The General Data Protection Regulation (GDPR) is widely described as one of the most important changes to data privacy regulation in the past two decades. Its primary purpose is to strengthen the personal data rights of all individuals residing within the European Union and to harmonize the way member states enforce data protection across that geography. The fact of the matter is, most people today do not trust businesses with their personal data, and honestly, who can blame them?
Significant personal data breaches continue to dominate headlines. Most organizations are not taking security seriously enough; some even admit they are well aware of existing security gaps but deliberately look the other way to keep costs down and profitability up. As we’ve seen over the past few months, the media has highlighted both the financial and reputational consequences of being caught in non-compliance, and for good reason.
GDPR will affect organizations globally, because it applies to any organization that processes the personal data of individuals in the EU, wherever that organization is based. An organization found in breach of the regulation faces fines of up to €20 million or 4 percent of total worldwide annual turnover, whichever is higher. Moreover, there are equally serious reputational risks, such as significant brand damage and loss of both consumer trust and loyalty. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.1 This raises a very important question: is your enterprise really ready?
What to Know and Understand
Understand where personal data resides within your organization. Under GDPR, personal data is any information relating to an identified or identifiable natural person: a name, address, location data, online identifier, health information, income, cultural profile and more. Enterprises should map their data flows in a prioritized manner, starting with whatever is considered high risk and with the business processes that gather, process and protect sensitive personal data. CyberArk solutions will help an enterprise lock down the access that both human and non-human users have to critical systems and applications, but before you can do that, you first need to identify exactly where the data resides within your organization. Additionally, any personal data that no longer serves a legitimate business purpose needs to be deleted. Backups and duplicate copies of personal data files might land you in the hot seat if you don’t handle your data subjects’ right to erasure (Article 17) correctly.
Get a handle on your supply chain. One important change in GDPR that was absent from its predecessor, the Data Protection Directive, is the introduction of direct legal obligations for data processors. This change exposes processors to litigation and damage claims directly from data subjects, whereas before, data processors really only needed to concern themselves with the contractual agreements they had in place with their data controllers. Once GDPR is in force, a controller or processor that wants to avoid liability for a breach will have to prove it was not in any way responsible for the event that gave rise to the damage. You might have the most comprehensive GDPR strategy in place, with all the necessary tools and components to protect your personal data, but substantial risk still resides within your third-party vendor supply chain. There needs to be a greater degree of transparency across the supply chain, with a shared responsibility for securing personal data.
Given that GDPR is a complex and far-reaching regulation that cannot be addressed overnight, it’s best not to boil the ocean. Take a pragmatic approach. One of the first and most critical steps for enterprise-level organizations is to partner with an advisory consultant. Most consultancies offer GDPR-specific workshops, detailed assessments, regular testing and actionable guidance. They’ll work with your team to put in place the personnel, processes and technology that align with the strategy best suited to keeping your organization in compliance with this regulation.
I previously discussed five ways CyberArk can help you address GDPR, highlighting some of the key articles within the regulation and how CyberArk can help mitigate the risk of non-compliance. It’s well understood that complying with GDPR cannot be achieved with a single security vendor; it’s a team effort. CyberArk customers also have access to our C3 Alliance Technology Program, which provides a wide range of integrations with security solution providers from around the world. These technology integrations enable an organization to realize a much more comprehensive GDPR solution, as well as bring more value to existing security investments.
Take the first step and download the Security Checklist for Securing Personal Data to get your enterprise ready for GDPR. Visit the CyberArk GDPR solution web page for more information on how privileged account security plays a critical part in safeguarding sensitive personal data.
Don’t get caught in the crosshairs of GDPR non-compliance. Get your enterprise ready before time runs out.
1 Gartner Press Release: “Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation,” May 3, 2017. gartner.com/newsroom/id/3701117