GDPR – An Opportunity to Rethink Data Security
The General Data Protection Regulation (GDPR) is the most significant overhaul of European Union (EU) data protection legislation in over 20 years. Amongst other things, it is intended to provide better protection to individuals and to give greater certainty to organizations in navigating data protection across EU member states.
However, as with all new regulations, you could be forgiven for viewing the GDPR as an expensive, time-consuming constraint on free enterprise. You might see the penalties for non-compliance and think that this is just another risk to your business, your employees and your career.
We are not denying this, the penalties for a major compliance failure under the GDPR are significant (up to €20 million or 4% of global annual revenue). However, our view is that these fines, however hefty, don’t fundamentally up the ante. Security stakes were already as high as they could be.
For even without regulatory penalties, a major data breach could mean potentially terminal financial, operational, and reputational consequences for a business.
As the scale of the cyber threat is revealed, organizations should welcome the data security requirements laid down by the GDPR as an opportunity to reduce the risk of data breaches. After all, if an organization’s data is compromised, regulatory fines may be the least of its worries.
GDPR – A Welcome Wake-Up Call
Data breaches impact an organization’s reputation and consumer trust. They affect its financial value – Yahoo’s well publicized data breach cost the company and its shareholders
$350 million in its merger with Verizon.
Data breaches threaten strategic information, monetary assets and intellectual property. They can even limit an organization’s ability to perform daily tasks – we all remember the NHS hospitals that were unable to perform scheduled surgical procedures in the aftermath of the WannaCry ransomware attacks.
As cyber threats continue to grow and evolve, it is very likely that costly data breaches will become more frequent. Consequently, it is surprising that there continues to be a general lack of cybersecurity readiness within many organizations. Accenture’s State of Cybersecurity and Digital Trust 2016 report found that when it comes to cybersecurity, there are clearly gaps between where most organizations are and where they need to be.
So, while the GDPR introduces severe penalties for compliance failures, it will also force organizations to pay more attention to data security in the face of the looming cyber threat.
The Implications of GDPR for Data Security
The GDPR will replace the various legal interpretations of the current EU Data Protection Directive with a standardized, pan-European set of requirements about how organizations must manage data on their employees, customers, and other relevant stakeholders.
Data security is just one element of a broad data protection framework laid down by the regulation. However, while it’s by no means the only consideration, it’s an important one.
Article 5 of the GDPR calls for personal data to be processed in a manner that ensures the appropriate security of such data, including protection against the risk of destruction, loss, alteration, and unauthorized disclosure or access.
However, this is as prescriptive as the GDPR gets. The regulation does not define exactly how an organization should ensure that protection. Rather, it requires that organizations implement controls that are “appropriate” to its level of risk – a clear nod to risk-based approaches to cybersecurity.
Risk-Based Security
Risk-based security programs provide a framework for the prioritization of threats. Organizations evaluate the individual risks they face by considering two factors: the likelihood that a specific event will occur combined with any impact that the event may cause. The result determines the significance attributed to each risk.
Organizations can use this basic framework not only to increase cyber-defenses in prioritized areas but also to reduce security where the level of risk does not justify security controls that can constrain business performance.
A detailed understanding of risk can act as both a business enabler and a defensive measure. Some areas of a business can act more quickly and with greater flexibility, while other riskier areas will require more protection, even at the expense of performance.
After risks are identified and classified, organizations can mitigate the most serious data security risks by implementing a security strategy that protects data with appropriate technological deterrents, policies, and training. This approach also prepares organizations for the worst cyber risk scenarios with comprehensive intrusion detection and response plans.
Just the Beginning
The GDPR comes into force in May 2018 and coincides with similar data protection legislation initiatives throughout the world. In the United States, the New York State Department of Financial Services recently enacted new cybersecurity regulations and discussions are progressing for similar regulations at a federal level. Also, the Cyberspace Administration of China recently issued a draft policy on new regulations designed to improve data security. These developments indicate the general appetite amongst governments worldwide and other regulatory authorities for change.
The Internet is often compared to the Wild West, a lawless frontier where some individuals take advantage of the system to benefit themselves at the expense of others. We should feel reassured at the prospect of data protection regulators riding into town to enforce the law in the name of a safe online environment where both society and commerce can flourish.
How Can Intuition Help?
Intuition is a leading knowledge solutions company. We work with our clients to reduce cyber risk exposure through unrivaled employee education.
Our holistic approach to the human aspect of security includes training solutions for both software developers and non-technical staff, so that your organization can both make and use technology in a safe manner.
We can also assist organizations to meet the broader data protection training requirements described by the GDPR.
If you would like to receive similar content, email info@intuition.com.
