By Neil Thacker, Information Security & Strategy Officer EMEA at Forcepoint
The clock is officially ticking for organisations to get their data protection policies in order, now that the General Data Protection Regulation has been approved and is set to replace the previous EU Data Protection Directive.
The new regulation will come into effect in 2018 and will require businesses to put a much stricter focus on data protection. The headline items for organisations that collect or process EU citizen records are:

- They must notify their supervisory authority of a data breach within 72 hours.
- The subject will have the right to retract consent, request data erasure or portability.
- They may face fines of up to 4% of their worldwide turnover, or €20 million for intentional or negligent violations.
These increased sanctions mean it is vital that this new law be fully understood by a number of key stakeholders within the organisation, and that organisations start preparing as soon as possible.

There are five key steps to help organisations perform a basic assessment of their current data protection strategy and any potential gaps that need filling prior to a more comprehensive view of the GDPR.
Identify
The first task for any organisation must be to identify whether they are considered a data controller or a data processor. They must review the relevant obligations that each role carries, such as issuing notice to citizens and maintaining relevant consent from the data subject.

Businesses should make it common practice to regularly review existing and new business processes to identify Personally Identifiable Information (PII). They should identify where this data resides, whether it is at rest, in motion and/or in use, maintain a record of processing activities, and understand how this data is protected.
Protect
Once PII has been identified, organisations must then ensure they adequately protect this data. Encryption and access control are common control standards, but managing encrypted data across multiple business processes is a difficult task.

Data sovereignty and data lifecycle management are key to helping businesses ensure that EU citizen data is processed and stored appropriately. They also need to manage data flows to approved third-party processors, monitor for accidental data leakage from negligent or malicious employees, and protect against data theft by external agents.
Detect
If an organisation does suffer a loss of data, then it is vital to detect the breach and identify whether PII records were lost or stolen. If so, the business will be required to notify the necessary authorities within 72 hours of the discovery to initiate a full investigation.

The investigation will focus on identifying the source and destination of the breach through event and incident information from Data Leakage Prevention (DLP) and Data Theft Prevention (DTP) tools. Data forensics will then help to pinpoint the stolen data, at which point the business will be required to issue notice to any affected data subjects.