
As the digital world continues to grow, more people are paying close attention to what happens to the data they own and generate.


In Europe, EU institutions have paid attention to citizens’ demands for greater data protection. That’s why, on 14 April 2016, the EU adopted a new regulation, Regulation (EU) 2016/679 (also known as the General Data Protection Regulation or GDPR), giving citizens of EU countries greater rights over their personal information and placing greater obligations on organisations to protect this data.


Applying from 25 May 2018, the GDPR will legally require your organisation to build in data protection ‘by design and by default’, and to protect personal data wherever it is processed or moved.


The GDPR gives citizens the right to be forgotten (the right to erasure), the right to be told when their personal data falls into the wrong hands (eg hackers) where the breach is likely to put them at high risk, and spells out the need for explicit consent (in certain cases, such as special categories of data) prior to processing personal information.


Building customer trust.


Adapting to GDPR means shifting how you view data protection and security, so you'll need to know you have the right cyber security tools and processes in place to prevent the loss or theft of your customers’ data.





Data protection might be something you have to do, but the new regulation also offers you the chance to redesign your security strategies in a way that builds a strong brand based on customer trust.


Citizens are ever more aware of how vulnerable their information is, and smart organisations are already taking steps to build protections into every aspect of their operations. The GDPR will make compulsory what is already good practice around data protection and privacy.


And getting it right will open new doors: “Digital transformation unlocks huge potential – but it also raises significant data protection and privacy risks,” says BT's Head of Data Security for Europe Jose Francisco Pereiro Seco.


Get your security ready before the 2018 ‘switch on’.


There are serious consequences for organisations who fail to comply with GDPR, with fines of up to four per cent of your global annual turnover or €20 million, whichever is higher.


So now is the ideal time to plan and implement how you’re going to ensure compliance. Without a successful security strategy in place, it’ll take just one data-security breach to trigger financial, regulatory and reputational consequences.


Every part of your security programme needs to know where personal data is and protect it accordingly, so you can confidently comply with the various legal, regulatory and industry requirements. You’ll also need to be able to demonstrate that the technical and organisational security measures you have in place are appropriate to the risks you face and the criticality of the data you hold.


We recommend four simple steps to ensure you’re ready for the May 2018 ‘switch on’.


  • Start by achieving a thorough understanding of how personal data moves around your business. Make sure to take into account the associated processes, too.
  • Establish a specific work stream for security review (using gap analysis and assessment) within your data-protection programmes.
  • Get working on addressing any gaps you identify and redesign the relevant security architecture where necessary.
  • Reassess your technical and organisational security controls to support compliance with the GDPR, with particular focus on developing security processes to detect and mitigate data leaks.


Six principles of compliance.


Before May 2018 you also have to prioritise and ensure privacy across the complete lifecycle of any business activity.


“No matter how far forward your organisation may be along the path to GDPR, it’s worth reviewing your progress against the following six key principles of compliance to make sure your security is watertight,” explains Pereiro Seco:


Proactive: Make sure your systems and processes proactively seek out potential privacy infringements – and tackle them before they become an incident that is reportable under the GDPR.


Default: Protection and privacy compliance must be built into your IT systems and processes so that they happen automatically, without any action on the part of the individual.


Embedded: At every level, privacy must be an essential component of your organisation’s functionality.


Transparent: Everything you put in place for GDPR compliance must be open to, and able to stand up against, independent verification. Whatever the business practice or technology involved, it must demonstrably operate according to its stated privacy objectives.


End-to-end security: You must consider the full lifecycle of the privacy protection you put in place, embedding it into the system from the first step of data processing.


Full functionality: At every turn, you need to plan data protection comprehensively and in a way that accommodates all legitimate interests, without trading business functionality off against privacy or security.


Following these six principles will make sure your preparation for GDPR is both sufficiently robust for compliance, and ready to put you at an advantage in the digital era.


Download our white paper to discover how the right reassessment of your data protection and security will help you achieve GDPR compliance.