Having caused IT teams – and indeed businesses – turmoil throughout the past number of months, the dreaded General Data Protection Regulation (GDPR) enforcement deadline is now just a matter of weeks away from implementation. 25th May marks the day that European industries will see if their exhaustive preparations will finally come to fruition, and find out, once and for all, whether they are GDPR compliant.
As most in the IT industry are well aware of by now, failure to comply with the impending regulations could land their companies with significant fines of up to 20 million euros, or 4% of its worldwide turnover, depending on which is higher. The prospect of such significant fines has naturally left many IT staff sweating over their final minute preparations and frantically obsessing over the remaining obstacles to ensure their company’s data is used in a secure and transparent manner.
Current state of compliance
So what is the current state of compliance in the UK? Some of the most recent findings suggest that nearly half of businesses expect to be subject to fines for not being prepared. The study, conducted by Ensighten, found that 45% in total are in anticipation of financial reprimand, with some organisations even going as far as setting aside cash to do so.
Whether the reality of the GDPR is quite this severe is questionable, however. Whilst the deadline does represent that companies will now start to be fined for non-compliance, the GDPR should be no means be seen as an endpoint. Even after the deadlines, organisations will need to keep constantly updating their systems to comply with the regulation.
With that in mind, here is a final checklist on what to be aware of ahead of the deadline, outlining the most crucial aspects to look out for, and last-minute solutions to become GDPR compliant.
Last-minute check-up
Conduct end-to-end data inventories
First off, a company-wide data audit is necessary to identify every location where sensitive personal data is either located, processed, stored, or transmitted. In doing so, IT teams should be able to identify and classify personal information more effectively.
Data sharing and processing
Organisations must look at the way data is stored from public-facing websites, customer relationship management systems, direct marketing systems, the corporate intranet and other directory solutions that provide authentication to various data sources.
Ensuring staff training
Staff awareness will be a vital component for compliance when the regulation applies in a few weeks. If not already implemented, training on data protection, the requirements of the regulation, and the rights and freedoms of data subjects should be offered to employees. A simple but thorough do’s and don’ts should suffice for this, as well as tasks to ensure data protection for all subjects.
Last-minute solutions
Backup
Organisations must continue to follow best practices for backup, but the GDPR potentially increases risk depending on how backups are taken. An integrated archive and backup strategy is essential to ensure that only a single instance of data is stored for both. Moreover, cloud-based archiving and backup solutions may offer some advantages here because of their speed of implementation, a particularly important consideration.
Watch out for data classification
Mission-critical corporate systems, which hold personal data in structured formats, are much easier to understand in terms of data protection than the mass of unstructured data and unsanctioned applications. Classification tools can offer an automated method for analysing all data stores and sources in the organisation, identifying personal data and classifying information where necessary. This also extends to difficult-to-find data locations such as copies, exports, backups, and shadow IT cloud services that employees are using.
Data Loss Prevention (DLP)
DLP tools analyse flows of data within emails to identify the presence of personal data using pattern-matching, and other advanced forms of identification. Given a situation where personal data has been identified, and the necessary protections are not in place, DLP tools can help block or quarantine that data from reaching anyone else. Fundamentally, the tools help prevent the most common and frequent type of data breaches: employees sending data that should be protected in an unprotected form, or to people who are not authorised to receive it.
Encrypting your data
Finally, encryption as a preventative measure should not be underestimated. Encryption is specifically mentioned as a data protection measure within the GDPR framework, as breaches are often avoid where this measure is in place. Encrypting data adds a strong level of data protection, using mathematical codes to scramble characters, making it impossible for potential cyber hackers to decipher in any meaningful way. Only when a user has access an encryption key can the data then be comprehended in a meaningful form.
Whilst timing may seem to be of the essence for businesses to get with the GDPR programme, it certainly should not be viewed as a final destination. It is true that when GDPR enters into force businesses will be subjected to significant fines for non-compliance. Yet, with the right awareness of what to look out, as well as solutions that can be implemented, it is still possible for procrastinators to overcome the GDPR and ensure their organisations are compliant.
[su_box title=”About Jim Liddle” style=”noise” box_color=”#336588″][short_info id=’105249′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.