The General Data Protection Regulation, or GDPR as it is more commonly known, has been dubbed a landmark ‘win’ for data protection policy within European businesses. Replacing fragmented and disparate country-specific rules, the GDPR will set the standard for data protection across all 28 countries within the European Union. As it comes into force on the 25th of May 2018, European companies have less than two years to prepare their internal and external data protection policies accordingly.
With the looming prospect of a Brexit (the UK’s potential withdrawal from the EU) on the cards too, questions are being raised about whether UK-centric businesses will have to comply with the GDPR should it come to pass. However, it is my view that whatever happens with the referendum vote, it is likely that the UK would still have to follow the GDPR. Should it come to Brexit, the UK may even need to conform as a prerequisite for entry into the European Economic Area (EEA) or a wider trade agreement. Also, the bar could be set higher rather than lower, since the UK would likely want to be able to reassure the EU that its data protection laws are adequate so as not to scare away foreign investment.
Due to many recent high-profile cyber attacks across Europe and beyond, it is no secret that organisations of all shapes and sizes are becoming more savvy about cyber security risks, including breaches. One may assume, therefore, that the security solutions in place today across the majority of UK organisations will be enough to comply with the GDPR, or its equivalent, in 24 months’ time. Unfortunately, this is quite unlikely.
According to Code42’s 2016 Datastrophe Study, which surveyed over 400 UK IT decision makers (ITDMs), 50% of respondents acknowledged that the security measures they currently have in place will not be enough to meet GDPR standards. With heavy fines that can be levied against businesses seen not to be doing enough to protect sensitive customer data—€20 million or up to 4 percent of global annual turnover, whichever is greater—this should encourage many businesses to rethink their cyber defence. Otherwise they run the risk of their data being ‘uninsured’ come 2018.
Pre-empt the regulation
Keeping customer and corporate data safe, especially to GDPR standard (or beyond), requires a current and practical InfoSec strategy, which can mean significant investment. Businesses need clarity about what effective security in the modern enterprise looks like, all within the context of how today’s employees work. This means not just thinking in compliance terms, but also thinking about securing and encrypting data wherever it resides: in global data centres, on-premises, or on the devices themselves.
There are numerous ways in which data can be safeguarded, and many solutions in the marketplace make bold statements promising bulletproof all-round protection from breaches and cyber attacks. However, there are no silver bullets in security. The focus should be a “defense-in-depth” approach designed around root problem statements and measurable results. Today, businesses must adopt a whole stack of security solutions—from anti-virus programs, to breach detection solutions, to encryption tools, to modern endpoint backup and real-time recovery solutions. Additionally, teams are looking to optimise the technical footprint of their investment.
Also, focusing efforts exclusively on protection from external threats is incredibly short-sighted, yet it is something many businesses are still doing. The insider threat from disgruntled or unwitting employees is just as pronounced—and educating knowledge workers on the risks of poor data management is also something IT teams and CISOs should be actively pursuing.
The uncomfortable truth
Despite a robust combination of endpoint security tools that give businesses a fighting chance against certain cyber attacks, it is unfortunately still a matter of when, not if, a data breach occurs. It is essential that in such situations businesses can identify, mitigate, recover from, and report the breach quickly. This is especially important as one of the major directives of the GDPR is the need for a business to report any data breaches within 24 hours. The quicker the detection and remediation, the quicker the team can contain the attack and apply the lessons learned from the incident.
It is also imperative to take into account that modern employees access and handle corporate data more flexibly. In fact, according to the 2016 Datastrophe Study, IT decision makers believe that 42 percent of corporate data is now stored outside the confines of the traditional data centre, on employees’ endpoint devices. Mobile phones, laptops and tablets: they are miniature computers for a workforce keen to be connected anywhere and anytime. Third-party cloud solutions, too, often play an important part in an employee’s day-to-day work, but they bring their own security challenges when it comes to protecting sensitive corporate data. As a result, the enterprise’s cyber defence strategy needs to evolve to keep up with this shift in mobile computing needs.
The GDPR actually makes provisions for unstructured data, such as that managed by more consumer-grade cloud applications, which are often used by enterprise knowledge workers. Therefore, any security strategy needs to be far-reaching and address how and where your employees access corporate information. It has to have data protection at its core to comply with the regulation. Placing all your trust in a well-protected data centre alone is equivalent to burying your head in the sand.
So what should you do? Pre-empt the regulations by implementing the right endpoint security stack, and train your staff accordingly. Create internal policies that promote accessibility and flexibility with approved solutions, without locking the enterprise down to the point of stifling productivity. Fail to do this, and the GDPR will soon motivate businesses to get up to speed and build appropriate cyber defence structures—but it may have cost them a hefty fine along the way.