GDPR is coming. Here’s the information you need
General Data Protection Regulation (usually known as GDPR) is getting closer and closer and the new regulations will effectively determine how you handle all of your data. Are you ready?
You have until 25th May 2018 to seek out, test and implement technology solutions that will align your organisation with the new regulation.
Fear not! It is not impossible, though an immediate start is necessary if you want to fall in line with the new regulations by the deadline. The first step would be to familiarise and understand these 4 key points on GDPR.
Your identity will be your responsibility
Identity requirements are going to expand. Auditors are going to be looking for any weak, static and/or easily compromised credentials and will consider your company accountable.
Responsibility for securing, detecting and reporting a breach will fall entirely on your shoulders as well. To avoid any penalties, its best to ensure that you locate where all your sensitive information is and keep a record of all personnel who have access. Once this is done, it’s important to then implement (if you haven’t already) strong authentication between users and data.
Basic passwords aren’t going to cut it anymore
You have to go beyond passwords, though this is not a mandate for two factor or multifactor authentication per se, but it is worth noting that a static single password for all accounts is simply not secure enough for sensitive information. Any breach means not only a loss or corruption of data but could lead to heavy penalties from vigilant auditors.
Some organisations are using this opportunity to get rid of passwords altogether. In the coming months as you prepare for GDPR look to replace static passwords with more secure contextual and behavioural-based solutions that deliver a secure and more convenient experience to your users.
It doesn’t matter where you are in the world
Any organisation operating, storing or processing data within the European Union needs to be in compliance with GDPR on 25 May 2018.
GDPR extends to every and any organisation that handles and stores personally identifiable information (PII) of EU citizens or runs data through an EU data centre.
This could mean a wake-up call to companies in the US, Canada, Japan, Singapore, China, India and any other countries that assume that GDPR is not applicable.
Penalties for non-compliance with GDPR
GDPR has gained much attention simply from its strict fine regime. 4% of your global worldwide revenue or €25 million can be expected to be the payable fine for a serious breach.
Early indicators suggest that EU regulators are looking to the enforcement clauses of the GDPR in order to make early examples of any non-complying companies. Whether this is true or not, it’s definitely best practice to fall in line otherwise risk being one of the first companies to lose on reputation and revenue from GDPR enforcers.
In summary
The key is to start early and understand where your sensitive data is and to audit technology, and the current level of security awareness within your organisation. The next step is to act on any shortcomings in a structured manner, documenting any new procedures that staff will need to adhere to. It’s not going to be easy, but there is certainly still time!
You can find out more about what Browser is doing to comply with the GDPR rules in this blog post.