In August 2017, the UK Information Commissioner’s Office fined TalkTalk £100,000 for security failings that enabled an IT contractor to access the personal data of 21,000 customers. The mobile operator could have faced a crippling £59 million fine if the EU’s General Data Protection Regulation (GDPR) had been in place.
The GDPR aims to protect Europeans from privacy and data breaches. It covers all data that can be directly or indirectly linked to an individual. All organizations that process or control the personal data of EU citizens will face heavy fines – €20 million or 4% of global turnover, whichever is greater – if they fail to comply with the GDPR when it takes effect on 25 May 2018.
Is your company ready for the GDPR? Let’s look at three key GDPR requirements and three steps you can take to comply with them before the enforcement date.
What does the GDPR require in case of a data breach?
Article 25 of the GDPR specifies that organizations must protect personal data by design and by default. This means you need to govern who and what – employees, third parties, applications, processes, unmanaged devices – has privileged access to the personal data you handle.
If your company is a data controller, article 33 requires you to notify a supervisory authority within 72 hours of discovering a breach. It also requires you to notify affected customers without undue delay. A June 2017 report by the Ponemon Institute indicated that only 10% of controllers were ready to fulfill these requirements.
The GDPR also requires you to prove that you comply with articles 25 and 33. This means producing accurate, reliable reports that show who or what has privileged access to critical accounts, when they require this access, and what actions they perform.
3 steps to ensure compliance from day 1
1. Protect personal data with effective identity and access management
You need a strong identity and access management (IAM) strategy backed by effective solutions to comply with article 25. An IAM solution that can isolate, monitor, and record all privileged sessions will help you and your partners meet GDPR accountability, notification, and reporting requirements. It will also improve your overall security posture by enabling you to protect critical corporate data such as financial information, contracts, and legal documents.
2. Use automated anomaly detection to respond to breaches quickly
The risk of a massive non-compliance fine should provide ample motivation to deploy a rapid breach detection and response solution. But the right solution can help you do more than avoid financial pain.
A solution that automates anomaly detection and access blocking can help you respond to cyberthreats proactively. This type of solution uses real-time network analytics and traffic profiling to assess environmental risks and identify abnormal user and entity behavior. It can enable you to detect previously unknown threats and attacks and respond to breaches quickly. A fast and effective response can preserve customer confidence and brand value.
3. Demonstrate compliance through auditing and compliance management
The ability to demonstrate GDPR compliance is essential for avoiding fines. It can also provide strategic business benefits. For example, by proving that you can reliably protect personal data, you make your brand more attractive to prospective employees, partners and customers.
Auditing and compliance management solutions can enable you to identify exactly who and what accessed personal data. Solutions that support tamper-resistant audit logs and session recordings enhance overall security and provide the detailed data you need to demonstrate GDPR compliance.
We’re here to help. Discover how the Nokia NetGuard portfolio of security products and professional services can help you assess your GDPR readiness and ensure ongoing compliance.
Download our GDPR white paper for in-depth analysis of the regulation and recommendations that can help you prepare for enforcement.