Cyber Security and GDPR

CyberSift
Feb 5, 2018

As of 25 May 2018 a new EU regulation, formally known as the GDPR (General Data Protection Regulation), comes into full force. This regulation sets out a number of requirements that companies and organisations must embrace in order to comply with it. Its purpose? To meet modern privacy requirements that the mid-90s EU Data Protection Directive 96/46/EC and other local data protection laws fail to address.

At this stage, companies need to ask themselves the following questions: What are the business’s most sensitive and critical assets? Are data and revenue involved in these? What is the security state of all our machines, both stationary and portable? What is the current security state of the brand we’ve carefully created and toiled so hard to shelter?

Who is setting these standards?

The same European institutions that have sought to get rid of most of the red tape businesses have had to deal with are simultaneously seeking ways of safeguarding the privacy of citizens and individual subjects. The GDPR requires fund managers to adjust their cyber security procedures to avoid facing financial penalties. These penalties can reach 4% of the company’s global annual revenue or 20 million euro, whichever is greater for that particular business.

GDPR for the company and for the client

Under this new regulation, the subject or individual holds the right to transfer his personal data from one organisation to another, and the regulation goes as far as to stipulate how this needs to be done: via a structured, widely-used and machine-readable format.

What implications, both on a commercial and a systems level, can this regulation have on your company? Massive ones! For starters, a client could ask for a copy of his personal information and take it to your competitor. Secondly, your systems need to be organised and structured so as to provide the client with such a copy in the prescribed manner.

What are the implications of Data Breach Notification?

Every organisation needs to ensure that data is adequately shielded against data breaches, including theft, unauthorised access and loss. This requirement is so important that the GDPR even contains a rule solely dedicated to personal data breach notification. So what burden does a business bear when it suffers a cyber security breach come May 2018? Not only must the data breach be reported to the supervisory authority within 72 hours, but if it poses a high privacy risk for the client involved, then he or she needs to be informed of the breach as well.

The Client’s Right to Be Forgotten

Should the client or individual subject show that data has been processed unlawfully or passed to third parties, or should he or she decide to withdraw previously given consent, the GDPR requires the organisation to act. There is a list of six such conditions, and all of the subject’s data is to be removed from the organisation’s systems even if only one of them is met.

Data Protection Assessment

The GDPR gives the Data Protection Assessment a clearer definition and structure: high risks to the privacy rights of individuals are to be assessed before the processing of personal data starts. The assessment should also include a systematic description of the processing activity and of both the necessity and the scale of operations. The GDPR promotes the encryption of personal data. Security measures ensuring the confidentiality, integrity and resilience of processing systems and services are a must under the privacy legislation, and security should be based on the risk assessments.

If a company is able to comply with the GDPR, it is demonstrating its capability of instilling trust among its customers, suppliers and employees. The most important factor for businesses to keep in mind is to steer clear of data breaches, whether caused by hacking, phishing or malware.

Concerns raised by organisations so far

By far, what is most unnerving to companies when it comes to GDPR compliance is the lack of cloud security expertise. Cloud-based applications are necessary in order to comply with data processing agreements, yet cloud security is still considered a gap in the IT departments of most companies. This lack of knowledge casts doubt on whether they have the coping mechanisms necessary to meet the requirements of the GDPR. The 72-hour rule could have more negatives than positives, as it raises the question of whether companies, or people within companies, might cover up data breaches to avoid the harsh fines. What’s more, some organisations do not even possess the ability to detect, let alone report, a data breach, whilst others argue that it may take months to detect one.

How can these concerns be alleviated?

Organisations with an overtaxed security team may find it the hardest to cope, leading them to lose customers through reputational damage. Cyber security companies like CyberSift seek to help security analysts sift through thousands of alerts, drawing attention to what matters most. This increases the awareness and efficiency of security teams by reducing human error. Through the use of data mining and statistical algorithms, CyberSift possesses the tools to detect attacks that could harm your industry and which would slip past traditional modes of defence.

CyberSift’s avant-garde anomaly detection systems can help security analysts focus on the alarms that matter, thus reducing the time they spend and increasing their efficiency. Furthermore, the tools operated by CyberSift can help lighten the heavy toll falling on the security analyst. In a world where the shortage of cyber security experts is worrisome to companies worldwide, such tools could potentially substitute for human power at only a fraction of the cost.

CyberSift

Intelligence Augmented Cybersecurity. A hybrid IDS which leverages both signature & anomaly data mining techniques to simplify cybersecurity http://cybersift.io