The clock is officially ticking for organisations to get their data protection policies in order, now that the General Data Protection Regulation (GDPR) has been approved and is set to replace the EU Data Protection Directive.
The new regulation will come into effect in May 2018 and will require businesses to put a much stricter focus on data protection. The headline items for organizations that collect or process EU citizen records are:
- Organisations must notify their supervisory authority of a data breach within 72 hours
- The data subject will have the right to retract consent, request data erasure or portability
- Organisations may face fines of up to 4% of their worldwide turnover, or €20 million for intentional or negligent violations
These increased sanctions mean it is vital that this new law be fully understood by a number of key stakeholders within the organisation, and that organisations start preparing as soon as possible.
There are five key steps that help organisations perform a basic assessment of their current data protection strategy and of any gaps that need filling, prior to a more comprehensive review against the GDPR.
The first task for any organisation must be to identify whether they are considered a data controller or processor. They must review the relevant obligations these carry, such as issuing notice to citizens and maintaining relevant consent from the data subject.
Businesses should make it common practice to regularly review existing and new business processes to identify Personally Identifiable Information (PII). They should identify where this data resides, whether at rest, in motion and/or in use, maintain a record of processing activities, and understand how this data is protected.
Once PII has been identified, organisations must then ensure they adequately protect this data. Encryption and access control are common control standards, but managing encrypted data across multiple business processes is a hugely difficult task.
Data sovereignty and data lifecycle management are key to helping businesses ensure that EU citizen data is processed and stored appropriately. In addition, they also need to manage data flows to approved third-party processors, monitor for accidental data leakage by negligent or malicious employees, and protect against data theft by external agents.
If an organisation does suffer a loss of data, it is vital to detect the breach and identify whether PII records were lost or stolen. If a data breach has occurred, the business will be required to notify the necessary authorities within 72 hours of its discovery to initiate a full investigation.
The investigation will focus on identifying the source and destination of the breach through event and incident information from Data Leakage Prevention (DLP) and Data Theft Prevention (DTP) tools. Data forensics will help to pinpoint the stolen data, at which time the business will be required to issue notice to any affected data subjects.
Incident response is critical to protecting EU citizen data. In addition to the mandatory data breach notification requirement, organisations must also ensure they have implemented an effective incident response plan. This plan must be tested to ensure that employees involved in a data breach response are familiar with the reporting process and fully understand the new legislation and the communication process required to report a breach.
In the aftermath of a data breach businesses must ensure they maintain ongoing communication with the relevant authorities. This will ensure secondary loss factors are managed and keep affected data subjects regularly informed.
Data protection and the safeguarding of EU citizen data has always been an important requirement for organisations, and the impending GDPR places even greater emphasis on the value of this data. It is therefore more important than ever for organisations to fully understand their role and apply the appropriate security controls that allow them to identify and protect this data. Having an established data breach plan in place will help organisations become familiar with the detection, response and recovery phases, so that they limit the effect of an attack and have the relevant people, processes and technology in place to continually meet this new legal requirement.
For more information, watch the Forcepoint GDPR webcast: https://www.forcepoint.com/resources/webcasts/emea-general-data-protection-regulation-webcast
The final revision of the GDPR text with changes can be found here: https://www.scribd.com/doc/307465671/GDPR-Blackline-Comparison-of-12-15-and-4-16-versions