The European Union’s General Data Protection Regulation (GDPR) is scheduled to come into effect in May of 2018. While this is a regional regulation, the nature of today’s interconnected economies means that it has global implications. GDPR clearly establishes the rights of EU citizens to control their personal data, while imposing new responsibilities on organizations to protect that data.
New protections for personally identifiable information (PII) include an individual’s right to explicitly approve the usage of their personal data, as well as the “right to be forgotten,” which enables individuals to demand that an organization purge any personal data about them. In addition, it imposes a requirement that organizations publicly report any data breaches impacting EU persons within 72 hours of their discovery.
The EU intends to enforce GDPR through a series of stiff fines, sanctions, and injured-party compensations. These fines range from up to €10 million, or 2% of an organization’s revenue for minor infractions, to €20 million, or 4% of an organization’s revenue, whichever is higher. These regulations aren’t just for EU-based organizations. In fact, they apply to any organization doing business in the EU or with EU citizens, regardless of size or industry.
These new regulations are in line with the EU’s traditional practice of using high-profile cases and fines to get the attention of the marketplace. Traditionally, Europe and the U.S. have approached regulatory compliance differently; the EU regulates, while the U.S. litigates. Of course, GDPR is about much more than the penalties. This is also about protecting individuals, while ensuring that companies remain viable in today’s new digital economy.
We are in the midst of one of the most far-reaching evolutions in the history of the global economy, and it is primarily being driven by digital transformation. But cybersecurity needs to be much more than simply a defensive mechanism. It needs to be an enabler of digital transformation. To achieve this, organizations need to focus on building a comprehensive cybersecurity architecture that protects themselves and their customers regardless of where they conduct business, allowing organizations to securely expand wherever and whenever they need. This requires a security framework that can see and share threat intelligence, adapt to network changes, and automatically respond regardless of where a breach occurs.
Unfortunately, because most organizations do not have such a system in place, a significant number are not going to be ready to meet these new requirements. For example, a recent survey found that 61% of U.S. businesses have not even begun to prepare for GDPR, and that 50% will not be able to comply with GDPR when it goes live.
Part of the problem is that most cybersecurity solutions were never designed for the sophisticated threat landscape they now need to protect. As a result, weeks or months regularly lapse between an initial exploit and the detection of that breach. And because so much time passes, it can take further weeks to accurately assess the breadth and scope of a successful compromise that has managed to infiltrate deep into a complex and highly distributed network environment. Part of the challenge with compliance, therefore, is that because most cybersecurity solutions were never designed to gather, share, or correlate data, most forensic analysis is still done by hand. Changing this is going to require rethinking and retooling your cybersecurity infrastructure.
The other reality is that due to the sophistication and velocity of today’s attacks, breaches are going to happen regardless of whatever countermeasures organizations take. GDPR has set a 72-hour window to report data breaches without penalty. This means that organizations need to find solutions that move beyond the perimeter and deep into the core of the network, allowing them to uncover breaches as close to the time of infiltration as possible to minimize both the impact of an attack as well as any potential penalties for failing to see and report it. This also means organizations need to have technologies and policies in place that allow them to get out in front of breaches when they occur, such as backup and recovery strategies and dynamic network segmentation for rapid detection and remediation.
Rather than seeing these new regulations as challenges or barriers, organizations would be better off by viewing them as an opportunity to achieve competitive differentiation, as a way to drive digital trust of their brands. Consumer confidence is already being influenced by their perceived risk of conducting transactions with online businesses, or whether their personal data is at risk of being compromised or stolen. Meeting or exceeding regulatory requirements will go a long way towards assuaging those concerns.
The question is – where to begin? A security and data privacy assessment is a good starting point. This starts by understanding your business and brand—what you do, what your short and long-term goals are, and why customers, partners, and employees trust you. Next, you should identify and examine all of the elements of your business that are at risk. Finally, you should implement a risk management strategy designed to protect, detect, report, and respond regardless of where in your distributed network a security event takes place.
To that end, here are six things every organization needs to consider as they prepare to meet the new requirements of GDPR:
- Analysis needs to be both top-down and bottom-up. Top-down refers to understanding what the business is trying to accomplish, while bottom-up is about understanding what needs to be done in each functional business unit to secure operations, and how they can all be tied together into a single, coherent strategy based on unified visibility and control.
- Organizations continue to need basic blocking and tackling, including secure network perimeter and segmentation infrastructures. But, we can no longer afford for these solutions to operate in isolation. Tools must be integrated to share relevant intelligence in real time, collaborative in order to automatically respond to detected security events, and adaptive so that your security solution can scale as resources change or new networking ecosystems are adopted.
- Stop thinking about security as prevention. Ask yourself what you would do differently if you knew your network was going to be compromised. Then, prepare for the inevitable with the right detection, remediation, backup, and disaster recovery strategies in place
- Identify and understand what you need to protect — personally identifiable information and proprietary data, what you need to report, and what data you may need to quickly identify and purged (and, how you are going to do that.) This means that you must be able to see and track data in use, at rest, and in flight, identify breaches anywhere, and then identify, remediate, and report on them quickly and efficiently – even in a multi-cloud environment or on remote or mobile endpoint and IoT devices. Such an approach necessitates the development of a broad, integrated Security Fabric that is elastic enough to span your entire network, and integrated enough to enable near real-time detection and remediation.
- As far as regulatory compliance goes, stopping a threat isn’t enough. You must also be able to demonstrate compliance via governance measures such as documentation, logging, and continuous risk assessment. A centralized management, orchestration, and reporting system that can see and talk to every security device on your network, combined with security tools that use a common communications framework in order to share and correlate data, policies, and threat intelligence, are essential component to any compliance strategy.
- Finally, you need to integrate Advanced Threat Protection into your security paradigm. This goes well beyond traditional Next-Generation Firewalls. ATP solutions enable you to dynamically protect against unknown threats using strategies such as sandboxing, micro-segmentation, behavioral analytics, machine learning, and automation.
With GDPR scheduled to come into full effect this May, private and public-sector organizations across the world have no time to waste in taking actions to ensure they are ready to comply with these new requirements. The best way forward is through a comprehensive and integrated strategy that is able to see and track personal data, as well as prevent, detect, and remediate data breaches anywhere they may occur. This is a strategic approach that not only enables regulatory compliance, but will allow you to differentiate security as a value-added dimension of your brand.