On the 25th of May 2018, every organisation which is involved in the handling of personal data will enter a new world full of major challenges. Despite a vast amount of content already written on the subject and the fact that the acronym GDPR (standing for General Data Protection Regulation) has become the latest buzzword in our offices, a recent IDC report found that 40% of organisations are only just getting started and 17% still have no plans or strategy in place. With less than a year left until the GDPR comes into effect, we are here to talk about a solution which will add strength and value to your compliance strategy.
It is important to note that meeting the security standards is not just about technology solutions; it is also about the people within your company and the processes which everyone needs to be aligned to. This involves training and plenty of communication to ensure your employees are aware of their responsibilities.
Before we get started, let’s establish exactly what the EU General Data Protection Regulation is and why you should bother to pay it any attention at all.
The GDPR was approved and adopted by the EU Parliament in April 2016 and the UK government has confirmed that the regulation will take effect regardless of Brexit. This is the most significant privacy regulation update in the past 20 years, period. With the increasing number of organisations operating across borders on an international level, it is crucial to have consistent laws and regulations around data protection in place. Therefore, the regulation doesn’t apply only to organisations located within the EU but to any company that handles, stores or processes personal data and information on EU citizens.
The consequences of GDPR non-compliance will be much more severe than the penalties introduced by the Data Protection Act (DPA). The maximum fine that can be imposed for very serious infringements is up to 4% of the annual global turnover or 20 million Euro, whichever is greater. The new law also requires that notifiable breaches be reported to the relevant authorities within 72 hours of the company becoming aware of them. Failing to notify of a breach within this time frame can result in a significant fine of up to 2% of the global annual turnover (or 10 million Euro).
Encryption and Restrictions
Besides the encryption of personal data, the regulation requires the restriction of access to personal data. Your system is only as safe as its weakest link, and we know that privileged users are the most common culprits for misuse in any organisation. No matter how well you try to protect your organisation, a breach is extremely likely to happen at some point; the key, therefore, is to understand how to detect breaches in real time and prevent them from happening.
Dedicated solutions for managing privileged users and sensitive information ensure the strongest level of security for those who have the highest level of data access and editing powers. Therefore, controllers and processors should have some level of user authorisation and a monitoring process. Companies will need to protect data in the same way that they protect critical infrastructure assets, requiring users with access to personal data to be monitored.
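As an added illustration of the two controls the section calls for, user authorisation and a monitoring process over personal-data access, the following Python example is not from the original article or any vendor product. It implements a deny-by-default role check in which every decision is written to an audit trail, and a detector that reads that trail to flag privileged accounts touching an unusual number of records. The roles, permissions, threshold and sample events are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed policy for this example: the actions each role may perform on
# records containing personal data. Anything not listed is denied by default.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "support": {"read"},
    "dpo": {"read", "export"},
    "admin": {"read", "export", "delete"},
}


@dataclass
class AuditEntry:
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool


@dataclass
class AuditLog:
    """Append-only trail of every authorisation decision, allowed or not."""
    entries: List[AuditEntry] = field(default_factory=list)

    def record(self, entry: AuditEntry) -> None:
        self.entries.append(entry)

    def denied(self) -> List[AuditEntry]:
        return [e for e in self.entries if not e.allowed]


def authorise(user: str, role: str, action: str, record_id: str, log: AuditLog) -> bool:
    """Deny-by-default check against ROLE_PERMISSIONS; every decision is logged."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.record(AuditEntry(user, role, action, record_id, allowed))
    return allowed


def flag_bulk_readers(log: AuditLog, threshold: int) -> Set[str]:
    """Users whose *allowed* accesses touched more than `threshold` distinct records.

    A privileged account is authorised for each single read, so only the audit
    trail reveals the pattern; this is the monitoring step the article asks for.
    """
    touched: Dict[str, Set[str]] = defaultdict(set)
    for e in log.entries:
        if e.allowed:
            touched[e.user].add(e.record_id)
    return {u for u, ids in touched.items() if len(ids) > threshold}


# Constructed sample activity: a support agent stepping outside their role,
# a DPO performing an export they are entitled to, and an administrator
# reading many customer records in one session.
SAMPLE_EVENTS = [
    ("alice", "support", "read", "cust-001"),
    ("alice", "support", "export", "cust-001"),
    ("carol", "dpo", "export", "cust-007"),
] + [("bob", "admin", "read", f"cust-{i:03d}") for i in range(1, 9)]


def run_demo(threshold: int = 5):
    """Replay the sample events through the authoriser and return the log
    plus the set of users the bulk-access detector flags for review."""
    log = AuditLog()
    for user, role, action, rec in SAMPLE_EVENTS:
        authorise(user, role, action, rec, log)
    return log, flag_bulk_readers(log, threshold)


if __name__ == "__main__":
    log, flagged = run_demo()
    for e in log.denied():
        print(f"DENIED  {e.user} ({e.role}) {e.action} {e.record_id}")
    print("bulk readers to review:", sorted(flagged))
```

The point of logging denied attempts as well as allowed ones is that a role violation (alice trying to export) is caught by the authoriser, whereas an administrator reading eight records is individually legitimate and only becomes visible when the audit trail is analysed as a whole. In a real deployment the threshold would be tuned per role and the audit log shipped to a system the privileged users themselves cannot alter.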