The one year countdown until the General Data Protection Regulation comes into force has officially begun and many businesses have a long way to go before they are fully prepared. Five IT experts give their thoughts on how to make the most of GDPR, where businesses are coming up short and what they can do about it before 25th May 2018 rolls around.
The Data Protection Officer
Matt Smith, CTO Northern EMEA, APJ & South Africa, Software AG says: “Companies with over 250 employees will have to appoint a data protection officer (DPO) by May 2018 in order to comply with a key requirement of the GDPR. These organisations will need to think seriously about how they can recruit for this role, as well as how they train staff effectively to ensure they are not left exposed to GDPR sanctions due to poor data practices. The DPO’s role is a complex one to fulfil, with little official guidance offered so far. The DPO will need to be a ‘jack of all trades’: an expert in data protection and law, a key communicator between the C-suite and staff, and a people leader. It is vital that the DPO has the skills to push companies to make the most out of GDPR, using it as an opportunity for change and collaboration, not just a compliance burden.”
Jes Breslaw, EMEA marketing director at Delphix, comments: “With just a year to go until GDPR comes into effect, companies need to be smarter and look at ways they can reduce their exposure to the legislation. GDPR requires companies to demonstrate the steps taken to protect personal information, but there are technologies that can be used to take data out of the remit of GDPR altogether. For example, the use of irreversible ‘pseudonymisation’ or data masking changes the data by replacing fields with dummy alternatives. This keeps the data useful for things like testing software, reporting or analytics, but also ensures that if information is lost or stolen, it won’t leave a business exposed to GDPR sanctions. As masked data contains no personal information, GDPR requirements no longer apply. As much as 90% of an organisation’s total data is made up of copies used for secondary functions like testing, so masking provides a great opportunity to get ahead of and mitigate the impact of GDPR.”
Matt Walmsley, director of EMEA at Vectra Networks, says, “Artificial Intelligence (AI) enables the early detection, context and evidence gathering of a threat. If a data breach has occurred then there will likely be a requirement for disclosure. Such disclosure must be comprehensive, describing the nature of the breach, the data sets compromised, contact information of persons responsible for data and the measures that the organisation intends to take to address the issue.
“Unfortunately, detection and response to cyber attacks is often a slow affair. It takes an average of 99 days before a breach is detected*, the majority of which are only discovered after receiving a notification from an external party. When GDPR comes in next year, these sorts of timeframes will be simply unacceptable.” (*M-Trends Report 2017)
Andy Kennedy, senior sales engineering manager, UK, Ireland, Middle East & Africa at Zscaler, comments: “Achieving a greater level of data hygiene is crucial for companies to meet the requirements of GDPR. By addressing the lack of consistency in data handling across the business, organisations have the chance to protect themselves while regaining the trust of those they need the most: customers. Part of this process means putting technology in place that helps to control and protect digital assets and reconcile any disparity in data handling between departments. This helps to produce the shared insight necessary to update an organisation’s security posture.
“Firstly, organisations should evaluate their current security posture and ask themselves, ‘How would we know if our data has been compromised?’ ‘Are we able to effectively spot infected devices?’ If not already in place, a multi-layered defence-in-depth approach needs to be adopted to spot and block even the most difficult-to-detect attacks. SSL inspection as well as behavioural analysis are critical components of this approach.
“Companies will also need to embrace the needs of the end user and act as an enabler towards adoption of new technologies that will simplify processes and enhance productivity. Otherwise employees will increasingly turn to shadow IT applications that lie outside the security controls of the corporate network. A substantial step in the right direction is to get an overview of all cloud delivered applications in use within the company and leverage concepts such as Cloud Access Security Broker (CASB) functionality to close the security gap.
“Finally, organisations must ensure that protected information does not flow out via cloud storage, file sharing sites, blogs, webmail, social networks, IM, and other Internet channels. Between the harmful effects of unintentional user actions, malicious activities, and simple lack of awareness, these safeguards are likely still not enough to prevent sensitive data from leaking out onto the Internet. By implementing DLP systems that monitor Internet bound data in motion, companies can significantly reduce risk and improve data hygiene.”
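The last point above, monitoring Internet-bound data in motion, as an added example written for this page (not Zscaler's product or any code from the quoted speaker). A small DLP-style scanner runs over constructed outbound events from the channels the quote lists (webmail, file sharing, IM) and flags payment card numbers and e-mail addresses. The card rule only fires when the digit string passes the Luhn check, which is the usual way to keep order numbers and other long digit runs from generating false positives. Channel names, the event format and the sample bodies are all assumptions made for the example.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; real card numbers pass it, random digit runs usually do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return the rule names that match the text: 'card' and/or 'email'."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            hits.append("card")
            break
    if EMAIL_RE.search(text):
        hits.append("email")
    return hits


def scan_events(events: list) -> list:
    """Run every outbound event through the rules and report those that should be
    blocked or reviewed; the returned dicts carry only metadata, not the payload."""
    findings = []
    for ev in events:
        rules = scan_text(ev["body"])
        if rules:
            findings.append({"channel": ev["channel"], "user": ev["user"], "rules": rules})
    return findings


# Constructed sample events. The card number is the well-known Visa test number;
# the 16-digit order reference in the second event is invented and fails Luhn.
OUTBOUND_EVENTS = [
    {"channel": "webmail", "user": "alice",
     "body": "Hi, please charge card 4111 1111 1111 1111 for the order."},
    {"channel": "file-share", "user": "bob",
     "body": "Uploading report for order 1234567890123456, no customer data attached."},
    {"channel": "im", "user": "carol",
     "body": "Customer contact is jane.doe@example.org, can you follow up?"},
    {"channel": "blog", "user": "dave",
     "body": "Our Q3 release notes are now public."},
]

if __name__ == "__main__":
    for finding in scan_events(OUTBOUND_EVENTS):
        print(finding)
```

Running the block prints one finding for the webmail event (card) and one for the IM event (email); the order reference and the release note pass through. In production the same rules would sit inline on the proxy or CASB path so a match can block the transfer rather than only log it, and the findings feed the audit trail that breach disclosure under GDPR relies on.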
IT Business Support
Darran Rolls, CTO and CISO at SailPoint, says: “In order to stay on the right side of the GDPR line, many organisations will require a considerable shift in their thinking and in their IT business support systems.
“GDPR legislation specifically introduces the idea of ‘privacy by design’, which means all new systems must be architected to ensure private and personal data compliance at the start and end of all business or service processes.
“Embedding privacy early on in the system’s design process ensures enterprises have a holistic view of what data they have, its availability, who can process it and who has access to it. This means governing access in a sustainable, consistent and auditable way.
“The reality is, privacy by design is no longer merely a desire but is set to become a legal mandate. In today’s complex data-driven economy, it’s critical that any business subject to GDPR takes steps to understand how to implement the relevant controls and best support its obligations.
“Identity governance therefore plays a big part in getting ready for GDPR. Adopting consistent access practices means businesses can remain compliant while having full oversight of data, ensuring it remains secure in the long term. Today, we must recognise that ‘privacy by design’ is a business asset rather than compliance nightmare.”