The European Union's tough new data privacy law, the General Data Protection Regulation (GDPR), goes into effect on May 25, 2018. It's no big secret; cybersecurity and compliance experts have been sounding the alarm since the law was ratified in April 2016.
Yet, with a little more than two years to prepare, many enterprises that conduct business in Europe, or are entrusted with the data of folks living there, still aren't ready. And the risks of not complying with GDPR can be very severe should a business run afoul of European regulators, even if it isn't based in the EU.
Despite steep penalties for non-compliance, some organizations appear to be playing with fire, according to a survey from data protection specialist AvePoint and the Centre for Information Policy Leadership (CIPL). After polling 239 organizations, most of which have operations in Europe (89 percent), they found that only a little more than a third of respondents (35 percent) have a handle on the initial impacts of the regulation on their privacy initiatives.
Ahead of the May 25 deadline, eSecurity Planet asked industry experts how to address looming GDPR challenges. Here's their advice.
Risk assessments involve vendors, too
Your business may have performed a thorough evaluation, but does the same hold true for the IT vendors and service providers you depend on?
"How to properly assess risk management beyond your own organization and amongst your organization's trusted partners is critical for GDPR implementation," said Darron Gibbard, chief technical security officer and managing director of EMEA North at Qualys. "It's important for your organization to have appropriate agreements in place with third-party vendors for breach notifications."
Also keep an eye on service-level agreements (SLAs) as they pertain to existing contracts. The ability to perform an end-to-end risk assessment of every vendor your organization uses is another major consideration.
Consider keeping data local
Where businesses store information on their users is becoming as important as how it's stored.
"The implementation of GDPR brings challenges around data sovereignty and compliance that push businesses to have full knowledge and control over where data is housed," noted Peter Waters, chief privacy officer and vice president of Legal for EMEA at Equinix. "In today's era of cloud computing, data is constantly in movement, making it difficult to be compliant with these demands."
Waters suggested "having a presence in data centers across multiple regions, as storing data locally minimizes the impact of these new regulations."
Get serious about data classification
It's time to take a hard look at your data classification processes. Are they robust enough to satisfy GDPR requirements? Is user information being properly identified, organized and processed?
"Data classification is an area of GDPR that requires a significant amount of work and assessment," said Gibbard. "Organizations need to do full inventories of their applications, collect appropriate consent and have mechanisms, such as automated consent from their data subjects, to continue collecting it moving forward."
Gibbard noted that GDPR is littered with rules governing how organizations document the information they collect on their users, or "data subjects" as the regulation commonly refers to them, without breaching user agreements. "It is critical to use their data in a way that's in line with collected consent. Because of all this, being able to track that data end-to-end across all your applications is an incredibly difficult problem to solve," Gibbard said.
Although a challenge, implementing comprehensive data-tracking processes and technologies is not impossible. Gibbard believes that many enterprises will end up re-engineering applications and adding technical controls to existing business software to bring them into compliance.
Automation here is key, but not everyone appears to have received the message. The AvePoint and CIPL survey revealed that most companies are relying on manual data classification processes. Only nine percent of organizations use automated tagging in this regard.
Responding to GDPR data subject requests
Under the GDPR, organizations must furnish their users with a copy of their data if they request it. This must be done within a month and at no cost to the user.
There's some wiggle room, however. The deadline can be extended to three months for complex requests and organizations can charge a "reasonable fee" for additional copies of a user's data. Nonetheless, it's best to play it safe, Gibbard advised.
"Organizations that comply with GDPR must have a process in place for accommodating various data subject requests. Even though the regulation isn't prescriptive in nature, the vagueness of it provides a lot of leeway for regulators," he said. "Using a best practice framework like SANS Top-20 around infosecurity controls and auditing will be critical for their success."
Gibbard advocates taking a "privacy by design" approach to implementing systems that touch user data. This enables organizations to efficiently respond to data subject requests or purge their databases when users invoke the so-called "right to be forgotten" or right to erasure provision.
Don't neglect physical security
Most discussions on GDPR concern safeguarding the privacy of user data with cybersecurity measures and data management and protection policies.
As vital as these are, businesses must also take into account the physical security of their data centers and the systems within them, Waters reminded. "GDPR will require that data is protected by the highest possible standards. Along with integrated infrastructure security, physical security of the data centers plays a large role," Waters said.
"To meet the requirement for this integral part of data security, companies need to make sure that the servers that contain customer data, including personal data, are housed in a reliable facility," he added.