As of May 25, Europe's groundbreaking General Data Protection Regulation (GDPR) will take effect, fundamentally changing the way businesses and government agencies deal with personal data. The new law applies equally to any organization that operates in Europe, no matter where it is based – posing a major challenge for corporations and regulators across the globe.
There have been few occasions in recent history when a regulation has stirred so much conversation and awareness about compliance. In a recent PwC survey, 92 percent of the U.S. employers surveyed said they consider GDPR compliance to be a top information security priority, and 77 percent said they expect to spend more than a million dollars preparing for the GDPR.
To face the changing landscape and meet the requirements of GDPR, organizations must educate themselves on the evolving nature of compliance and how they can be prepared to meet the related challenges that arise.
What's different?
While compliance may have been equated with a project that could be completed and forgotten, it now must be completely and continuously integrated with the business processes that are in place today. Under GDPR, organizations are expected to incorporate data protection into their products, services, and business practices “by default” and “by design,” and must be able to demonstrate they have taken steps to secure personal data throughout their operations. Data classification, retention and protection will need to be an ongoing focus for any business.
Compliance also needs to go broader than it previously has and must cover the whole solution set. With the increasing number of ways people communicate about business today through messaging platforms, social media and email, the amount of unstructured data continues to expand and data goes just about anywhere. Businesses can no longer approach security by simply setting up a wall to protect their structured data from the outside world.
Whereas achieving 90 percent compliance may have previously been acceptable, under GDPR compliance requirements will be a lot stricter. Companies that previously focused on simply passing an audit and securing the perimeter of their network must shift their approach.
How compliance helps
Despite the need for change, companies may be hesitant to update their approach to compliance, citing concerns that it will slow down business, cost too much money or require intensive training and new management processes.
While putting the protocols in place to demonstrate compliance can take time, it will start to pay off in more ways than one. For instance, from a cost-analysis perspective, the business operates significantly more smoothly once you know what kind of data you have and where it is being stored. Being able to demonstrate compliance will also keep insurance costs down if the heavy GDPR fines are put in place.
Additionally, achieving compliance will limit the potential impact of a data breach on both your company's reputation and its bottom line. Retaining data you don't need could be harmful to your business. Taking steps to delete unnecessary or outdated data will reduce the risk of vulnerabilities as well as the fines and the cost of remedial action necessary in the event that the data becomes compromised. At the same time, sensitive data should not merely be seen as a liability – it can also have real value if handled correctly. Compliance can help you know where your data is stored and take action to properly protect it.
Finally, security professionals must be able to demonstrate compliance to avoid risking long-term damage to their individual reputations. While the public trust of companies that suffer a massive breach may recover over time, the individuals at fault suffer far longer from a career standpoint.
Prepare your business: Making the shift
Achieving compliance under GDPR is a process, not a project. There are a few best practices that organizations can follow to improve their compliance processes. To start, determine whether your company is required to appoint a Data Protection Officer (DPO), and consider who may be qualified to hold the position. The DPO needs to be a catalyst for change.
To be most effective, the DPO should assess the current processes and workflows that involve customer data and then implement clear, well-defined data classification and data retention policies. The only way to be sure that your organization is meeting its data protection compliance obligations is to understand exactly what types of data you have, where that data is located, and how it's being protected.
Most importantly, the C-suite and board must believe in the policies being put in place and drive them down through the organization. Companies should commit to implementing both process and technology changes to meet GDPR requirements around the protection of sensitive data, and then actually follow through with the support of senior leadership.
In the era of GDPR, organizations around the world need to update their business models and security architecture to ensure they're in compliance. The key to achieving compliance in the data age lies in data classification, retention and protection. Companies should see GDPR as a huge opportunity to improve business processes, reduce the risk of costly breaches and ultimately protect their bottom line.