GDPR Compliance: The Impact on Infosec in 2018 and Beyond



27 security pros discuss how GDPR will impact information security teams globally.

The General Data Protection Regulation (GDPR) replaces Data Protection Directive 95/46/EC on 25 May 2018, meaning information security teams need to start preparing now to ensure that their organizations remain compliant when the new rules go into effect, or risk stiff fines and penalties. GDPR applies to organizations established in the European Union (EU) as well as to any company, wherever it is located, that offers goods or services to EU residents or monitors their behaviour. In other words, GDPR will have a far-reaching impact on global organizations.

What does GDPR mean for global information security teams, and how should they prepare for the upcoming changes? To gain some insight into the anticipated impacts of GDPR on businesses located in the EU as well as those who market goods or services to residents of the EU, we reached out to a panel of information security leaders and asked them to weigh in on this question:

"How will GDPR affect information security teams globally?"

Meet Our Panel of Security Professionals:


Thomas Fischer

@FVT

Thomas Fischer is global security advocate at Digital Guardian, based out of our EMEA headquarters in London. In addition to his role at Digital Guardian, Thomas is director of the BSides London conference.

The upcoming EU General Data Protection Regulation (GDPR) will be one of the strictest and most far-reaching data protection regulations ever passed...

Imposing tight data protection requirements and heavy penalties for non-compliance for any business around the world that collects or processes EU resident data. The goal of the GDPR is to harmonize data privacy laws across Europe, protect and empower all EU citizens’ data privacy, and reshape the way organisations approach data privacy.

The GDPR will be the largest overhaul to data privacy regulations that the EU – and much of the world – has experienced in the past 30 years. Its privacy requirements will be extensive and thorough, including the protection of EU citizens and residents’ personal information, such as data related to their health, genetics, biometrics, race, sexual orientation, and political opinions.

With GDPR coming into effect on May 25, 2018, any organisation handling EU residents’ data should be prepared to comply with stricter privacy regulations or be ready to pay up to 4% of their global annual revenue in fines or €10,000,000. This is a substantial stick carried for non-compliant companies, but the carrot for compliant companies is the increased customer trust and loyalty that can follow when companies demonstrate success in protecting EU citizens and residents’ personal data.

Unfortunately, many organisations can be slow to adapt to new changes like the GDPR and need to accelerate their efforts in order to ensure GDPR compliance before the deadline arrives. A shocking 52% of companies believe they will not be ready for GDPR enforcement and will end up paying fines! In order to avoid this it’s important to prioritize resources, processes, and people to ensure you are not only preparing for GDPR, but are also establishing an ongoing program that will eventually evolve into routine business operations.

Gaining executive leadership and stakeholder cooperation is the first step in complying with GDPR. Having board level buy-in from the beginning is critical, as is appointing an executive leader; preferably the CEO. GDPR isn’t primarily a security issue nor is it all about IT – it’s a business problem that relies on cross-departmental collaboration from all stakeholders to be successful. Appointing a strong centralized GDPR leader with a core GDPR team across business units is the first step in progressing toward GDPR compliance; however, the core GDPR project team needs to be accountable to the board and executive leadership teams, with direction coming from the top down.

There are many questions about the role of the data protection officer (DPO). GDPR only requires the appointment of a DPO by companies in limited cases, namely when the company’s core activities consist of the following:

  1. Data processing operations which require regular and systematic monitoring of data subjects on a large scale;
  2. Processing on a large scale of special categories of data, i.e., sensitive data such as health, religion, race, sexual orientation, etc., and personal data relating to criminal convictions and offenses.

Public authorities are always required to appoint a DPO under GDPR. In general, a DPO will be required if your company processes and manipulates personal data (e.g. banks, healthcare, credit companies), but if the company only has HR data they are not required to have a DPO.

Currently, the International Association of Privacy Professionals (IAPP) estimates that 28,000 DPOs are required in Europe in order to achieve perfect compliance by the May 25, 2018 deadline. The demand to fill the position will certainly increase as we move closer to the GDPR enforcement date.

When the GDPR goes into effect, the DPO becomes a mandatory role under Article 37 for all companies that meet these criteria. DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities (SAs) that oversee activities related to data collection or processing.

It’s important to note that DPOs do not need to be members of the organisation. The GDPR does not include a specific list of DPO credentials, but Article 37 does require a data protection officer to have “expert knowledge of data protection law and practices.” The Regulation also specifies that the DPO’s expertise should align with the organisation’s data processing operations and the level of data protection required for the personal data processed by data controllers and data processors. If you’re selecting an external DPO, ensure that they know and understand not only the data but also the business they are working for.

DPOs may be a controller or processor’s staff member and related organisations may utilize the same individual to oversee data protection collectively, as long as it’s possible for all data protection activities to be managed by the same individual and the DPO is easily accessible to the related organisations whenever needed. It is required that the DPO’s information is made public and provided to all regulatory oversight agencies.

It is recommended that organisations start evaluating potential DPO candidates now so they can determine if they meet the requirements while being a valuable addition to the GDPR stakeholder team. Start by looking for candidates within your organisation, as they have the best understanding of your business.

GDPR is fairly nebulous when prescribing solutions or technologies to achieve compliance; however, this is intentional. The GDPR is designed to accommodate new and emerging technologies, such as cloud-based systems, IoT, machine learning, and social networks. Many of these technologies weren’t available when previous data protection regulations – such as the EU’s Data Protection Directive of 1995 – were established, so the GDPR was designed to be flexible in how organisations can comply with its technology mandates. The downside is that this leaves many companies lacking guidance as to what technologies can help them speed or enable GDPR compliance.

It’s recommended to start with a visibility assessment of what data exists within your environment and what types of personal data – particularly GDPR-regulated data – you are collecting, handling, and storing so you can have a deep understanding of your risk exposure and prioritize further compliance efforts from there.

Whatever technologies you choose to adopt, it’s imperative to understand how they enable you to process personal data and put controls around that data, which include consent (opt-in), the right to be forgotten, transparency, and data portability, as users have the right to receive documentation of how their personal data is being used and stored.

While organisations are going through their GDPR compliance program and determining the impact the new regulation will have from a people, process, and technology perspective, some may find it more cost-effective to outsource to a managed security program (MSP) that handles the process for them. With the current dearth of IT security talent, this may become a more viable option for organisations who lack the internal resources and headcount but need to be compliant with GDPR.


Steve Durbin

@stevedurbin

Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

"The General Data Protection Regulation (GDPR) will certainly have an international reach..."

Affecting any organization that handles the personal data of European Union (EU) residents. Any company holding a person's data that is moving across EU jurisdictions will be affected, even if the company is not located in Europe. This includes US-based organizations as well. The account holder/individual's data is still moving across the jurisdiction so they are responsible for it.

At the Information Security Forum (ISF), we anticipate that most organizations will need to designate a Data Protection Officer (DPO), with the International Association of Privacy Professionals' (IAPP) research suggesting a requirement for up to 75,000 new DPOs worldwide. This likely shortage of qualified individuals, coupled with the length of typical corporate hiring cycles, means that an organization that has yet to designate a DPO should either start recruitment now; identify an internal candidate and start training them; or seek external expertise to fulfill the role requirements.

The GDPR is putting data protection practices at the forefront of business agendas worldwide. For most organizations, the next 12 months will be a critical time for their data protection regimes as they determine the applicability of the GDPR and the controls and capabilities they will need to manage their compliance and risk obligations. Because of the effort required to report data breaches, it is absolutely essential that organizations prepare in advance. For many, this will require a more coherent incident response process along with closer cooperation between multiple departments, in particular legal. This coherence is essential, as Data Protection Authorities (DPAs) will want to see a transparent rationale for remediation actions taken in response to a data breach.

With reform on the horizon, organizations planning, or already doing, business in Europe, should get an immediate handle on what data they are collecting on European individuals, where is it coming from, what is it being used for, where and how is it being stored, who is responsible for it and who has access to it. Don't wait for reform to be instituted. By that time, it will be too late.


Rita Heimes

@PrivacyPros

Rita Heimes, CIPP/US, CIPM, is Research Director at the International Association of Privacy Professionals. She is an attorney and academic with many years of experience in the fields of privacy, information security and intellectual property law. In her role, Rita helps to promote the privacy profession through empirical and qualitative research on privacy functions globally.

"One of the biggest global impacts the GDPR will have is..."

The appointment of Data Protection Officers (DPO). As part of compliance, companies that process data on a large scale should appoint a DPO to participate in privacy and security decisions and be involved in incident response teams. The IAPP has estimated that at least 75,000 DPOs will need to be appointed globally.

Additionally, we've seen that companies are investing resources in vendor management which is a significant data security concern. This includes updating security technology which can be a hefty cost. The cost of technology will vary based on the type of data that the company handles. For instance, a company that handles sensitive data such as ethnic origin or health history will require the highest-level of security controls.


Michael Fimin

@TrueCalifornian

Michael Fimin is an accomplished expert in information security and the CEO and co-founder of Netwrix, a provider of a visibility and governance platform that enables control over changes, configurations and access in hybrid cloud IT environments to protect data regardless of its location.

"In 2016, it was announced that the General Data Protection Regulation was finally approved by the EU Parliament..."

Now there's a little under a year left before the day GDPR will be enforced - 25 May, 2018. Although the new regulation will mainly affect individuals and organizations within the European Union, it will also affect U.S. companies, as the new privacy model applies to any enterprise in the world that targets the European market or profiles European citizens. In fact, all companies processing EU personal information will have to comply with the new regulation.

Security teams in the U.S. have to note that protective measures added to GDPR, such as fines for non-compliance, the right to be forgotten and the need for explicit agreement to collect personal data will require organizations to revise their data privacy and compliance programs. Here are the steps security teams should take to get prepared for the GDPR:

1. Develop a data privacy program, which will require an organization to collect and retain personal information only to the extent necessary (e.g., adhering as closely as possible to the European Union's purpose limitation requirements).

2. Appoint a knowledgeable data protection officer or a chief privacy officer to oversee the company's privacy practices and ensure compliance with both domestic and international regulations.

3. Document and explain the legal basis for collecting, storing and processing personal data in your privacy notice to comply with the GDPR's 'accountability' requirements.

4. Have visibility into critical data (e.g., what data you hold and who you share it with), as well as review contracts with third parties that process or maintain collected personal information to ensure proper safeguards and mitigate security risks.

5. Ensure that there are updated and tested data breach response policies and programs to provide timely notification to regulators and consumers in the event of a data breach.


Adrian Davis

@adrian_adavis

Adrian Davis, CISSP, heads the Europe, Middle East and Africa (EMEA) team for (ISC)2, the global, nonprofit leader in educating and certifying information security professionals throughout their careers. Before joining (ISC)2, Adrian led the Leadership and Management Group for the Information Security Forum. Adrian is an active participant in ISO and has assisted in the development of several information security standards within the ISO/IEC 27000 series on supply chain security, professionalism and cyber insurance and is also leading initiatives to embed information security into education, working across the UK and Europe.

"The first thing international security teams must appreciate is..."

That they should be looking to comply with the entirety of the legislation. Companies outside of the European Union (EU) may fall into the trap of believing that they may only need to be concerned about protecting the transfer of data outside of the EU and the security of this data within their systems. The legislation goes much further to give individuals rights that they have never had before and to set foundations for fairness as companies take advantage of the vast amounts of data they collect while doing business in a digital economy.

As an international nonprofit membership association with over 120,000 certified cyber, information, software and infrastructure security professionals around the world, (ISC)2 is working through its EMEA Advisory Council to benchmark progress and share global experience with GDPR implementations. Their work highlights that GDPR compliance must involve the entire organisation. GDPR goes well beyond the remit of security teams and involves legal, marketing and HR; in fact, GDPR applies to any function that handles personal data (including the personal data of staff, contractors, suppliers and customers), and each team cannot work alone. Once companies understand this, they can begin to structure a plan for compliance that will meet the obligations in GDPR.

Companies must begin by developing an understanding of what really matters to their business or organisation. Any company that currently holds and works with personal data of EU citizens today should be instructing every department to ask some basic questions around how and why they collect and use this personal data and the value it has to a given function or product line, before they consider what is needed to ensure they can continue to work with it. Such an approach will inherently allow the development of a business case for the changes ahead and motivate the support required to devote the resources and budgets to enable the change.

At the outset, GDPR may look like an imposing and costly exercise, but the value for business and economies has the potential to be enormous for those who get it right. Companies today collect vast amounts of data, despite the fact that a growing body of research shows that they do not understand or derive value from more than half of it. GDPR can be used to create opportunity by cleaning house, honing processes to collect the right information at the right time, and developing a stronger bond with the customers we collect it from. Simply put, it is an opportunity to take stock and make improvements.

International businesses that trade with the EU will need to comply with GDPR, and, I suspect may want to look at how they manage the personal data for all customer and supplier relationships, not just the European ones.


Ken Spinner

@varonis

As Vice President, Ken is responsible for all pre- and post-sales engineering activities. In this position, he oversees all field technical activities with customers and partners, focusing on driving customer success through consultative pre- and post-sales engagements. Since joining Varonis in 2006, Ken’s team has helped customers develop industry-leading Data Governance strategies and implementation plans, resulting in significant risk reduction and operational efficiencies. Mr. Spinner's career spans 28 years with previous leadership roles at Neoteris/Netscreen (acquired by Juniper), BlueCoat Systems and Merck and Company. He holds a Bachelor of Arts degree from Rutgers University.

"One way to think about GDPR for information security teams is..."

That it simply legislates a lot of common sense data security ideas, especially from the Privacy by Design school of thought: minimize collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle.

These principles should be applied to any kind of personal information or other sensitive data; however, the 4% of global revenue fine for GDPR will make sure information security teams globally search their networks for EU-specific personal data, regardless of their company’s office or server locations. One of the biggest misconceptions is that non-EU companies, even UK companies post-Brexit, do not have to comply with the GDPR. I hate to break it to them, but if they’re a global organization that collects EU citizen data, then they must comply.

Searching for and classifying region-specific personal data is not new or foreign. Even now the EU falls under the Data Protection Directive and many other countries have similar initiatives. South Africa will be instituting a new regulation under PoPI and in the U.S. there’s PCI, HIPAA and countless state regulations. In order to meet these new regulations or even determine if you need to meet them, every organization should create an asset register of sensitive files that fall under these regulations, understand who has access and who is accessing it and determine when data can and should be deleted.

Information security departments have their work cut out for them; in the recent 2017 Varonis Data Risk Report, 47% of organizations had 1,000 or more sensitive files (personal data, IP, financial, etc) open to every employee – that’s a lot of sensitive data that could be exposed.

Overall, the message for global information security teams who must comply with GDPR is that awareness of your data — where is sensitive data stored, who is accessing it, and who should be accessing it — will now become even more critical.
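The asset register Ken Spinner describes, and the visibility assessment Thomas Fischer recommends earlier on this page, is work a security team can script. The Go program below is an added example, not code from the original article or from Varonis or Digital Guardian: it walks a file share, classifies each file with a few deliberately simple, hypothetical patterns (email address, IBAN-like account number, health terms), and records whether the file is readable by every user on the host, the POSIX approximation of "open to every employee". The sample files it writes are constructed for the demo.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"sort"
)

// Finding is one row of the asset register: a file, the personal-data
// categories detected in it, and whether every local user can read it.
type Finding struct {
	Path       string
	Categories []string
	WorldRead  bool
}

// detectors are hypothetical, intentionally simple patterns for illustration;
// a production classifier would use validated checks (IBAN checksums, dictionaries).
var detectors = map[string]*regexp.Regexp{
	"email":  regexp.MustCompile(`(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b`),
	"iban":   regexp.MustCompile(`\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b`),
	"health": regexp.MustCompile(`(?i)\b(diagnosis|blood type|medication)\b`),
}

// ScanShare walks root, classifies every regular file, and records whether the
// "others" read bit is set. Files with no personal data stay out of the register.
func ScanShare(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		var cats []string
		for name, re := range detectors {
			if re.Match(data) {
				cats = append(cats, name)
			}
		}
		if len(cats) == 0 {
			return nil
		}
		sort.Strings(cats)
		rel, _ := filepath.Rel(root, p)
		out = append(out, Finding{
			Path:       rel,
			Categories: cats,
			WorldRead:  info.Mode().Perm()&0o004 != 0,
		})
		return nil
	})
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, err
}

// BuildSampleShare writes constructed sample files under dir: a locked-down HR
// export, a patient note open to everyone, and a harmless meeting minute.
func BuildSampleShare(dir string) error {
	files := []struct {
		name string
		mode os.FileMode
		body string
	}{
		{"hr/payroll.csv", 0o600, "name,email,iban\nA. Example,a.example@example.org,DE89370400440532013000\n"},
		{"shared/patient-note.txt", 0o644, "Diagnosis: seasonal allergies. Contact: p.example@example.org\n"},
		{"shared/minutes.txt", 0o644, "Quarterly planning meeting, agenda attached.\n"},
	}
	for _, f := range files {
		p := filepath.Join(dir, f.name)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(f.body), f.mode); err != nil {
			return err
		}
		// WriteFile honours the umask; force the intended bits so the demo is deterministic.
		if err := os.Chmod(p, f.mode); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "gdpr-share")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := BuildSampleShare(dir); err != nil {
		panic(err)
	}
	reg, err := ScanShare(dir)
	if err != nil {
		panic(err)
	}
	for _, f := range reg {
		fmt.Printf("%-26s categories=%v world-readable=%v\n", f.Path, f.Categories, f.WorldRead)
	}
}
```

Running it lists two register entries: the payroll export (email, IBAN; not world-readable) and the patient note (email, health; world-readable), while the minutes file is ignored. On an SMB share the equivalent check is whether Everyone, Domain Users or Authenticated Users appear in the ACL rather than the POSIX "others" bit, and the register should additionally record the owner and the last-access time so the "who should be accessing it" question can be answered.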


Michael Bruemmer

@Experian_DBR

Michael Bruemmer, vice president Experian Data Breach Resolution Group, has more than 25 years' experience working with data breaches and has taken a keen interest in the impacts of GDPR.

"With GDPR going into effect May 2018..."

Information security teams will be faced with numerous changes regarding the processing of data. Perhaps one of the biggest changes for European companies and companies selling goods or services to individuals living in the European Union (EU), will be the new data breach notification laws. Here are four factors information security teams will need to consider as they plan for and respond to a data breach:

1. Understand the risks – GDPR doesn't just impact European companies, any company outside the EU offering goods or services to individuals in the EU is also subject to the new regulations. Information security teams will need to understand exactly what information their company is collecting on EU consumers, and if the exposure of that data could fall under the GDPR's definition of a personal data breach.

2. Rapid response – With the new 72-hour notification mandate, security teams will need to be prepared to react to a breach quickly. The best way to have a timely and effective response is to develop a breach response plan that provides guidance on whether the authorities and/or customers need to be notified. Given the timeframe, it is also crucial that the plan includes a procedure for internal communications, investigating the breach and standing-up a multinational response team.

3. Multinational response team – One of the most challenging issues information security teams may face with GDPR is planning for and standing-up a multinational response team, including legal counsel, communications professionals, data breach resolution providers and forensic experts. During the planning phase, the team should work with their legal counsel and data breach response vendor to identify international partners. This team can help the company understand local laws and customs, translate notification letters, set-up multi-lingual call centers and effectively communicate with an audience that may not be used to receiving a data breach notification.

4. Thinking beyond GDPR – There are numerous aspects of consumer protection and brand reputation that information security teams will need to consider that are not laid out by GDPR. For example, will the company offer consumers identity protection products? How will they plan to engage with regulators before, during and after a breach? Thinking beyond the new regulations will help the team play a vital role in not only securing data but in maintaining consumer trust and brand reputation.


Andy Mills

@appliedriskman

Andy Mills has held senior positions in BT plc, Concert Communications Ltd and was a founding member of Infinity SDC Ltd, an innovative data center company. In February 2014, Andy formed a new company called Applied Risk Management Ltd to focus on Governance, Risk and Compliance and become a freelance management consultant and ISO auditor. Andy conducts ISO audits on behalf of UKAS accredited certification bodies and also helps organizations gain ISO certifications.

"The new General Data Protection Regulation (GDPR) will be enforced in the UK and across the EU with effect from 25th May 2018..."

GDPR will impact organizations globally if they have an establishment within the EU or they process data about EU citizens (data subjects) in connection with offering them goods or services or monitoring them, in particular through online profiling.

GDPR applies to data controllers and data processors alike, so organisations' information security teams must determine what data the organization holds, know where it is held and risk-assess it, then put in place appropriate controls to ensure compliance with the broader and more onerous data protection requirements in GDPR. Public authorities and organizations that process large amounts of personal data must appoint a competent Data Protection Officer (DPO). This takes time and effort. The cost of not doing this now, in advance of May 2018, is the punitive penalties written into GDPR. One of the more challenging new requirements is the obligation to report a data breach within 72 hours of becoming aware of it. Therefore, an incident response capability is required. Complying with GDPR is not a one-off task; it must become the new norm.

The onerous requirements within GDPR require impacted organizations in the UK, EU and globally to have a management system that ensures compliance. Article 42 of GDPR recommends that organizations implement and gain certification for an information security management system. Although not the complete answer, gaining certification against ISO/IEC 27001:2013 helps organizations maintain an effective information security management system that goes a long way towards achieving and maintaining compliance with GDPR.


Carlos Pelaez

@VMware

Carlos Pelaez is the Global Cyber Strategist for VMware, a global leader in cloud infrastructure and technology virtualization. He interprets global requirements around compliance and cyber risk with the goal to enhance VMware products to meet customer needs.

"Data protection will be evolving under GDPR..."

It will expand the responsibilities of the security team to include management of where data is stored and the path it traverses. Data will not be allowed to leave the boundaries of the European Union (EU), and the responsibility for its protection will require the creation of a Data Protection Officer. This elevates the governance that supports data management. Security teams will be tasked with mapping the data flows and ensuring that the applications and 3rd parties that use the data are adhering to the same security standards. The role of a security team will expand as a data custodian supporting GDPR from a security perspective. Security teams will need to work closely with data business owners to ensure that the security capabilities within the security team align with the data governance framework.

Finally, the global impact will be seen the most by the European based teams. GDPR will impact countries that are part of the EU and the data that belongs to the constituents of the EU. The challenge will be for teams located outside of the EU that manage EU data. The potential to use virtualization to control data flows and apply strong policies that restrict its movement should be integrated into a larger data security architecture. Security teams should evaluate technology architecture solutions that will help support the evolving data governance required by GDPR. The potential to enhance data security and for security teams to help shape the future of the security architecture is a unique opportunity that should bring all parties together.


Ankur Laroia

@ankuronEIM

Ankur Laroia serves as Leader - Solutions Strategy at Alfresco, where he leads, guides and directs the application of the latest Enterprise Content Management and Business Process Orchestration technologies and frameworks with respect to developing transformative strategies and models that support the use of computational technology to gain competitive efficiencies and achieve successful business outcomes.

"GDPR is the biggest change to the regulatory landscape of data privacy in the EU..."

GDPR brings with it the notion of extended jurisdiction, meaning that it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location. GDPR makes its applicability very clear - it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU.

This statute has lingering implications for global organizations and their security teams, as they have to inventory, curate and protect the personal data of EU citizens all across the globe. The hardest pieces of this relate to the inventory and curation of this data, and there are silos of this information scattered across file shares, content management systems and collaboration systems in concert with line of business applications and ERPs. Without having a well-defined information management strategy and platform in place, achieving compliance with GDPR is next to impossible, as most CISOs do not have a good handle on the inventory of sensitive assets in the computing enterprise. Penalties for non-compliance or compromise of personal data will result in either a fine of 4% of total turnover or 20 million euros (whichever is greater), therefore this is a pressing matter that most global entities need to tend to and currently lack the platforms to do so.


Mike Meikle

@Mike_Meikle

Mike Meikle is a Partner at SecureHIM, a healthcare security consulting and education company. SecureHIM provides cybersecurity training for clients on topics such as data privacy and how to minimize the risk of data breaches.

"The General Data Protection Regulation (GDPR) is..."

Very similar to the U.S. NIST, PCI DSS, and HIPAA data security standards. Like U.S. HIPAA or PCI rules, GDPR lays down a foundation of data security and privacy requirements, how consumers can access and transfer their data, fines and penalties and how GDPR applies to EU member states.

GDPR will impact information security products and services globally. Security vendors will have to incorporate GDPR standards into their products and InfoSec professionals will have to be familiar with the various privacy and security rules within GDPR.

Information security professionals must have more than a passing knowledge of the various rules and regulations that impact the management of the enterprise data in their charge. InfoSec pros must be familiar with local, state, federal and international privacy and security guidelines that govern the confidentiality, integrity and availability of the data they protect. Knowledge of legal and regulatory frameworks is becoming as important a skill as proficiency in the security technologies they use to protect sensitive data.


Ashwin Krishnan

@HyTrust

Ashwin is the SVP of Product Management and Strategy at HyTrust. Previously, he held roles at Versa Networks, Juniper Networks, and Nokia. Ashwin frequently speaks at industry conferences and blogs on security, cloud, SDN & NFV. He also co-authored a book on Mobile Device Security for Dummies published by Wiley.

"GDPR officially goes into effect on May 25, 2018..."

And is sending many IT security teams into a tailspin. Uninformed or poorly informed teams mistakenly assume that this affects only European organizations, but this is far from true. Any organization that has operating entities, partners or has any exchange of digital data to and from the EU is now subject to this. This means every organization in the world that transacts with any European organization is impacted. And the penalties are enormous – 4% of worldwide revenue or 20M Euros – whichever is higher.

It will be critical for IT security teams to show data compliance, by demonstrating that how data is collected is lawful, fair and transparent. It needs to have a specific purpose for collection, and only the minimum necessary amount can be collected and must be stored in an approved location. The data needs to be accurate, and any inaccuracies need to be eliminated – data needs to be kept for the minimum period only. The data needs to be maintained with integrity and confidentiality. And most importantly, there needs to be accountability about how all the above has been achieved.

Furthermore, GDPR affords individuals a set of rights. These include, upon request, providing transparent information and communication, demonstrating promptness in the response, providing access to any personal data that has been collected with a process to withdraw consent if the individual chooses, rectification of any inaccuracies noted, the catchy "the right to be forgotten" – a.k.a. erasure of any data collected and communication once this is completed, providing all data collected in a portable format, raising objections to data collection and processing, and finally, objecting to automated data processing.

The task may seem daunting to many IT security teams, and will only become worse as the deadline approaches. Organizations should assess their GDPR shortfalls and assess alternative solutions which address the aforementioned concerns and the requirements of the GDPR. These may include those that address data monitoring, ensuring data stays within a geographical boundary, ensuring the data is encrypted with the keys stored in a separate location, revocation of keys, shredding of keys to ensure the data is not accessible, and providing a detailed audit trail for any and all operations performed.


Pascal Geenens

@radware

As a security evangelist for Radware, Pascal helps execute the company's thought leadership on today's security threat landscape. Pascal brings over two decades of experience in many aspects of information technology and holds a degree in Civil Engineering from the Free University of Brussels.

"The GDPR will have a big impact on organizations..."

Most have a large gap to close on the identification, access control, and tracking of personal information data flows within the organization and its boundaries, as well as when it comes to protecting any personal information from falling into the wrong hands or from leaking outside of the company through shadow IT, email, data carriers, or others. A big concern will also be erasing all this private information upon request by the subject. Backups especially: consider more traditional off-site backup systems using portable storage. How does one make sure that every bit of personal information that was ever stored is erased from all backup tapes, for example?

The GDPR introduces punitive measures for organizations that suffer a breach or cannot demonstrate compliance with the regulation. Supervisory authorities also have investigative and corrective powers to undertake on-site data protection audits and issue public warnings, reprimands, and orders to carry out specific remediation activities. The right to control one's own private data also gives power to the individual to raise claims when the organization is not able to comply with his or her request within the set time frame.

Notwithstanding its challenges, in my opinion the GDPR is a necessity to get back on top in the fight against cyber-crime. The sheer number of records breached each year is growing, and the prices for personal records on the dark net only motivate the darkest actors to play the game and hunt for our private data and personally identifiable information. If the GDPR is able to level up, even if only by a small amount, it will be a big step in the war against cyber-crime.

I also expect bad actors to help in the adoption and enforcement of GDPR. Any company that is not compliant and gets breached by a hacker can be sure to withstand a serious ransom demand much larger than what we could expect today. Hackers know the fines related to non-compliance with GDPR and will be able to leverage that against companies that get breached to increase their demands in a ransom attack.
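Ashwin Krishnan's answer above lists encrypting data with the keys held in a separate location, revoking and shredding keys, and keeping an audit trail; Pascal Geenens' answer asks how personal data can ever be erased from every backup tape. The design below is an added example that is not from the article or from either speaker's company: it gives each data subject its own key in a vault kept apart from the records, so an erasure request is served by destroying that key, which makes every ciphertext copy (including off-site backups) unreadable without touching the backups at all. AES-GCM would be the production choice; because this runs on the Python standard library only, encryption is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag. The `KeyVault` and `PersonalDataService` names and the audit-event names are assumptions made for the example.

```python
"""Crypto-shredding: per-subject keys in a vault kept apart from the data.

Assumed design (not from the article): each data subject gets its own
data-encryption key held in KeyVault, which stands in for a key management
service stored separately from the records and their backups. Erasure
destroys the key, so every ciphertext copy, including off-site backups,
becomes unreadable. Every key operation is appended to an audit trail.
AES-GCM would be the production choice; to stay standard-library only,
encryption is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate subkeys for the keystream and the tag (domain separation).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag using a fresh random nonce."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; raise ValueError on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext integrity check failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class KeyVault:
    """Per-subject keys plus an append-only audit trail, held apart from data."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self.audit: List[dict] = []

    def _log(self, action: str, subject_id: str, actor: str) -> None:
        self.audit.append({"ts": time.time(), "action": action,
                           "subject": subject_id, "actor": actor})

    def get_or_create(self, subject_id: str, actor: str) -> bytes:
        if subject_id not in self._keys:
            self._keys[subject_id] = os.urandom(32)
            self._log("key_created", subject_id, actor)
        return self._keys[subject_id]

    def get(self, subject_id: str, actor: str) -> Optional[bytes]:
        key = self._keys.get(subject_id)
        self._log("key_accessed" if key is not None else "key_missing", subject_id, actor)
        return key

    def shred(self, subject_id: str, actor: str) -> bool:
        """Destroy the key: the subject's ciphertext is unreadable everywhere."""
        removed = self._keys.pop(subject_id, None) is not None
        self._log("key_shredded" if removed else "shred_noop", subject_id, actor)
        return removed


class PersonalDataService:
    """Record store that holds ciphertext only; keys never leave the vault."""

    def __init__(self, vault: KeyVault,
                 records: Optional[Dict[str, Tuple[str, bytes]]] = None) -> None:
        self.vault = vault
        self.records: Dict[str, Tuple[str, bytes]] = dict(records or {})

    def store(self, subject_id: str, record_id: str, data: bytes, actor: str = "app") -> None:
        key = self.vault.get_or_create(subject_id, actor)
        self.records[record_id] = (subject_id, encrypt(key, data))

    def read(self, record_id: str, actor: str = "app") -> Optional[bytes]:
        subject_id, blob = self.records[record_id]
        key = self.vault.get(subject_id, actor)
        return None if key is None else decrypt(key, blob)

    def backup(self) -> Dict[str, Tuple[str, bytes]]:
        """An off-site copy: ciphertext only, no keys. Restore by passing it to __init__."""
        return dict(self.records)

    def erase_subject(self, subject_id: str, actor: str = "dpo") -> bool:
        """Erasure request: shred the key instead of hunting every copy of the data."""
        return self.vault.shred(subject_id, actor)


if __name__ == "__main__":
    vault = KeyVault()
    svc = PersonalDataService(vault)
    svc.store("subj-1", "r1", b"alice@example.com")
    tape = svc.backup()
    svc.erase_subject("subj-1")
    print(PersonalDataService(vault, tape).read("r1"))  # None: the backup is now unreadable
```

The practical point is the separation: the record store and every backup of it contain ciphertext only, the vault contains keys only, and the audit trail is written by the vault, so "who read subject X and when, and when was the key shredded" can be answered without scanning data stores.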


Willy Leichter

@WillyLeichter

Willy Leichter is Vice President, Marketing at CipherCloud. Willy brings over 20 years of experience helping Global 1000 companies meet security and compliance challenges within their networks and in the cloud. He is a frequent speaker on cloud and IT security issues in online events, and at industry conferences globally.

"The GDPR will have a large global impact because it claims extraterritoriality..."

The EU defines it as covering the privacy of European citizens or residents anywhere in the world. While that might be difficult to enforce outside of Europe, any global business with European customers will be forced to comply – effectively it becomes a global standard.

Beyond the global reach, the GDPR raises the bar for privacy in a number of ways: a broader definition of personal data, requirements to anonymize some data, breach notification, appointment of privacy officers and following emerging industry best practices for security.


Justin Davis

@CenturyLinkBiz

Justin Davis is a Technology Sales Leader for Enterprise Business residing in San Francisco, CA, specializing in Data Security, Disaster Recovery & Business Continuity and Predictive Analytics.

"Information Security teams and steering committees need to consider the enterprise in its entirety at all times..."

This is especially true for businesses operating at the global scale. GDPR highlights this need, as global companies need to consider a decentralized approach to security management in order to allow the business units to be adaptive to the unique changes and requirements of different countries. Global organizations that structured their security management with a centralized design may find it difficult to quickly and adequately respond to these changes without causing burden on the business.


Pravin Kothari

@ciphercloud

Pravin Kothari is the CEO and Founder of CipherCloud.

"We expect the GDPR to have a huge impact on security teams for any multi-national organization..."

While the law has similar principles to previous EU Directives, it substantially raises the bar in terms of private information covered, claims of extraterritoriality, breach notification, the right to be forgotten, and enormous potential fines for violations. The law also puts much more responsibility on the data controllers to proactively implement security best practices, monitor customer information, and use pseudonymization techniques such as encryption or tokenization to protect sensitive information. This will be especially challenging for many organizations that are moving infrastructure and applications to the cloud, where they will have less visibility and control, but still be fully responsible for the data they put in the cloud.


Rishi Khanna

@rishikhanna

Rishi Khanna is a passionate entrepreneur and CEO. He leads ISHIR, a global offshore technology organization & other high growth companies. Rishi has been part of the outsourcing industry since 1999 and has successfully implemented strategic outsourcing & offshore programs in IT, Cloud, Mobile/IoT, BPO & Digital Marketing functions.

"General Data Protection Regulation (GDPR), a new EU law focused on data protection, was published in 2016 and will come into full force on May 25, 2018..."

While there is still some time for it to come into force, there is a lot of concern around it, especially for organizations. GDPR reinforces the rights of data subjects. Organizations which have "any information relating to an identified or identifiable natural person (‘data subject’)" will be impacted by GDPR, as they need to be compliant.

While most organizations think they are already compliant, GDPR has a number of new regulations in the interest of EU data subjects. The non-compliant will have to pay heavy fines and penalties as soon as it comes into force.

The information security professionals in affected organizations will have to take charge of ensuring GDPR compliance. In brief, there has to be complete and serious focus on the following aspects:

  • GDPR requires that data processors and controllers meet much stricter compliance requirements to ensure data security.
  • GDPR imposes stricter obligations on data processors and controllers with regard to data security.
  • Every effort should be made in the direction of technical and operational measures and GDPR also gives a directive to protect against the risks of data leakage.
  • Pseudonymisation and encryption of personal data becomes critical.
  • Quick restoration of personal data (in case of any technical or physical incident).
  • Regular testing of all the technical and operations measures that have been implemented.

Organizations may use tools to demonstrate compliance and adherence to security standards as per GDPR. And now to answer the big question: Will it impact the organizations outside EU?

Yes, it definitely will. GDPR applies to any organization that holds or processes data on EU citizens, regardless of where it is headquartered.
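Pravin Kothari's answer above names pseudonymization techniques such as encryption or tokenization, and Rishi Khanna's list above singles out pseudonymisation and encryption of personal data. The code below is an added example, not from the article or from either speaker's company, of keyed tokenization: direct identifiers are replaced with HMAC-SHA256 tokens under a secret the controller holds, so analysts can still join and count records, while the token-to-value map sits in a separate re-identification vault. The field names, the `Pseudonymizer` and `ReidentificationVault` classes and the sample orders are all constructed for this example.

```python
"""Pseudonymization by keyed tokenization (added example, not from the article).

Assumed design: direct identifiers (email, name, phone) are replaced with
HMAC-SHA256 tokens under a secret the controller holds. Equal values give
equal tokens, so records can still be joined and analysed; without the
secret the tokens cannot be reversed or brute-forced the way a plain hash
of an e-mail address can. The token-to-value map lives in a separate
re-identification vault so only authorised staff can look a token up.
"""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Optional

DIRECT_IDENTIFIERS = ("email", "name", "phone")


def normalize(field: str, value: str) -> str:
    """Canonicalise so trivial spelling differences map to a single token."""
    v = value.strip()
    if field == "email":
        return v.lower()
    if field == "phone":
        return re.sub(r"\D", "", v)
    return " ".join(v.lower().split())


class ReidentificationVault:
    """Token -> original value, stored apart from the analytic dataset."""

    def __init__(self) -> None:
        self._map: Dict[str, str] = {}

    def remember(self, token: str, value: str) -> None:
        self._map[token] = value

    def reveal(self, token: str) -> Optional[str]:
        return self._map.get(token)


class Pseudonymizer:
    def __init__(self, secret: bytes, vault: ReidentificationVault) -> None:
        self.secret = secret
        self.vault = vault

    def token(self, field: str, value: str) -> str:
        # The field name goes into the MAC so the same string in two fields differs.
        msg = field.encode() + b"\x00" + normalize(field, value).encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        return f"{field}_{digest[:24]}"

    def pseudonymize(self, record: dict) -> dict:
        out = {}
        for key, value in record.items():
            if key in DIRECT_IDENTIFIERS and value is not None:
                tok = self.token(key, value)
                self.vault.remember(tok, normalize(key, value))
                out[key] = tok
            else:
                out[key] = value  # non-identifying fields stay usable for analysis
        return out

    def pseudonymize_all(self, records: Iterable[dict]) -> List[dict]:
        return [self.pseudonymize(r) for r in records]


def orders_per_customer(rows: Iterable[dict]) -> Dict[str, int]:
    """Analysis that still works on tokens: orders grouped by customer token."""
    counts: Dict[str, int] = {}
    for row in rows:
        counts[row["email"]] = counts.get(row["email"], 0) + 1
    return counts


# Constructed sample orders; the two Alice rows differ only in spelling details.
SAMPLE_RECORDS = [
    {"order": 1001, "email": "Alice@Example.com", "name": "Alice Liddell",
     "phone": "+44 20 7946 0000", "amount": 42.50},
    {"order": 1002, "email": "bob@example.org", "name": "Bob Tailor",
     "phone": "+1 (555) 010-0001", "amount": 9.99},
    {"order": 1003, "email": "alice@example.com", "name": "Alice  Liddell",
     "phone": "+442079460000", "amount": 17.00},
]

if __name__ == "__main__":
    p = Pseudonymizer(b"controller-secret", ReidentificationVault())
    rows = p.pseudonymize_all(SAMPLE_RECORDS)
    print(orders_per_customer(rows))
```

Two design choices matter here. Normalising before tokenising keeps one customer from splitting into several tokens over casing and formatting differences, and putting the field name into the MAC input means an e-mail address that also appears in a free-text name field does not produce the same token in both places.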


Alexander Polyakov

@sh2ker

Alexander Polyakov is the Founder of ERPScan, President of the EAS-SEC.org project, and an Official Member of the Forbes Technology Council. He is an expert in security for business-critical software such as ERP. He has received due recognition, having published over 100 vulnerabilities as well as multiple whitepapers, such as the annual, award-winning "SAP Security in Figures." He has presented at more than 50 conferences in 20+ countries.

"The steps I recommend taking in order to be GDPR compliant are the following..."

  • Audit your entire environment to see where all the personal information is stored.
  • Determine which users, roles, and groups have access to this data.
  • Restrict access to personal data if needed.
  • Detect and fix misconfigurations and vulnerabilities which can be used to get unauthorized access to it.
  • Monitor the security of your systems on a regular basis.

As you can see, there is nothing here that is at odds with standard actions aimed at protecting business-critical applications.
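The first three of Alexander Polyakov's steps above (find where personal data is stored, determine who has access, restrict it) are the same inventory problem the earlier answer describes as scattered across file shares and content systems. The scan below is an added example, not from the article or from ERPScan: it runs regex detectors for e-mail addresses and card numbers (the latter confirmed with the Luhn check to cut false positives) over a constructed in-memory model of a file share, reports the owner and whether the file is readable by everyone, and shows the restrict step. The `FileEntry`/`Finding` types, the sample paths and contents are all constructed for the example; against a real share the same logic would sit on `os.walk` and `os.stat`.

```python
"""Personal-data inventory scan with an access review (added example).

Assumptions, not from the article: a file share is modelled as constructed
in-memory entries (path, owner, POSIX mode bits, text) so the scan runs
offline; detectors are regexes for e-mail addresses and 16-digit card
numbers, the latter confirmed with the Luhn check to cut false positives;
a finding is "overexposed" when the mode grants read access to 'other'.
"""
import re
import stat
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for random digits."""
    digits = [int(d) for d in re.sub(r"\D", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class FileEntry:
    path: str
    owner: str
    mode: int   # POSIX permission bits, e.g. 0o644
    text: str


@dataclass
class Finding:
    path: str
    owner: str
    kinds: Dict[str, int]   # identifier type -> number of hits
    overexposed: bool       # readable by 'other'


def classify(text: str) -> Dict[str, int]:
    """Count personal-data hits by type in one file's text."""
    kinds: Dict[str, int] = {}
    emails = EMAIL_RE.findall(text)
    if emails:
        kinds["email"] = len(emails)
    cards = [c for c in CARD_RE.findall(text) if luhn_ok(c)]
    if cards:
        kinds["card"] = len(cards)
    return kinds


def scan(entries: Iterable[FileEntry]) -> List[Finding]:
    """Steps 1 and 2: where personal data is, and who can read it."""
    findings = []
    for e in entries:
        kinds = classify(e.text)
        if kinds:
            findings.append(Finding(e.path, e.owner, kinds, bool(e.mode & stat.S_IROTH)))
    return findings


def restrict(entry: FileEntry) -> FileEntry:
    """Step 3: drop all 'other' permissions on a file holding personal data."""
    return replace(entry, mode=entry.mode & ~stat.S_IRWXO)


# Constructed sample share: one overexposed HR export, one card-number file
# with sane permissions, one README with digits that fail the Luhn check.
SAMPLE_SHARE = [
    FileEntry("hr/payroll.csv", "hr-admin", 0o644,
              "alice@example.com,4200\nbob.smith@example.org,3900\n"),
    FileEntry("finance/refunds.txt", "finance", 0o640,
              "refund to card 4111 1111 1111 1111 approved\n"),
    FileEntry("eng/readme.md", "dev", 0o644,
              "build id 1234567812345678, no personal data here\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SHARE):
        print(f.path, f.owner, f.kinds, "OVEREXPOSED" if f.overexposed else "ok")
```

The README entry is the reason for the Luhn check: a bare 16-digit regex would list every build number and invoice id as a card number, and an inventory full of false positives is one nobody acts on.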


Andrew Burt

@ImmutaData

Andrew Burt is the Chief Privacy Officer & Legal Engineer at Immuta, the unified data platform for the world’s most secure organizations. He is also a visiting fellow at Yale Law School’s Information Society Project. Previously, Andrew served as Special Advisor for Policy to the head of the FBI Cyber Division.

"The GDPR is the most forward-leaning data privacy and security regulation on the planet..."

If you work with data generated in the EU, the GDPR applies to you. For information security teams specifically, there are a host of provisions they need to be worried about. Some mandate increased standards for cybersecurity, and others impose mandatory reporting requirements for data breaches involving personally identifiable data. The most interesting effect of the GDPR on cybersecurity, though, will be long-term—and isn’t as frequently a subject of focus.

The future of cybersecurity is in machine learning — we generate too much data, at too high a velocity, and with too great an attack surface to detect threats with human intelligence alone. We need the scale and the speed of machine learning, which is predicated on finding patterns in "big data." And the GDPR has a huge impact on how organizations can store data and conduct data analysis, from purpose restrictions on data, to requirements to explain automated decision-making algorithms, to a range of other restrictions on processing data generally. If the future of cybersecurity lies in machine learning, the future of machine learning in global organizations will be defined, in large part, by the GDPR.


Jerry Hutcheson

@jerry_hutcheson

Jerry Hutcheson is a speaker, a consultant, and a writer, evangelizing in the field of cyber security. He has worked in this industry for almost 30 years and has extensive experience with some of the largest and most well-known IT companies and service providers. He has publicly spoken at dozens of different industry functions, written hundreds of articles, and is finishing up a book written specifically about cyber security for corporate management which will be out later this year.

"I believe the GDPR is the first in a series of all-encompassing regulations..."

That we are going to see in the IT industry as a whole. Actually, there is a precedent for GDPR and that is the PCI structure that was put into place a few years ago by the big banks to gain control of credit card fraud and theft. It has similar mandates, rules, and even fines for non-compliance.

It is just a matter of time before we see these types of regulations for other countries and other economic alliances. The GDPR is designed to put the onus of protecting data on the back of the IT organizations handling the data. And I believe this will be a pattern. You will see this more and more as cybersecurity issues continue to grow. Governments are going to force companies to do the hard things they have not been willing to do on their own.

What this means for information security teams is that they will begin to feel more pressure on them as they are forced to comply with these regulations. There will be a continuing growth in cybersecurity as a focus of the IT organization. And this will put a strain on the already overworked and overtaxed information security teams. Combined with the gross shortage of qualified cybersecurity professionals, it will put serious pressure on these organizations. There need to be updates in training and additions to personnel at these organizations today to cope with the increased mandates coming. If they do not have a DPO they need to find one; if they do have one they need to make sure he is qualified. Cybersecurity is about preparation in order to avoid the security disaster and the impending fines coming down the road.


Donna Taylor

@DonnaTaylor_exp

Donna Taylor has 20 years' experience in the IT industry. She has worked at IBM, Gartner, IDC, and Ford Motor Company. She has extensive global experience in corporate development & strategy, M&A, venture capital, consulting, market research, and competitive analysis.

"The new EU GDPR outlines..."

Enhanced personal data protection requirements for any and all businesses collecting the personal data of any EU citizen, regardless of whether or not the company is considered to be doing business with EU citizens. Instead, the mere act of collecting EU citizens' personal data is sufficient for this Reg to apply. The various provisions in the new Reg will affect information security teams globally in the following ways:

1) New IT solution purchases (hardware and software) should require additional scrutiny from the firm considering those purchases, because the deployment of new(er) technologies could potentially put personal data at risk in a way that existing infrastructure does not. This provision is covered in the section regarding the Data Protection Impact Assessment (DPIA).

2) Data Controllers and by extension, information security teams should thoroughly vet firms to which the actual data collection and processing may be outsourced or subcontracted as this action does not alleviate the Data Controller from liability. The Reg states that a firm cannot avoid liability via outsourcing and/or subcontracting the collection and processing of personal data. The liability will always remain with the firm for whose benefit the data is collected and processed. While other firms may be jointly and severally liable, the Data Controller cannot avoid liability in this way. Since the Reg's financial penalties can be severe, it would be wise to choose third-party outsourcers carefully and to include specific contractual Ts & Cs outlining processes and procedures for the protection and security of personal data.

3) Information security teams should specifically outline processes and procedures to be followed in the event of a data breach. Ironically enough, this is even more important under the new Reg's guidelines, because not all data breaches must be reported to the Supervisory Authority within 72 hours of detection. Therefore, I recommend the establishment of a flowchart, which details the protocols to be followed under different sets of circumstances.


Waqas Khan

@Waqas_tweets

Waqas Khan is an Information Security Analyst for PureVPN.

"GDPR will no doubt achieve its goal..."

Of prompting businesses and information security departments to deploy better cyber security infrastructure to protect valuable customer data. However, there is a lurking danger of targeted cyber extortion, where cyber criminals are going for a more sophisticated form of ransomware and targeting higher-level information security executives. This amounts to phishing with a rod rather than a net, and adapting to the tighter security measures put in place by companies. The attacks include criminals demanding higher ransoms, as they know that businesses might elect to pay off the ransom to avoid a black dot on their reputation, and also that these executives have access to more complex and vast amounts of customer data and have decision-making power in hand.

Consequently, it's now necessary for the information security teams to develop more complex and serious defensive measures to avoid a situation where they would have to choose between paying unwanted ransom or a hefty fine.


Tom Kellermann

@TAKellermann

Tom Kellermann is the CEO of Strategic Cyber Ventures and is a 20-year cyber expert. He was previously the CISO of Trend Micro.

"The definition of protection will evolve beyond compliance and encryption..."

This regulation will force the establishment of a dedicated C-level officer who will finally oversee security. This is a tectonic shift. Security protection will no longer be an IT problem but a governance priority. Hopefully, corporations will elevate their CISOs rather than move a compliance attorney into the role of a Data Protection Officer (DPO).


Karla Jobling

@BeecherMadden

Karla Jobling is COO and founder of BeecherMadden, a headhunting firm focussed on corporate governance, resilience & security. BeecherMadden has serviced clients in America, Europe and the UK from their offices in New York and London.

"GDPR affects most global businesses..."

Not just EU companies, and will challenge teams to focus on their global reach. It is also making the link between data privacy, physical security and cyber security a lot closer. The creation of new data privacy jobs is going to exacerbate the skills gap in the industry, and companies are going to have to fight even harder to attract and retain the best talent. GDPR has got the attention of the board, and they are going to require more from their security teams. If people in these teams cannot articulate well to the business, they are going to be replaced, or will at least be ineffective. GDPR will put more pressure on security teams and increase salaries in an industry where increases are already way above average.


Christian Lees

@InfoArmor

Christian Lees is the CTO and CSO of InfoArmor.

"GDPR may be viewed as groundbreaking legislation for many reasons..."

One of which is that it drives dedicated control of Privacy by Design, and calls on organizations to take a proactive – not reactive – approach. GDPR could also be viewed as a large impediment for small to medium sized organizations. For example, the requirement of having a Data Protection Officer will likely be a significant challenge for organizations given the current diminished security talent pool and the ever-changing privacy landscape.


Robert McKee

@USPrivacyLaw

Robert McKee is a Licensed Attorney in CA and TX, and a Certified International Privacy Professional with the IAPP.

"The most exciting answer for information security teams is..."

That they can demand higher pay and larger budgets. Do their superiors want to underfund the info security team by paying them a few thousand less than their competitors, or risk paying the higher of 20,000,000 EUR, or up to 4 percent of the total worldwide annual revenue? The GDPR could be an amazing slide for the info security team when requesting a larger budget or higher salaries.


David Cox

@DaveCox79

David Cox is the CEO & Founder of LiquidVPN.

"The GDPR will make some much needed changes to information privacy..."

Because the GDPR affects businesses outside of Europe, I see it going one of two ways. It can either be the standard-bearer for privacy legislation for the rest of the world, or companies are going to adopt regional terms of services. The fines for violating the GDPR may lead to some businesses attempting to cover up data breaches in order to get around paying the fines. Many of the policies in the GDPR were put in place by the Data Protection Act.

Nate Lord

Nate Lord is the former editor of Data Insider and is currently an account manager covering the southeast, Great Lakes, and Latin America regions at Digital Guardian. He has over 7 years of experience in the information security industry, working at Veracode prior to joining Digital Guardian in 2014. Nate enjoys learning about the complex problems facing information security professionals and collaborating with Digital Guardian customers to help solve them.