Current regulations require companies to notify customers if a data breach occurs, but businesses have rarely suffered consequences beyond the loss of the information itself. In May, the General Data Protection Regulation (GDPR) will begin holding companies that operate in the European Union, a target market for many American companies, accountable for breaches. The consequences of losing customer information could be devastating.
A multi-million-dollar fine can be levied on a company that suffers a breach and is found to be non-compliant with GDPR. Surveys have found that most businesses with EU customers, and most businesses in the EU and UK, are not ready. The regulation is complicated, but failure to comply can be very costly: fines reach up to €20 million (roughly $26 million) or 4 percent of annual worldwide turnover, whichever is higher.
As of December 20, 2017, the Identity Theft Resource Center reported 1,293 data breaches, with more than 174 million records exposed since the beginning of the year, an increase of 21 percent over the same period in 2016. If those 1,293 breaches were to occur this year, many of the affected companies could face GDPR sanctions wherever the exposed records belonged to people in the EU.
Compliance starts with determining whether the business is in scope. Simply put, any company that offers goods or services to, or monitors the behavior of, people in the EU is likely covered, and any company established in the EU is covered regardless of where the people whose data it processes live. GDPR was written to protect personal data, a term it defines more broadly than the usual notion of Personally Identifiable Information (PII): any information that can be linked, directly or when combined with other data, to an identifiable person. That includes age, birthday, sex, address, phone number, IP address and other online identifiers, sexual orientation, political opinions, trade union membership, religious or philosophical beliefs, racial or ethnic origin, genetic, biometric and health data, data on children (under 16 by default, though member states may set the threshold as low as 13) and information already protected under other regulations. For practically any company that stores information on its customers, the safest course is to comply with GDPR rather than hope that a breach never happens or that investigators never notice the gaps.
The first step toward compliance is deciding who owns it, and in many cases that means appointing a Data Protection Officer. A business is required to have a DPO if it is a public authority, if its core activities involve large-scale regular and systematic monitoring of individuals, or if it processes special categories of data (such as health, biometric or political data) or criminal-conviction data at large scale. The DPO must be involved, properly and promptly, in every issue that touches personal data, including any event in which GDPR-covered data may have been lost, and serves as the contact point for affected persons and for the Supervisory Authority (SA). Note that the company itself, as controller, remains responsible for demonstrating compliance; the DPO's job is to monitor it, which means this individual needs to know the company's policies and security controls inside and out. If the company is not required to have a DPO, it should still decide in advance who will respond if the SA opens an investigation.
Of course, it doesn't stop there. All personal data the company holds needs to be inventoried and evaluated to confirm that there is a lawful basis for collecting, storing and processing it; holding personal data without a lawful basis is a serious violation. GDPR does not mandate any particular technology, but it names encryption and pseudonymisation as appropriate security measures, and a breach of data that was encrypted with keys the attacker did not obtain does not have to be reported to the affected individuals (the SA must still be notified). In practice, that means encrypting personal data both at rest and in transit and keeping the keys separate from the data they protect. Companies will also be required to carry out data protection impact assessments (DPIAs) for any processing likely to pose a high risk to individuals: documenting the processing, assessing the impact on data subjects as well as on the company if something goes wrong, and recording what will be done to reduce that risk before the processing begins.
There are many other components of GDPR that companies should familiarize themselves with and comply with if required. The best source of information on the regulation requirements is gdpr-info.eu.
Once GDPR takes effect, a company that discovers a breach must notify the SA within 72 hours of becoming aware of it unless the breach is unlikely to put individuals at risk, and must inform the affected individuals without undue delay when the risk to them is high. Whether contact with the SA begins with the company's own report or with an inquiry, the best course of action is to demonstrate a compliant attitude by supporting the investigation fully, and to bring in the legal team at once. It is important to remember that complying with GDPR is not easy. It takes time to bring systems and processes up to the level of security the regulation requires. It can also be costly, but data protection should be treated with nothing less than extreme seriousness. In nearly every case, the cost of compliance will be less than the cost of sanctions.
John Barchie, a senior fellow with Arrakis Consulting, has 20 years of experience in computer networking, information technology and cyber security. The majority of his career has been spent developing security protocols for Silicon Valley corporations, including Symantec, PayPal, PG&E, KPMG and OpenSky. He has completed security projects for Sony PlayStation and NASA. Barchie holds ISACA and (ISC)2 certifications.