What does GDPR mean to security?

GDPR can make cybercrime seem even more terrifying, but it can actually be a tool to keep predators at bay.

Being affected by cybercrime is not good news for businesses. The effect on a business is huge when you look at the disruption, the damage to its reputation and the loss of sensitive company data, along with regulatory fines which can run into hundreds of thousands of pounds if not more. With the impending arrival of GDPR (General Data Protection Regulation), coming into force in May 2018, there is a chance for these costs to rise even further.

New responsibilities and new penalties

GDPR gives companies new responsibilities to look after personal data. It affects every company that stores or processes information on EU subjects, wherever the company is based.

Generally there isn’t anything too scary about GDPR. It simply clarifies the legal position on how and why organisations store personal data, giving citizens more control. It gives individuals the right to know what data organisations hold about them and the right to have their personal data deleted permanently. It explains when organisations will need explicit authorisation to use personal data, and under what conditions or for what reasons it may be used for other purposes. GDPR is a useful defence, especially in light of the world we live in, as people do have genuine concerns about the information companies hold on them.

Companies are worried about the new regulations surrounding data breaches. Companies will have new responsibilities to report any data breaches: they have to report to the relevant data protection authority and, in cases where there is the possibility of a negative impact, to the individuals who have been affected. Companies can also be fined, and these fines have now risen from the previous maximum of £500,000 to up to €20 million or 4% of the company’s annual turnover. Many businesses are understandably worried about the effect this will have on them, as a breach and a fine could potentially put them out of business.

The outlook is not quite so grim. The ICO has explained that it is only compulsory to report a breach where there is a likelihood of risk to people’s rights and freedoms; in essence, not all breaches will have to be reported. If an individual faces the possibility of discrimination, damage to their reputation, financial loss or other disadvantages, then they do need to know about the breach; if there is no risk, then there is no need to mention it. Nor do organisations have to report on the breach in full detail while they are still learning about it themselves. There is, however, a requirement to report the breach within 72 hours and without delay.

Very importantly, the ICO has stated that GDPR fines will be proportionate and will not be handed out for every violation. In many instances data breaches will fall under the second tier of penalties, with a maximum fine of €10 million, and fines will be used only as a very last resort.

Why the predators don’t like GDPR

You can see GDPR as a chance to tighten up data practices, putting strategies and policies in place to strengthen security; in effect, this closes the doors on breaches.

GDPR requires companies to take further steps to protect the ongoing confidentiality, integrity, availability and resilience of their systems, and all of these measures will need to be documented to start building a track record. This means GDPR isn’t just good for compliance but for data security in general.

Sensible measures should include:

  • Auditing and risk assessment
  • Checks for cloud service partners
  • Risk assessment of devices
  • In-depth review
  • Lock down your data
  • Monitor, log and audit
  • Have a plan


Would you like some help and advice on the above areas? If so, do not hesitate to give us a call on 01252 350 690.

TIVA IT Solutions Ltd are already helping many businesses get ready to be GDPR compliant.

Auditing and risk assessment: The analysis of all the personal data used in the business, and the systems and devices used to store, access and process it. In order to comply with GDPR, you need to know where the data lives, who has access, and where and how it’s used. Having this information, with a proper assessment of the potential risks attached to that data, isn’t just useful for GDPR, but a good starting point for a revised security strategy.

Checks for cloud service partners: Part of GDPR compliance is ensuring that any service partners storing or processing data on your behalf are compliant. Again, this is a good opportunity to review their security, the access they have to your data, and whether this leaves any vulnerabilities open that others might exploit.

Risk assessment of devices: Check everything from your servers and storage infrastructure to laptops, PCs and mobile devices. Are there security flaws you should have dealt with? Are you using old devices that are inherently insecure? Too many businesses overlook printers and multi-function devices, thinking they pose no security risk. In fact, they’re complex computers handling sensitive data both in transit and at rest, and which may be used as a backdoor to the network as a whole. Use GDPR to challenge your assumptions and ensure you leave no stone unturned.

In-depth review: GDPR is a great reason to check your processes and policies and ensure that they promote privacy and data security, and don’t put individuals’ data at risk. What’s more, it’s a chance to rethink access rights, ensuring that only those with a genuine business need to access data have the access rights to do so.

Lock down your data: Too many data breaches are caused by stolen or misused credentials, while too few are prevented by the use of strong encryption. Consider using multi-factor authentication, using tokens or biometric factors, and make sure that data is encrypted so that, even if it leaks, it’s of no use. Any such steps taken to mitigate risk could work in your favour in the event of a breach.

Monitor, log and audit: Close monitoring of systems, logging and auditing can do three things. Firstly, they can help you spot an attack or breach before it’s too late to stop it. Secondly, they can help you work out the size and scope of a breach and take effective measures to repair it. Thirdly, they can help you track the attack and its impacts and prove compliance. Again, what’s good for GDPR also helps make your business more secure.

Have a plan: Organisations need to put policies and procedures in place that make it clear what needs to happen in the event of a breach, and who’s responsible for making it happen. This should cover the thresholds for notification, so it’s clear who needs to be notified and when, and also cover how the breach is registered and the steps IT and security teams can put in place to make any stolen data safe, post-breach. An effective breach response plan demonstrates compliance, but also reduces the time taken to repair a breach and the impact of any breach.
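The notification thresholds and the 72-hour window described above (and in the ICO guidance summarised earlier) are the kind of decision a breach response plan should make mechanical rather than ad hoc. The following is an added illustration, not code from TIVA or from any regulator: it encodes a simplified two-threshold model as an assumption (authority notified when any risk to individuals is likely, individuals notified only at high risk), uses constructed sample incidents, and reports how much of the 72-hour window remains.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Risk(Enum):
    """Assessed risk to the affected individuals (constructed three-level scale)."""
    NONE = "no risk"        # e.g. lost device with intact full-disk encryption
    LIKELY = "likely risk"  # authority must be told
    HIGH = "high risk"      # authority and the individuals must be told

@dataclass(frozen=True)
class Breach:
    ref: str
    detected_at: datetime  # when the organisation became aware of the breach
    personal_data: bool    # does the incident touch personal data at all?
    risk: Risk

AUTHORITY_WINDOW = timedelta(hours=72)  # report to the authority within 72 hours of awareness

def notification_plan(breach: Breach, now: datetime) -> dict:
    """Decide who must be notified and how much of the 72-hour window is left."""
    tell_authority = breach.personal_data and breach.risk is not Risk.NONE
    tell_individuals = breach.personal_data and breach.risk is Risk.HIGH
    deadline = breach.detected_at + AUTHORITY_WINDOW if tell_authority else None
    hours_left = (deadline - now).total_seconds() / 3600 if deadline else None
    return {
        "notify_authority": tell_authority,
        "notify_individuals": tell_individuals,
        "authority_deadline": deadline,
        "hours_left": hours_left,
        "overdue": deadline is not None and now > deadline,
    }

# Constructed sample incidents for illustration, not real cases.
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=10)
SAMPLE_BREACHES = [
    Breach("INC-001", T0, personal_data=True, risk=Risk.HIGH),      # unencrypted customer export stolen
    Breach("INC-002", T0, personal_data=True, risk=Risk.NONE),      # laptop lost, disk encryption intact
    Breach("INC-003", T0, personal_data=False, risk=Risk.LIKELY),   # build server outage, no personal data
    Breach("INC-004", T0 - timedelta(hours=80), personal_data=True, risk=Risk.LIKELY),  # noticed late
]

def triage(now: datetime = NOW) -> dict:
    """Run every sample breach through the plan and key the results by reference."""
    return {b.ref: notification_plan(b, now) for b in SAMPLE_BREACHES}

if __name__ == "__main__":
    for ref, plan in triage().items():
        print(ref, plan)
```

The late-discovered INC-004 shows the case a plan must handle explicitly: the 72-hour clock runs from awareness, so a breach found after the window has already closed is overdue on the day it is discovered and should be escalated immediately rather than scheduled.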

In short, companies can look on GDPR as a burden and a threat, or as a wake-up call; one that can help them tighten their defences and minimise the risks and effects of a breach. Compliance is essential, but it can also help keep the Wolf and his ilk at bay.