RSA’s latest white paper outlines the EU General Data Protection Regulation (GDPR) and its impact on our cybersecurity strategies. By 25th May 2018 our data privacy regulations will see their biggest change in 20 years, as the GDPR replaces the Data Protection Directive (1995). The regulation is designed to streamline data privacy laws across Europe and to protect the rights of individuals regarding their personal data. Its application extends beyond EU boundaries: it applies to any business anywhere in the world that handles data from an EU citizen.
The GDPR defines personal data as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
As the white paper outlines, EU citizens are entitled to the following rights under GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure – also known as the right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
Businesses that are not in full compliance with the terms of the GDPR by 25th May 2018 will face hefty fines, starting from 2% of annual global revenue. Until now there have been several inconsistencies in how businesses could apply data protection policies, so the introduction of the GDPR will make the laws clearer and easier to adhere to. As the white paper explains, non-compliance will ‘propel data protection as a business risk directly into the boardroom’.
Understanding the risk associated with the GDPR and cybersecurity is the first step in avoiding it. Businesses need to understand exactly where, and from whom, they obtain their data, and must be able to show accurate records of this. Getting on top of data documentation is essential, and, as the white paper advises, encouraging an understanding of technical risk among all business leaders will ensure that all decision making takes this legislation into account. Compliance has to be independently verified, so it is important that a data management process is developed in house to avoid additional auditing costs.
RSA advises implementing a Business-Driven Security Strategy for the GDPR to avoid compliance issues and to promote better risk management practices. The strategy would cover the assessment of IT infrastructure, business processes, technical and organisational measures, and electronic and physical security.