GDPR — Why enterprises should act now.

Jacek Materna
7 min read · Jul 28, 2017


Those four small letters will soon have huge effects on organizations building products used by people in the European Union.

The EU has over 500 million people. Worldwide corporations see the EU as a strategic customer base across various verticals. The EU customer is highly valuable and soon doing business in the EU will mean abiding by GDPR.

GDPR has the potential to unhinge and unspool those that do not take data protection seriously enough. But what is it really about? In short, as of May 25th, 2018 a data breach will not just mean a whole heap of embarrassment and reputational loss for businesses and organisations. If the breach results from inadequate security, it can also bring an administrative fine of up to 20 million euros or 4 per cent of worldwide annual turnover, whichever is greater (Article 83 sets a lower tier of 10 million euros or 2 per cent for some infringements). To put that into context, the maximum the UK ICO can impose today is £500,000, so that is quite a rise: 40x, to be more specific. While this spike may be unsettling, it is a sign of the times. The EU is doubling down on the protection of personal data.

Under the new compliance regime, an organisation must report a personal data breach to its supervisory authority within 72 hours of becoming aware of it (Article 33), and must inform the affected individuals without undue delay when the breach is likely to put them at high risk (Article 34). Quietly working out a plan will no longer be an option. As well as dealing with the reputational threat, there will also be the very real financial threat that will demand attention.

So what can enterprises do to adapt to GDPR? As with all potential crises, it all comes down to preparation. Sure, they need to ensure that their data is locked up tight, but beyond that they need to prepare for the worst, because attackers are, frankly, damn smart, and even the tightest ship can be breached if the will is there.

But here is some good news: being able to show the regulator that your company planned properly could result in the fine being considerably reduced. Article 83(2) lists the technical and organisational measures you had in place, your degree of cooperation and how you notified the breach among the factors that decide the amount. Anticipating, preparing and having a robust plan of action could make all the difference if the worst happens. It will help keep heads cool in a time of panic, and proper preparation will also make those conversations with the regulator far easier when they are determining your fate.

The ICO’s latest report is not easy reading, but perhaps it is the first of many wake-up calls for those that are yet to truly appreciate what GDPR could actually mean, reputationally as well as financially.

Global businesses must have a clear understanding of how the new rules will affect how they process and store customer data. For IT departments and security teams, that means “bed time reading” in the form of nearly 100 pages of dense text, filled with the sort of legal-speak that makes it hard to pull out action items.

Failing to understand GDPR could sink a small organization altogether, or at least have a major impact on the bottom line.

To make your life easier, I’ll go through the most critical articles of the GDPR, explaining what you need to know, and more importantly why:

Article 16: Right to Rectification
In one of the GDPR’s shortest articles (54 words), the EU states that data subjects have the “right to rectification.” This means that customers have the right to have inaccurate personal data about themselves corrected without undue delay, and incomplete data completed. At first this sounds simple, but it becomes increasingly complex as you factor in third-party vendors and other recipients that have come into possession of the data: Article 19 obliges the controller to pass each rectification (and each erasure under Article 17) on to every recipient, unless that proves impossible or involves disproportionate effort. Complying with this will require an inventory of where customer data has gone and additional controls that allow organizations to alter or delete data that has already left the network.

<< TAKEAWAY: Ensure you can update or alter customer data across your supply chain when needed >>

Article 25: Data Protection by Design and by Default
The 25th article of the GDPR starts with one doozy of a sentence:

“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

Essentially, this is a long-winded way of saying that data protection has to be engineered into a system at the design stage, not bolted on afterwards. Note that the article names pseudonymisation, not anonymisation, as its example measure: pseudonymised data (a keyed token in place of the name or email, with the key held separately) is still personal data under the GDPR, because the controller can re-link it, but it limits what a leak of the processed data set alone reveals. The familiar requirement to protect data at rest, in transit and in use, with encryption where appropriate, comes from Article 32 on security of processing, which works alongside Article 25.

Article 25(2) goes on to require that, by default, only the personal data necessary for each specific purpose is processed. That applies to the amount of data collected, the extent of processing, the storage period and who can access it; in particular, personal data must not be made accessible to an indefinite number of people without the individual’s intervention. Meeting this requires both “technical and organisational” measures, and because they must apply by default rather than on request, the possibility that information is leaked or misused is reduced.

<< TAKEAWAY: Encrypt sensitive data, collect and expose only the fields each purpose needs, pseudonymise where you can, and ensure that only the parts of the organisation that need the data can access it >>
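To make the Article 25 measures concrete, here is an added example (mine, not Assembla’s code and not anything from the regulation) of keyed pseudonymisation combined with per-purpose data minimisation. The customer record, the field names, the purpose table and the placeholder key are all assumptions constructed for the example; in a real deployment the key would come from a KMS or HSM and be held apart from the pseudonymised data set.

```python
"""Keyed pseudonymisation plus per-purpose data minimisation (Article 25 style)."""
import hmac
import hashlib
from typing import Any, Dict, Iterable, Optional

# Assumption: in production this key lives in a KMS/HSM, separate from the
# pseudonymised data set; a static placeholder is used here so the example runs.
PSEUDONYMISATION_KEY = b"example-key-held-separately-from-the-data"

# Which fields each registered processing purpose may see (minimisation by default).
# "analytics" never receives a direct identifier; "support" needs to contact the person.
PURPOSE_FIELDS = {
    "analytics": {"country", "plan", "signup_date"},
    "support": {"name", "email", "plan"},
}

# Fields that are generalised rather than passed through, to reduce identifiability.
GENERALISERS = {
    "signup_date": lambda iso_date: iso_date[:7],  # "2017-03-14" -> "2017-03"
}


def pseudonymise(identifier: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Return a stable, keyed token for a direct identifier.

    HMAC-SHA256 rather than a plain hash: without the key an attacker cannot
    enumerate likely email addresses and check them against the token table.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def prepare_for_purpose(record: Dict[str, Any], purpose: str,
                        key: bytes = PSEUDONYMISATION_KEY) -> Dict[str, Any]:
    """Produce the view of a customer record that one processing purpose may see."""
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        # Processing without a registered purpose is refused, not defaulted to "everything".
        raise ValueError(f"no registered processing purpose: {purpose!r}")
    view: Dict[str, Any] = {}
    for field in allowed:
        if field not in record:
            continue
        generalise = GENERALISERS.get(field)
        view[field] = generalise(record[field]) if generalise else record[field]
    # Every view carries the pseudonym so records can still be joined, or located
    # for a rectification/erasure request, without carrying the email around.
    view["subject_token"] = pseudonymise(record["email"], key)
    return view


def reidentify(token: str, known_identifiers: Iterable[str],
               key: bytes = PSEUDONYMISATION_KEY) -> Optional[str]:
    """Find which known identifier produced a token.

    Only the key holder can do this, which is exactly why pseudonymised data
    is still personal data under the GDPR (Recital 26).
    """
    for ident in known_identifiers:
        if hmac.compare_digest(pseudonymise(ident, key), token):
            return ident
    return None


# Constructed sample record (not real customer data).
SAMPLE_RECORD = {
    "name": "Ada Example",
    "email": "Ada.Example@example.org",
    "country": "DE",
    "plan": "team",
    "signup_date": "2017-03-14",
}

if __name__ == "__main__":
    print(prepare_for_purpose(SAMPLE_RECORD, "analytics"))
    print(prepare_for_purpose(SAMPLE_RECORD, "support"))
```

The analytics view ends up with country, plan, a month-granular signup date and the token, and nothing that names the person; the support view keeps the email because that purpose needs it. The same token appears in both, so a rectification request can be traced across data sets without copying the identifier into each one.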

Article 30: Records of Processing Activities
Article 30 of the GDPR deals with record keeping. Strictly, it requires controllers and processors to maintain a register of their processing activities: the purposes of processing, the categories of data subjects and personal data, the categories of recipients, any transfers to third countries, the envisaged retention periods and a general description of the security measures in place (organisations with fewer than 250 employees are exempt unless their processing is more than occasional or involves sensitive data). You cannot build that register without knowing how customer data flows through your own systems and your third parties across its life cycle, and you cannot evidence it, or investigate a breach inside the 72-hour window, without per-event audit trails. For security teams, that means deploying solutions that provide real-time auditing and capture granular usage details: the nature of the activity (viewing, editing, exporting, and so on), the user who performed it, the time and source (IP address) of the activity, and more.

Having access to this data is just the start. The purpose of the record keeping is to have evidence in case of audits by a “supervisory authority,” whose powers are also defined within the GDPR’s text. Which authority oversees a given organisation is determined case by case, depending on the member states involved (for cross-border processing, the authority of the organisation’s main establishment takes the lead). This means that the oversight bodies will likely have slightly different policies and procedures, further complicating the situation. My assumption is that none of these bodies will be shy about using their auditing powers, especially in the first few months, in order to prove the EU is committed to enforcing the GDPR’s regulations.

<< TAKEAWAY: Log, audit, and monitor all personal data processing across your applications, and keep the Article 30 register current. You may need to run forensic activity for one specific user and prove something about their data >>
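Audit records are only worth something to a regulator if they cannot be quietly edited after a breach. The following is an added example of mine (not Assembla’s code and not anything prescribed by Article 30) of an audit trail that captures the fields discussed above and chains each event to the previous one by hash, so that editing, deleting or reordering an earlier event is detectable. The event schema, the actor names and the three sample events are constructed for the example.

```python
"""Tamper-evident audit trail of personal-data processing events."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

GENESIS_HASH = "0" * 64  # chain anchor for the first event


def _digest(body: Dict[str, Any]) -> str:
    """Canonical SHA-256 over an event body (sorted keys make the digest reproducible)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only list of processing events, each bound to its predecessor by hash."""

    def __init__(self) -> None:
        self.events: List[Dict[str, Any]] = []

    def record(self, actor: str, action: str, subject: str, source_ip: str,
               ts: Optional[str] = None) -> Dict[str, Any]:
        """Append one event: who did what to whose data, from where, and when."""
        body = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,       # user or service account performing the activity
            "action": action,     # view / edit / export / delete ...
            "subject": subject,   # the data subject whose record was touched
            "ip": source_ip,      # where the activity came from
            "prev": self.events[-1]["hash"] if self.events else GENESIS_HASH,
        }
        event = dict(body, hash=_digest(body))
        self.events.append(event)
        return event

    def verify(self) -> Optional[int]:
        """Return the index of the first event whose digest or back-link is broken,
        or None if the whole chain is intact. Editing an event breaks its own digest;
        deleting or reordering one breaks the link of whatever follows it."""
        prev = GENESIS_HASH
        for index, event in enumerate(self.events):
            body = {k: v for k, v in event.items() if k != "hash"}
            if event["prev"] != prev or _digest(body) != event["hash"]:
                return index
            prev = event["hash"]
        return None

    def history(self, subject: str) -> List[Dict[str, Any]]:
        """Everything that happened to one data subject's records, in order: the view
        you need for an access request or a breach investigation."""
        return [e for e in self.events if e["subject"] == subject]


def constructed_trail() -> AuditTrail:
    """Three constructed events with fixed timestamps (sample data, not real logs)."""
    trail = AuditTrail()
    trail.record("alice@corp.example", "view", "cust-1001", "10.0.0.7",
                 "2018-05-25T09:00:00+00:00")
    trail.record("billing-svc", "edit", "cust-1001", "10.0.1.3",
                 "2018-05-25T09:05:00+00:00")
    trail.record("bob@corp.example", "export", "cust-2002", "203.0.113.9",
                 "2018-05-25T09:10:00+00:00")
    return trail


if __name__ == "__main__":
    t = constructed_trail()
    print("chain intact" if t.verify() is None else "chain tampered")
    for e in t.history("cust-1001"):
        print(e["ts"], e["actor"], e["action"], e["ip"])
```

One caveat: a hash chain only proves integrity relative to its head. An attacker who can write to the log can rebuild the whole chain, so the latest hash needs to be anchored somewhere the application cannot rewrite, for example signed periodically or shipped to write-once storage, for the verification to mean anything to an auditor.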

Article 46: Transfers Subject to Appropriate Safeguards
The last article I’ll cover is the 46th, which is arguably one of the most important in the GDPR. Article 46 governs transfers of personal data to countries outside the EU that lack an adequacy decision: such transfers are allowed only with “appropriate safeguards” (standard contractual clauses, binding corporate rules and the like) that keep the data under equivalent protection wherever it is stored. This article is crucial because it addresses a key concern behind the GDPR’s inception: that once the personal data of people in the EU is transferred outside the EU, it can become subject to surveillance by other nation-states, the concern that led the Court of Justice of the EU to strike down the Safe Harbor framework in 2015.

To remain in compliance with this requirement, security teams should look at controls that travel with the data itself, encryption and access control applied at the data level, so that as the data moves the protections remain in place and the organization can share information throughout its international network. Bear in mind that these technical controls complement the legal safeguards Article 46 names; encryption alone does not make a transfer lawful.

<< TAKEAWAY: Everything should be encrypted leaving your boundary, and every transfer to a third country needs a legal basis such as standard contractual clauses. Federated partners and interconnected cloud providers should be authenticated and authorized using TLS, SAML 2.0 and SSO strategies >>

The good news is that we still have 10 months before the GDPR takes effect. The bad news is that we only have 10 months before GDPR takes effect.

“Corporations should have already started preparations for GDPR. Most organisations will have to dramatically change the way they organise, manage and protect customer data. A shift of this size will need buy-in from the board.”

As an industry, we still have time to put the necessary measures in place. Cybersecurity and IT leaders must come together and pool our collective expertise to determine the optimal strategy for achieving compliance with the GDPR.

But don’t expect your CEO to be open to the idea of sacrificing efficiency for compliance’s sake! Instead, IT departments must find ways to ensure security without stifling collaboration. IT departments need to think outside the box and innovate to meet this intersection of security and usability.

We at Assembla are committed to privacy and customer security — it is at the core of our business. We are aggressively pursuing GDPR. We are committed to GDPR and what it stands for. We can help you understand how GDPR will impact your business and how GDPR will impact you as an Assembla customer. Just give us a call — we would love to hear from you.

Want to learn more? I really recommend reading through what Salesforce has put together. Do yourself a favor and take 45 minutes to dig in.

Stay tuned for more updates on GDPR by following me or get on Twitter to keep up to date.
