Organizations have less than six months to prepare for the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. But rather than see it as a threat, it can provide a real opportunity to re-think data security.
GDPR replaces Data Protection Directive 95/46/EC. It has been designed to reconcile data privacy laws across Europe, protecting EU citizens’ data privacy and re-modeling the way organizations address data privacy. Non-compliant organizations face hefty fines, yet many are still floundering.
According to a recent survey by the UK’s Technology Law Alliance, only 18 percent of UK and multinational organizations are "highly confident" that they will meet the deadline for GDPR readiness. The survey highlighted the main challenges organizations are facing, namely dealing with many systems on which data is stored and processed and the lack of internal resources and know-how about GDPR. However, 89 percent of respondents indicated that their organization was involved in some form of data mapping or data flow activity, yet only 41 percent had a detailed GDPR readiness plan in place.
GDPR readiness outside the EU
GDPR also applies to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. Outside Europe, GDPR readiness is at various stages of recognition. A recent Pulse survey by PwC found that over half of U.S. multinationals maintain GDPR as their top data protection priority. In addition, 77 percent plan to spend upwards of $1 million on GDPR, spurred on by potential fines of 4 percent of global revenues. Other regions, such as APAC, have been slower to grasp GDPR. A recent study by Vanson Bourne showed that 56 percent of Singapore companies expressed concern about meeting the GDPR readiness deadline, while 60 percent in South Korea and Japan had similar worries. Russia and Africa are following similar trends to the Asia Pacific region.
Turning challenge into opportunity
GDPR should not be viewed as a problem or another set of legislative hoops for organizations to jump through. It can be an opportunity for businesses to get their data assets in order, create better business processes and make more informed decisions.
Becoming GDPR ready will help enterprises understand how data flows through the organization and thereby provide a foundation to improve how data is collected, stored, used and deleted.
“Organizations have accumulated large amounts of data over time, and now, this is an opportunity to improve operational efficiency and reduce exposure,” explains Cédric Prévost, Director for Cloud Security for Orange Cloud for Business.
According to Prévost, there are four elements organizations need to keep in mind regarding GDPR readiness: processes, tooling, people and control. Processes will require adequate security policies to be put in place, and tooling may be required to track where data is stored (especially in unstructured data stores) and to support data accountability, he explains.
People are central to GDPR readiness working. “GDPR is a complex regulation,” says Prévost. “Your company needs to be able to prove business processes when dealing with data, so the fewer people and the tighter perimeter fence you have for accessing data, the more likely people will stay within GDPR goals.”
“It is paramount your people understand the way data is handled and protected and abide by your data control processes. To achieve this, people must have awareness and receive training regarding security and data protection,” he adds.
Prévost stresses the importance of remaining in control to achieve and retain GDPR compliance. “You need to be in control of what is happening at all times – your devices and your data at rest or in transit,” he explains. “Shadow IT raises a significant problem for GDPR, for example, as it makes it impossible to keep track of your data.”
GDPR in the cloud
Under GDPR, cloud users and cloud service providers share responsibility. But remember, it is ultimately your organization that is accountable for customer data in the cloud.
“If there is a data breach you will bear the full brunt of sanctions and fines, so it is critical that you work with a cloud provider you trust and take the time to assess if you are GDPR ready,” advises Joakim Karlsson, Cloud Sales Expert at Orange Cloud for Business. “The good news is that GDPR readiness will lead to better data management in the cloud.”
But this does not mean that you can rely on third parties to take care of your data security, as there still may be gaps in your organization left exposed, warns Karlsson.
GDPR compliance is not an option
According to Gartner, half of companies affected by GDPR will not be in full compliance when the directive is implemented in May. If you don’t want to be one of these, Prévost believes quick reactivity and immediate focus may help you to be compliant on time. GDPR looks at how data is used, where it is stored and for how long, and for what purpose it is used. It addresses how individuals should be informed about their data, how to anonymize it or even how it is erased. “With such a broad spectrum, the very first step must be to carry out a data assessment or audit,” explains Prévost. This begins with scoping out your data to identify target data sources and stakeholders. “Once you know where data is located and what type it is, you can tag it as being sensitive or not, and check who can access it and how,” says Prévost. “All this data may not already be fully compliant, but you will know exactly how much work needs to be done to achieve compliance.”
Running a comprehensive audit will not just start your GDPR compliance journey; it will also underscore your business processes and your wish to be a trustworthy data-driven business. “By achieving GDPR readiness, you will ultimately achieve better data management and thus even create value in your company. But remember – it is a continuous process and one that will carry on for the life of the business,” concludes Prévost.