The year 2018 will go down in history as when legislators got serious about data protection – worldwide.
We’re now just three months out from the EU’s General Data Protection Regulation (GDPR) coming into effect. It’s safe to say that this law will have global impact. No matter where a business is located, if it collects or processes EU resident records, it will need to comply with GDPR.
As the capacity to collect, store and analyse data for commercial purposes continues to grow exponentially, GDPR seeks to strengthen and unify personal data privacy and protection - putting people in control of their data and ensuring that businesses treat this data in a fair, transparent and secure manner.
It’s no surprise that this seismic shift in the way we approach data security has caused a ripple effect across the globe, with many countries following suit and modernising their own privacy and data protection laws.
Two weeks ago, Australia saw the Notifiable Data Breaches scheme come into effect, which requires Australian businesses with a turnover of more than AUD $3 million to publicly disclose eligible breaches. India is currently undergoing a public consultation around draft data privacy legislation, which is on track to come into effect by the end of the year. In Singapore, changes to its Personal Data Protection Act are impending and should incorporate facets of the GDPR, most notably in terms of mandatory breach notification.
While many may be worried about the implications of a new regulatory era, in reality it will create trust and establish good practices that benefit both individuals and businesses. Approached in the right way, these laws collectively present a positive business opportunity. Compliance can drive operational efficiencies and cost savings, and even fuel innovation. With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimise the all too common reputational and financial fall-out of a breach.
Positively secure - the benefit of GDPR
Businesses impacted by the GDPR will need to comply with a set of key principles when it comes to collecting, storing, using and securing personal information. Compliance with each of these principles should not be seen as a burden or just a means to avoid a penalty, but as an opportunity to generate real customer and business benefits. For example, one key principle is about limiting the data you store to what is genuinely needed. Data storage comes at a price, so ensuring you store only what you need can keep costs down. Another principle is purpose limitation: data must only be collected for legitimate reasons. Reviewing what data you collect and why can open up discussions about how data can be better used across the business, from marketing through to product development. A further principle concerns the accuracy of data. Getting rigorous about the accuracy of your data will not only aid compliance, but will also ensure sales teams are armed with the latest intelligence. There are yet further principles to comply with, but overall it becomes apparent that a business with control, visibility and confidence over the way it manages its data is likely to operate much more efficiently and successfully.
Prevention is better than cure
Compliance with GDPR and country-specific data protection laws is only the beginning. The real measure of success for regulators will be the behavioural and cultural shifts that these laws should drive deep within our workplaces.
Employees are often an organisation’s biggest asset, but also its most underutilised resource. The human risk from inside an organisation today is real and immediate, with the major breaches that hit our headlines increasingly resulting from stolen credentials. According to the Verizon Data Breach Investigations Report 2017, 81 percent of data breaches were caused by the hijacking of user credentials by hackers to gain access to internal systems and data. Protecting data effectively requires an organisation-wide change in mindset: moving from a threat-centric security approach to a human-centric one. The human-centric security approach focuses on user behaviour and intent, not just threats. It is cybersecurity tailored to the unique identity and intent of an individual user, providing context for activity and flagging abnormal behaviour. It is delivered by risk-adaptive protection solutions that integrate a broad spectrum of capabilities, such as DLP, UEBA, CASB and NGFW, and that understand the different channels through which users interact with data and networks.
As always, prevention is better than cure. But when it comes to data security, this is easier said than done. Carefree attitudes towards data protection in the workplace, combined with the blending of work and personal information on devices, an actively mobile workforce and the growing use of cloud services, have seen traditional network perimeters dissolve and data visibility diminish. It is now more important than ever for enterprise and government organisations to take a human-centric security approach that aids the identification of, and response to, risks in real time and, consequently, enables strong cybersecurity controls alongside employee productivity.
There’s still time to get your business ready for these new laws. First off, don’t panic. Assess the true impact of these laws on your business. Every business will be impacted differently, depending on how it interacts with data and what data it handles. Once you’ve established how you’ll be impacted, get clear on the priorities for ensuring compliance and prevention. It’s helpful at this stage to think strategically about data flows in your business: how can you gain visibility over the flow of data in and out of your business? Our “The Need to Inventory Personal Data” guide can help you identify solutions for this, and our “Data Flow Mapping and Control” guide offers some tips. Finally, prepare for the inevitable: have a compliant plan in place to respond to, and recover from, a breach within tight time constraints.
Lastly, businesses that view this new regulatory era as an opportunity will be the ones that succeed. This is your chance to build a compelling business case to get data protection right, to adopt a holistic, organisation-wide approach, and to get on with it. The sooner you do, the sooner you’ll reap the rewards.