US Needs To Get Its Data Ready For GDPR

Uploaded on 2017-07-19 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

In response to the ever-increasing number of high-profile data breaches, lawmakers and regulators around the world are enhancing existing data security compliance requirements, implementing new legal frameworks and defining new data security regulations to respond to increasing internal and external threats.

In December of 2015, the European Union agreed to a draft of one such legal framework known as the General Data Protection Regulation, or the GDPR.

These new requirements will go into effect May 2018, but this year is an important one to prepare for compliance as this regulation affects every business offering goods or services to EU citizens regardless of where the company resides.

The GDPR was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations approach data privacy. But what does it actually mean for organisations that maintain data? And why should they take it seriously?

Here’s what US organisations need to know about the impending GDPR requirements:

1. Larger penalties for data breaches

Even without any supposition or accusation of deliberate misuse of personal data (which is still a major part of the regulation), the introduction of the GDPR will place an even greater onus on organisations to safeguard the personal data they hold from accidental disclosure and cyber-attacks.
If they fail to take the proper steps and protect that data, the limits on penalties for breach are much larger than most have dealt with before, with reported fines of up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.

2. Outsourced risk no longer means passing the buck

The new rules also make clear another important factor: that you can outsource your risk, but you can’t outsource your responsibility.

If organisations use a third-party provider to store or handle data, such as a cloud provider, they are still responsible for the correct handling and protection of personal data and must be able to demonstrate how the data is protected at all times, whether in their own or in the remote system.
Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.

3. Creation of the data protection officer

One of the most drastic changes brought about by the GDPR is the creation of an entirely new role within any organisation that interacts with EU citizen information, the “data protection officer.”

In a nutshell, the DPO will be in charge of making sure that EU citizens’ data is compliant with GDPR regulation. And if things should go wrong? The DPO’s neck will be on the line, facing large fines and even potential jail time if the data is not properly protected and compliant. The major hurdle in the creation of this new role is that thousands of DPO positions will need to be filled in the coming year.

4. Trust through capabilities, not contract

In the days of the GDPR’s predecessor, Safe Harbor, compliance was primarily based on a “trust through contract” model, allowing any certified entity to process personal data that had been transferred from Europe.

With the GDPR, organisations must now possess clearly demonstrable data protection capabilities for the data of EU citizens. In the coming year, it’s going to be interesting to see how many organisations will be forced to shift their business models dramatically in order to maintain compliance with GDPR regulation.

5. Providing online access to personal data

Organisations will now have to provide citizens with online access to any of their own personal data they store. With the GDPR in effect, organisations must make this available for download ‘where possible’ and ‘without undue delay.’

This is a very significant change; making these online data protection requests secure, in the context of these new stricter rules for protecting it at all times, will represent a significant challenge to many organisations and will require adoption of robust cybersecurity technology across the board.

As we get closer toward the GDPR’s enactment, we’re going to see a lot more activity and questions from US-based companies (and their legal counsel) around the day-to-day impact of this new legislation. I anticipate that companies will be reviewing their data security best practices throughout 2017 to ensure that they are in compliance with these stringent EU standards.

The advice to businesses is to start planning and mapping out their security strategies right away. In doing so, organisations can allow themselves the time to adopt the appropriate technologies and, ultimately, to prevent themselves from falling behind the data privacy curve.

Information Management:

You Might Also Read:

British Businesses Are Unaware Of Data Protection Laws:

Report Predicts Banks To Get €4.7bn Fines In First 3 years Under GDPR:

 

« Guide to Russian Infrastructure Hacking
The Impact Of AI On Employment Demands New Thinking »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MarQuest

MarQuest

MarQuest provides services and systems to enhance network reliability and security.

RoboForm

RoboForm

RoboForm's industry-leading encryption technology securely stores your passwords, with one Master Password serving as your encryption key.

NowSecure

NowSecure

NowSecure are the experts in mobile app security testing software and services.

Department of Justice & Equality - Cybercrime Division

Department of Justice & Equality - Cybercrime Division

The Cybercrime division is responsible for developing policy in relation to the criminal activity and coordinating a range of different cyber initiatives at national and international level.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Sylint

Sylint

Sylint is an internationally recognized cyber security and digital data forensics firm with extensive experience discretely addressing some of today’s biggest cyber breaches.

Appalachia Technologies

Appalachia Technologies

Appalachia is a full service Managed Services Provider with a focus on cybersecurity, backed by the best engineers.

Cyber Legion

Cyber Legion

Cyber Legion Ltd is a UK-based Cyber Security as a Service (CSaaS) start-up that provides IT security testing services to various organizations around the globe.

Vaultinum

Vaultinum

Vaultinum are a trusted independent third party specialized in the protection and audit of digital assets.

Eleos Labs

Eleos Labs

Eleos Labs' suite of security tools prevent Web3 cyber attacks, reduce economic risks, and protect digital assets.

Radius Technologies

Radius Technologies

Radius Technologies is trusted by progressive SMEs to deliver world-class cloud, IT solutions, IT and data security, and telecoms systems.

Summit 7 (S7)

Summit 7 (S7)

Summit 7 is a national leader in cybersecurity, compliance, and managed services for the Aerospace and Defense industry and corporate enterprises.

Lasso Security

Lasso Security

Lasso Security is a pioneer cybersecurity company ensuring comprehensive protection for businesses leveraging generative AI and other large language model technologies.

Teal Technology Consulting

Teal Technology Consulting

TEAL Technology Consulting is your trusted advisor for all your information security needs.

BBS Technology

BBS Technology

BBS Technology is a company that develops and delivers next-generation cyber security technologies worldwide.

Secur-Serv

Secur-Serv

Secur-Serv is a security-first managed services provider. We provides Managed IT, Managed Print, Managed Device, and Cybersecurity services to companies of every size.