Over the past 12 months, I've heard the word “compliance” thrown around quite a bit. Only now does compliance depend on what department or industry you are in. From ISO to General Data Protection Regulation (GDPR), compliance is now at the forefront of the requirements. More importantly, compliance is now being recognized by the boards, highlighted in many cases by the consequences (being fined) for not maintaining compliance.
One thing to remember is that it’s not always an IT problem. I don’t know how many times I have walked into a meeting and been asked by a customer what they need to buy. Take GDPR, for example. Out of 107 actions, only eight can be fixed by a purchasable IT solution. The rest is policy-driven, and this is where it gets complicated. To stay compliant, you need to make sure you have a management suite that can monitor the policies you have in place.
For this article, I am going to focus on one of the hot topics of conversation when it comes to compliance. The new European GDPR regulations. For many, this is a word that either causes confusion or panic. Please don’t panic! Don’t burrow your head in the sand. Talk to the experts! I may not be an expert when it comes to compliance, but over the last twelve months, I have learned a lot from listening and talking to partners and customers about their experiences. One of the big points I hear about over and over again concerns your foundations. Where does your business stand today in line with the new regulation? You must make sure you can clearly define or find the information you need to start. From hardware inventory, current security vulnerabilities, firewall policy and more important classification of your data. It is fine to have all these tools to monitor and protect against security threats and data breaches. However, if you don’t understand your data and how you use it you will struggle to understand and meet the GDPR requirements.
So, let’s take it back a step for anyone reading about GDPR for the first time.
The EU GDPR goes into effect May 25, 2018. It applies to all organizations processing the personal data of EU residents. The regulation will introduce a new way for organizations handle data protection and it will be enforced fairly. The penalties for non-compliance of GDPR can be up to 20 million euros or four percent of company’s annual turnover. In addition, data subjects get a right to claim for compensation against an organization under GDPR.
It is important to remember that a data breach isn’t necessarily black and white. You could have all the security and encryption layers you want, but you may still be breached from either an external intrusion or an internal intrusion. What has become clear to me is that you need to have a clear audit trail of data throughout the business, from tracking user activity to change control activities and everything in between. The reason this is important is that part of the GDPR regulation requires that you declare to the ICO or equivalent any data breaches within 72 hours. Having an audit trail that proves that you have adhered to all policies and procedures may help reduce any penalties imposed on your company.
Let’s stop and think about the IT elements for a moment. It’s all well and good that you can provide the audit trail once you have been breached, but what elements do you need to think about when you’re trying to prevent a breach? It’s not as simple as just encrypting everything. You should make sure you keep your internal system up to date with the latest patch, so make sure you have a good patch manager in place to monitor servers, end-user devices, etc. One of the other elements you need to keep an eye on is your firewall management. Make sure that this correctly patched, and, more importantly, that all policies are adhered to and implemented.
As I said at the beginning, I am not an expert on compliance, but these are thoughts and things I have picked up on over the past year. So, here's my call to action for anyone reading this: Make sure you understand your data, and remember that the hard part isn’t becoming compliant; it’s the challenge of staying there.