The clock is officially ticking for organisations to get their data protection policies in order, now that the final draft and approved text have been made available for the General Data Protection Regulation to replace the existing EU Data Protection Directive.

The new regulation will come into effect in 2017 and will require businesses to put a much stricter focus on data protection. The headline items for organisations that collect or process EU citizen records are:
- They must notify their supervisory authority of a data breach within 72 hours.
- The data subject will have the right to retract consent and to request data erasure or portability.
- They may face fines of up to 4% of their worldwide turnover, or €20 million, for intentional or negligent violations.
These increased sanctions mean it is vital that the final legislative text be fully understood by a number of key stakeholders within the business, and that businesses start planning ahead as soon as possible.

To help with that, here are five key steps organisations can use to perform a basic assessment of their current data protection strategy and of any gaps that need filling.
Underpinning all of this is the fact that businesses, no matter how large, have to begin thinking about their security in terms of when they will face an attempted data breach, rather than if. Only when businesses accept this will they be able to plan and execute successful security defences and policies.
Identify
The first task for any organisation must be to identify whether it is considered a data controller or a data processor. It must then review the obligations each role carries (such as issuing notices and obtaining consent) and regularly review existing and new processes around PII. It can then discover where this data resides, whether at rest, in motion and/or in use, keep a record of processing activities and understand how this data is protected.
Protect
Once PII has been identified it must then be protected. Encryption and access control are common control standards, but managing encrypted data across multiple business processes is a hugely difficult task. Data sovereignty and lifecycle are key, alongside data flows to third parties and monitoring for data leakage from negligent or malicious employees and for external data theft.
Detect
If an organisation suffers data loss then it is vital to detect the breach and identify whether PII records were lost or stolen. If so, the business must notify the authorities within 72 hours of the discovery and initiate a full investigation. The investigation will focus on identifying the source and destination of the breach through information from Data Leakage Prevention (DLP) and Data Theft Prevention (DTP) tools. Data forensics will help to pinpoint the stolen data, so the business can issue notice to any affected data subjects.
Response
Incident response is critical to protecting EU citizen data. In addition to the mandatory data breach notification requirement, organisations must also ensure they have