The one-year countdown to GDPR compliance has officially begun. For those of you still wondering what all the fuss is about, new research by Ponemon has revealed that public companies suffer on average a 5% share price drop immediately following disclosure of a breach. The EU General Data Protection Regulation (GDPR) will ensure there’s no room to hide: as of 25 May 2018, if you’ve been breached you must notify the Supervisory Authority within 72 hours of becoming aware of it, unless particular circumstances apply.
The Problem with Shadow IT
With a piece of legislation as broad and complex as the GDPR, it can be tough knowing where to start. An essential first step, however, is data mapping. This will help you understand what data you’re processing, how and where it’s stored, who it’s shared with and how it’s protected. This is all information which you absolutely must know. After all, you can’t protect data if you don’t know where it is, what it is and how it’s currently controlled.
This is where things might get a little tricky thanks to shadow IT. Unfortunately, users will be users, and many may have bypassed the IT function in a bid to work in a faster and more productive way. It’s important to bear this in mind as you begin your data mapping. Cloud-based services are a particular favourite: both consumer-grade and business platforms can be registered and set up quite easily by employees. Either way they must be mapped, so pay close attention to data flowing out of the network to such platforms.
Once you know where the data is, Article 25 of the GDPR states that you’ll need to “implement appropriate technical and organisational measures” to ensure compliance. There are no prescriptive technologies mentioned in the regulation, aside from encryption and pseudonymisation, so much of it boils down to the “state of the art” and received best practices. For some UK firms currently complying with the Data Protection Act, there may in fact be little extra required, although just how little will depend on each organisation.
Data minimisation is one such best practice. Once you have classified what you store and process, it would be a good idea to go through and delete any non-essential customer data, thereby reducing your risk. As the GDPR states: “only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.”
Still, it can be tricky knowing if your technical controls are “appropriate” enough. To help with this, consider following an “approved certification mechanism” like ISO 27001. There are certainly areas in the GDPR which this internationally recognised standard doesn’t cover — such as the right to data portability — but when it comes to data security, it’s pretty well aligned.
This makes access controls a vital part of any GDPR compliance plan. We recommend risk-based, adaptive multi-factor authentication, which can identify on the fly when a log-in looks risky and request more information from the user before completing authentication.
The research revealed a worrying disconnect between the expectations of customers and the priorities of IT professionals. For example, 73% of consumers polled said organisations have an obligation to control access to their information, yet just 44% of IT security practitioners agreed. Be in no doubt, however: European regulators will come down hard on any firm they believe hasn’t taken adequate steps to safeguard consumers’ personal data.
As key members of the compliance team over the next 12 months, IT has a vital role to play in ensuring data is secured at all times according to best practices.
By Barry Scott, CTO EMEA at Centrify
Join us on 12 October 2017 at Compliance Briefing: London.