We have all read it on the news – the European Union’s General Data Protection Regulation (GDPR) law will come into force on May 25, and it has stirred waves of confusion and concern across the EU. Now, as more information on GDPR has spread across the Atlantic Ocean to the shores of Asia Pacific, we are seeing a ripple effect take place with more businesses in the region sitting up and taking notice.
And with good reason. A data breach resulting from non-compliance with GDPR may cost businesses a hefty fine of up to 4% of annual global turnover, or $24.63 million (whichever is greater).
The GDPR looks to harmonize data privacy laws across Europe to protect personally identifiable information (PII) relating to an EU individual, regardless of where in the world that data is stored. A single EU-based customer with personal information in any business database is enough to require the organization to be GDPR-compliant, even if you’re a small business! This means that the need to be GDPR-compliant by the stipulated deadline is not limited to EU-based businesses – it will affect businesses globally.
While it seems like businesses in Asia are starting to pay more attention to the coming GDPR deadline, that doesn’t mean they’re prepared for it, or have a plan to ensure compliance. A study conducted in April 2017 reported that more than half of businesses in Singapore, Japan and South Korea are among the least prepared for the upcoming data privacy laws. In fact, 56% of Singapore-based companies are worried that they will not be able to meet the deadline for GDPR compliance.
GDPR compliance can be daunting, given that the law sets out to reshape the way organizations across the world approach data privacy. As such, we have identified three key issues and the steps organizations can take to safeguard their customers’ data and get on the path toward GDPR compliance.
1. Assessing risk of breach
While no single product or combination of security solutions will guarantee a 100% breach-free future, all businesses need to kickstart their journey to GDPR compliance today by conducting a thorough data audit of both online and offline activities, assessing whether their websites directly offer goods or services to individuals in the EU. Should any personal data of an EU individual be detected, businesses need to ensure that sufficient funds and personnel are set aside to see the journey to compliance through.
2. Appointing a data protection officer (DPO)
Part of being GDPR-compliant includes appointing a DPO to sit at the crossroads of business processes, IT systems and security. The DPO needs to have a firm understanding of the GDPR, as he/she will be responsible for monitoring the business’s compliance, facilitating and reviewing data protection impacts, and providing a central point of communication and mediation in the event of a data breach.
3. Prioritizing an always-on security strategy
The GDPR requires businesses to adhere to a strict and mandatory 72-hour personal data breach reporting rule. This should then be followed up with a plan for containment and remediation, in the hope of avoiding significant penalties. Recent advances in security technology can help businesses expedite this process: through continuous monitoring and advanced attack detection software, businesses can assemble and communicate critical information about a breach in a short period of time.
With increasing mobile access, organizations need to maintain proper access controls that tightly govern who and what is authorized to access personal information. A reliable network access control (NAC) and policy management solution provides device discovery, role-based access to IT assets and closed-loop, policy-based attack response.
Last year’s WannaCry and NotPetya attacks are an indication of how modern sophisticated attacks are designed specifically to evade traditional security defenses. Businesses should introduce an additional level of monitoring that complements existing defenses – ideally one that utilizes newer types of attack detection such as machine learning – to find the small changes in behavior that are indicative of an attack.
As the network continues to grow exponentially, IT systems are racing to keep up. GDPR is just one aspect of a much bigger security concern that is never going to go away. More importantly, even without the implementation of the GDPR, businesses should aim to adhere to its guidelines for the safety of their customers’ and employees’ data.