In April 2016, the European Union codified what is known as the General Data Protection Regulation (GDPR). This is not the first data protection law established by the European Commission – that would be the Data Protection Act of 1984 (fitting if you’re a George Orwell fan).
However, the GDPR is somewhat unprecedented: It sets data protection provisions that any organization accessing or storing data created in the EU must abide by – regardless of where the business is operating from. The mandate becomes effective May 2018, so the clock is already ticking.
Understanding the requirements
Under the new law, personal data is defined as any information pertaining to an individual, such as “a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
The most impactful provisions for businesses that leverage data from EU member states include the following:
- Businesses must appoint a data protection officer (DPO), who is required, among other things, to be accessible to data owners.
- Organizations must set and abide by a predetermined retention period, after which time they are required to erase that data.
- “Privacy by design” dictates that data privacy settings, by default, are set at a high level per Information Commissioner’s Office guidelines.
- Data security measures must be implemented.
- Regulators must be notified of any breaches within 72 hours.
- Unauthorized data transfers outside member states will be subject to penalization.
- Organizations must conduct data protection impact assessments (DPIA) for any introduction of new technology.
Failure to abide by any of GDPR’s core tenets is punishable by a maximum fine of $22 million or 4 percent of annual worldwide turnover of the preceding financial year (whichever is greater). Failure to adhere to the technical measures warrants a maximum fine of $11 million or 2 percent of global annual turnover from the previous year (again, whichever is greater).
Prepping your organization
To reiterate, the GDPR will only affect organizations that process or store data originating in an EU member state. However, given the size and importance of markets in Europe, U.S. businesses will be significantly impacted. In fact, according to TechTarget’s Dave Raffo, U.S. organizations – despite being expected to spend 20 percent more on compliance costs than European businesses – are more prepared than the U.K. This is despite the fact that the U.K. will be disproportionately affected due to its proximity to EU member nations, and of course, because it used to be one of them.
Worldwide, 31 percent of organizations consider themselves ready for the GDPR. This is not a grim assessment, as there is still more than a year before enforcement of the regulation begins. Nevertheless, the vast majority of businesses are still noncompliant, and there’s work to be done on that front.
For one, organizations, regardless of size, must make sure they have the necessary resources to monitor personal data at all times, and to flag activity that is forbidden by GDPR. They’ll also need a framework for performing comprehensive DPIAs that vet the efficacy of data safeguards. Likewise, they’ll need the ability to identify any gaps in their security posture that could precipitate data breaches.
And finally, GDPR reinforces an old regulation that breaches must be disclosed within 72 hours of detection. While beneficial in theory, the operative word here is detection. According to Verizon’s Data Breach Investigations Report 2016, the average time to detection is more than 200 days. With that in mind, the 72-hour rule is nothing more than an effort to improve business transparency. It does nothing for network visibility, though, and GDPR aside, 200 days is far too long for a threat to be present on an organization’s network.
If nothing else, GDPR will encourage organizations to be more circumspect in how they manage private data. But in a best-case scenario, it will ignite interest in developing a more comprehensive threat detection and response strategy that can truly safeguard valuable customer data.
Arctic Wolf provides the SOC-as-a-Service that you would need to fulfill GDPR requirements. You will need to demonstrate some of these capabilities whenever you do business with European counterparts, partners, vendors, suppliers, etc.
Arctic Wolf provides you with dedicated staff and processes to detect, analyze, and respond to threats, and a cloud-based distributed SOC that will help with requirements such as data privacy, data security, retention, incident response, and impact analysis.