US Needs To Get Its Data Ready For GDPR

In response to the ever-increasing number of high-profile data breaches, lawmakers and regulators around the world are enhancing existing data security compliance requirements, implementing new legal frameworks and defining new data security regulations to respond to increasing internal and external threats.

In December of 2015, the European Union agreed to a draft of one such legal framework known as the General Data Protection Regulation, or the GDPR.

These new requirements will go into effect May 2018, but this year is an important one to prepare for compliance as this regulation affects every business offering goods or services to EU citizens regardless of where the company resides.

The GDPR was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations approach data privacy. But what does it actually mean for organisations that maintain data? And why should they take it seriously?

Here’s what US organisations need to know about the impending GDPR requirements:

1. Larger penalties for data breaches

Even without any supposition or accusation of deliberate misuse of personal data (which is still a major part of the regulation), the introduction of the GDPR will place an even greater onus on organisations to safeguard the personal data they hold from accidental disclosure and cyber-attacks.
If they fail to take the proper steps and protect that data, the limits on penalties for breach are much larger than most have dealt with before, with reported fines of up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.

2. Outsourced risk no longer means passing the buck

The new rules also make clear another important factor: that you can outsource your risk, but you can’t outsource your responsibility.

If organisations use a third-party provider to store or handle data, such as a cloud provider, they are still responsible for the correct handling and protection of personal data and must be able to demonstrate how the data is protected at all times, whether in their own or in the remote system.
Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.

3. Creation of the data protection officer

One of the most drastic changes brought about by the GDPR is the creation of an entirely new role within any organisation that interacts with EU citizen information, the “data protection officer.”

In a nutshell, the DPO will be in charge of making sure that EU citizens’ data is compliant with GDPR regulation. And if things should go wrong? The DPO’s neck will be on the line, facing large fines and even potential jail time if the data is not properly protected and compliant. The major hurdle in the creation of this new role is that thousands of DPO positions will need to be filled in the coming year.

4. Trust through capabilities, not contract

In the days of the GDPR’s predecessor, Safe Harbor, compliance was primarily based on a “trust through contract” model, allowing any certified entity to process personal data that had been transferred from Europe.

With the GDPR, organisations must now possess clearly demonstrable data protection capabilities for the data of EU citizens. In the coming year, it’s going to be interesting to see how many organisations will be forced to shift their business models dramatically in order to maintain compliance with GDPR regulation.

5. Providing online access to personal data

Organisations will now have to provide citizens with online access to any of their own personal data they store. With the GDPR in effect, organisations must make this available for download ‘where possible’ and ‘without undue delay.’

This is a very significant change; making these online data protection requests secure, in the context of these new stricter rules for protecting it at all times, will represent a significant challenge to many organisations and will require adoption of robust cybersecurity technology across the board.

As we get closer toward the GDPR’s enactment, we’re going to see a lot more activity and questions from US-based companies (and their legal counsel) around the day-to-day impact of this new legislation. I anticipate that companies will be reviewing their data security best practices throughout 2017 to ensure that they are in compliance with these stringent EU standards.

The advice to businesses is to start planning and mapping out their security strategies right away. In doing so, organisations can allow themselves the time to adopt the appropriate technologies and, ultimately, to prevent themselves from falling behind the data privacy curve.

Information Management:

You Might Also Read:

British Businesses Are Unaware Of Data Protection Laws:

Report Predicts Banks To Get €4.7bn Fines In First 3 years Under GDPR:

 

« Guide to Russian Infrastructure Hacking
The Impact Of AI On Employment Demands New Thinking »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

QTS

QTS

QTS Realty Trust, Inc. is a leading provider of secure, compliant data center, hybrid cloud and managed services.

Performanta

Performanta

Performanta offer a consultative approach to people, process and technology, focusing on security projects in line with adversarial, accidental and environmental business risk.

National Security Agency (NSA) - USA

National Security Agency (NSA) - USA

NSA is a US intel agency responsible for the protection of government communications and information systems against penetration and network warfare.

D-Fence

D-Fence

D-Fence high availability security service protects corporate email communication, the company and it's employee's against cyber threats.

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER)

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER)

The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today.

iFluids Engineering

iFluids Engineering

iFluids Engineering is a leading engineering consulting and risk management firm providing a full range of services including Cyber Security for Industrial Control Systems.

Swedish Board for Accreditation and Conformity Assessment (SWEDAC)

Swedish Board for Accreditation and Conformity Assessment (SWEDAC)

SWEDAC is the national accreditation body for Sweden. The directory of members provides details of organisations offering certification services for ISO 27001.

Rocheston

Rocheston

Rocheston is an innovation company with cutting-edge research and development in emerging technologies such as Cybersecurity, Internet of Things, Big Data and automation.

Packetlabs

Packetlabs

Packetlabs specializes in penetration testing services and application security.

DoQubiz Technology

DoQubiz Technology

DoQubiz is using the idea of security through obscurity to develop their proprietary Fractal Security Engine that implements a highly resilient data protection protocol.

National Cyber Security Center (NCSC) - Vietnam

National Cyber Security Center (NCSC) - Vietnam

National Cyber Security Center of Vietnam has a central monitoring function and is a technical focal point for monitoring and supporting information security for people, businesses and systems.

Secure Cyber Defense

Secure Cyber Defense

Secure Cyber Defense provides expert cybersecurity consulting and managed detection and response services to companies, local government, schools and universities.

Mage Data

Mage Data

Mage (formerly Mentis Software) is a leading solutions provider for data security and data privacy software for global enterprises.

SecurityBridge

SecurityBridge

SecurityBridge provide a cybersecurity connection between our customers’ IT departments, the forward-facing business services, and their SAP applications.

Cytidel

Cytidel

Cytidel is a vulnerability and risk management platform that utilises threat and business intelligence to help IT Security teams.

Applied Insight

Applied Insight

Applied Insight work closely with government agencies and industry to overcome technical and cultural hurdles to innovation, empowering them with the latest cloud, data and cyber capabilities.