The General Data Protection Regulation (GDPR) goes into effect soon. There has been consistent coverage of the European Union compliance framework over the past year—increasing in volume as the implementation date becomes more imminent.
Let’s talk about some of the key aspects of GDPR compliance that you may not be aware of.
Ready or Not, GDPR Is Coming
If this is the first you’re hearing of GDPR, you’re in trouble. The EU law goes into effect on May 25, 2018, and it’s far too late to go from nothing to full compliance in the next couple of months. If you’re still not sure what GDPR is, or whether and how it applies to your business, you’ve got a lot of catching up to do.
There is a silver lining as well, though. GDPR is about protecting data and taking responsibility for the personally identifiable information (PII) your organization is entrusted with. We cover this in our GDPR webinar. If you are following established security best practices or fall under other existing compliance mandates such as PCI Compliance or HIPAA Compliance, there’s a good chance you already have a strong foundation in place.
Yes, GDPR Probably Applies to You
Before you say, “Oh, my company is not based in Europe, so this doesn’t apply to me,” and stop reading, I should let you in on a little secret. There is a very good chance that GDPR compliance applies to your business no matter where you are. The scope of GDPR is effectively global because we live in a global, connected world. If you conduct business online, or even have suppliers or vendors that operate in the EU, and as a result you collect, process, store, or transmit personal data on any citizen of the EU, GDPR applies to you.
Brandon Board, Senior Director of Corporate Security, IT Compliance and Audit here at Alert Logic, shared that one of the biggest challenges he and his team have faced in getting ready for GDPR is the amount of time and effort required to educate service providers that Alert Logic relies on about GDPR and what their obligations are related to compliance.
Failure to realize that GDPR does apply to you and take the appropriate steps to comply could be a very costly mistake.
Visibility and Accountability are Crucial Elements of GDPR
The penalties associated with GDPR can be severe. One of the requirements of GDPR is that a data breach must be disclosed within 72 hours of being detected. Failure to do so could cost up to 4 percent of your global revenue or 20 million euro.
That is why visibility and accountability are key components of GDPR compliance. GDPR places significant emphasis on the documentation necessary to demonstrate accountability. Achieving and maintaining compliance will require organizations to have a comprehensive view and understanding of how personal data is collected, where and how it is stored, and how it is used. It is also essential to review contracts and other arrangements you have in place when it comes to sharing data with other organizations.
If and when a breach is detected, whether or not you get fined or how severe the fine is will depend on your ability to demonstrate the security controls you have in place to protect data, and to quickly provide an accurate assessment of exactly what data was exposed or compromised. Meeting that obligation requires comprehensive visibility with a good intrusion detection system and continuous monitoring of the activity across your entire network with a robust cloud security platform.