be fined 4% of annual global turnover or €20 million – whichever is higher. The confusion and uncertainty comes from firms wondering exactly how they are going to comply.
How do firms notify of a breach within 72 hours when last year, in 83% of cases, victims didn’t find out they’d been breached for weeks or more, according to Verizon’s latest industry report? How do CIOs find suitable data protection officers to handle this part of the business, as mandated in the new rules? How do they comply with right-to-be-forgotten and data portability requests? The list goes on…
The truth is that the GDPR will be a massive undertaking. But a Brexit vote will not mean compliance efforts can be halted. International law firm Allen & Overy explains it best here: once outside the EU, the UK would have to “impose a broadly equivalent level of data protection to that agreed in the GDPR.” This is to minimise the chances of a long, drawn-out negotiating process of the type the US recently undertook with the EU over a replacement for Safe Harbour, and to ensure UK firms can work with EU data and vice versa. If the UK was locked in a similar years-long impasse, multinationals would likely vote with their feet and move data out of the country in the meantime.
Compliance starts here
The bottom line is: our data protection laws have been in need of a reboot for years now and as painful as it is, change is necessary to keep pace with modern technologies. For IT bosses at the coal face, here’s where to start:
- Conduct a data audit to find out what data you hold and how you are using it
- Classify data according to sensitivity and your organisation’s risk appetite
- Deploy data loss prevention (DLP) technologies to help prevent leaks
- Run staff awareness and user education training programmes that focus on data protection
- Restrict the number of privileged accounts and roll out strong authentication (e.g. 2FA) for those accounts
- Deploy mobile device management so that mobile devices are covered by the new rules
- Run regular penetration tests to check the resilience of systems to attack
- Develop an incident response plan to ensure you can report within 72 hours. Involve key stakeholders including legal, HR and PR teams, etc.
- Use advanced server-side technologies like Deep Security, which can help lock down risk across physical, virtual and cloud environments from a single console