GDPR or the EU's General Data Protection Regulation is the most significant change to privacy rules the world has ever seen as it guarantees the right for individuals to have their personal data protected and can fine a noncomplying organization as much as $24.5 million dollars or four percent of their global revenue, whichever is higher. It requires consumers to opt-in with a statement or a clear affirmative action to have their personal data used. The law becomes enforceable on May 25, 2018 and applies to data relating to persons residing in the EU or entities located there.
The GDPR for the first time introduces the concept of “data protection by design” into formal legislation. At the conceptual level, this means privacy should be a feature of the development of a product, rather than something tacked on later.
According to the European Commission: "Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life." It can be anything from a name, home address, a photo, an email address, bank details, posts on social networking websites, political or sexual orientation, medical information, or a computer’s IP address.
Companies are required to demonstrate compliance with the GDPR by ensuring they have implemented measures, which meet the principles of data protection by design and ensure data protection by default. Organizations must pseudonymize personal data as soon as possible. In other words, directly identifying data is to be held separately and securely from processed data to ensure non-attribution.
Pseudonymized data which can be used in conjunction with "additional information" to identify a person becomes personal data. In other words, be aware that combining indirect identifiers – things like date of birth, zip code and gender allows for the identification of the majority of people. Companies need to have in place appropriate encryption, hashing or tokenization as well as agreements, policies and privacy by design measures separating pseudonymous data from an identification key.
In determining the amount of the fine for noncompliance, the EU takes into account the nature of the infringement; how many people were affected and the duration of the infringement. Other factors include intention – such as negligence, preventative measures put in place, organizational history, level of cooperation, data type, notification and other factors.
To minimize the risk of a data breach, companies should do all of the following:
1. Cybersecurity training should be performed every six months. It should ideally be live and interactive. Human error is one of the greatest risks to customer data.
2. Auditing and documentation must be performed regularly to ensure systems are secure. This should be done by personnel who don't run the day-to-day operations.
3. Anomaly detection should be running constantly to detect threats as they emerge.
4. Penetration testing (pen testing) shows if systems can easily be reached and breached. Here is a case where such a test might have saved the reputation of two companies. Annual or more frequent pen testing is optimal.
5. An action plan to follow if a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched its response in what is being called a PR catastrophe. Moreover, GDPR specifies an entity has only 72 hours to notify its supervising authority that it has been breached.
There has been a tremendous increase in cybersecurity incidents. In addition to individual hackers and organized crime syndicates, terrorist groups like ISIS and nation-states like Iran, Russia and North Korea are targeting U.S. corporations and government agencies.
No company can be complacent about protecting customer data and remain in business as the threat is becoming greater, cybersecurity insurance rates are growing and government fines are increasing. The longer an organization waits to deal with these issues, the more peril they will likely be in.
Rich Tehrani is CEO of Apex Technology Services and has been quoted in the Economist, New York Times and named a top three RSA 2018 Cybersecurity conference influencer.
Apex has been named a Top 10 Network Security Solution Provider and is a leading provider of Managed & Cybersecurity Services to the asset management industry (Hedge funds, Broker Dealers, Private Equity), Law firms, and other general markets including Media, Government, Healthcare and Education. The company serves boutique financial companies, those in the Fortune 200 and those in-between