The GDPR – and What CISOs Need to Know

April 28, 2017

With the European Union’s approval of the General Data Protection Regulation (GDPR), organisations will have to change the way they store, transfer and protect their data. The legislation, which is now in effect, requires organisations to become compliant by May 2018.

According to the GDPR website, the regulation is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy. In my position as CISO of SecureAuth, some immediate thoughts come to mind.

First, here’s what CISOs need to know about the GDPR requirements:

  • The regulations affect every business offering goods or services to EU citizens – regardless of where the company resides. Controllers that are not based in the EU may be required to designate a representative in the EU if they process the data of EU residents.
  • The regulations require entities not to store data in or transfer data through countries that don’t have strong data-protection standards. At minimum, countries should know what data is being collected, how it’s gathered, how it’s protected, and whether it’s anonymized.
  • There are significant fines for organisations that are breached and are found not to be GDPR compliant – 20 million Euros or 4 percent of annual turnover, whichever is greater.
  • Organisations are required to report all breaches within 72 hours. This means brand damage could be significant. According to a survey by OnePoll, 87 percent of respondents said they were not likely to do business with an organisation that had suffered a data breach.

From these requirements, we can gather that a wide range of organisations across the globe will be impacted, and these organisations should certainly question the current cybersecurity measures they have in place. It’s important for a CISO to talk to their organisation about what data is being collected and how it is secured.

That being said, here are some best practices CISOs can put in place:

  • Securing the user and how the user accesses data are great places to begin. With stolen credentials being the leading cause of breaches, finding ways to combat that risk and reduce your threat landscape will help strengthen the overall security posture.
  • There's a strong need to work with other groups within your organisation. Understanding the requirements and how your organisation classifies and handles data are critical components to successful GDPR compliance. 
  • Advanced authentication can provide organisations a way to add a layer of protection to the user to prevent the misuse of stolen credentials.
  • Identify the practices you have in place and test them to see if they're strong enough, relevant and effective. If not, change them. Technology changes; maybe your practice should, too.

Simply summed up, the GDPR has introduced a new standard for data protection for CISOs and their organisations. Companies will have to be more transparent about the type of data they collect on individuals, how that data is used, and when personal information is exposed in a breach.

As more organisations implement the GDPR’s requirements, we are going to see more discussion around the day-to-day impacts of this new legislation. Moving forward, it will be important for CISOs to monitor their own organisations’ best practices in addition to seeing what similar organisations are doing. CISOs want to make sure they are not falling behind and that their organisation’s security measures are top-notch.

To see how SecureAuth can Prevent the Misuse of Stolen Credentials, Contact Us today!