Burden on businesses with new EU data security law
Over four years in the making, it was finally completed in April 2016.
As technology became more integrated into our lives, personal data, security, and privacy have been a hot topic. Last January, the long process of creating and agreeing on new legislation designed to reform the legal framework for ensuring the rights of EU citizens to a private life was completed, and the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) was born.
What does this mean?
Simply put, organizations must keep records of all personal data, prove that consent was given to collect that data, show where the data is going, the purpose of its use, and how it is being protected. Enforcement begins on May 25th, 2018. That’s much less than a year away.
Now that the final text of the GDPR is known, the next step for organizations is to identify how this new legislation will impact them and begin making the appropriate technological changes, as there are significant fines for organizations that are breached and found not to be GDPR compliant (20 million euros or 4% of annual revenue, whichever is greater). This penalty has the potential to sink businesses.
If you are reading this from a non-EU nation, this law still applies to you. Any organization that collects and stores the personal data of EU citizens falls under the long arm of this new law. Continue reading, as the reality of GDPR is that almost every website and app in the world will be required to comply with it in one way or another.
The good, the bad, the ugly
On one hand, the benefits are obvious. GDPR requires organizations to take a more sophisticated, considered approach to capturing data about their customers and to ensure it is processed correctly. It also gives citizens and residents more rights:
- Right to access their personal data;
- Right to correct errors in their personal data;
- Right to erase their personal data;
- Right to object to processing of their personal data;
- Right to export their personal data.
On the other hand, this forces organizations to accept a long list of responsibilities. If the organization processes data, it must:
- Protect personal data using appropriate security practices
- Notify authorities within 72 hours of breaches
- Receive consent before processing personal data
- Keep records detailing data processing
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
- Train privacy personnel and employees
- Audit and update data policies
- Employ a data protection officer (for larger organizations)
- Create & manage processor/vendor contracts
Notify authorities within 72 hours of a breach?
This is a headline grabber. GDPR requires that organizations report all breaches to authorities, including the breached data and people affected, within 72 hours.
Damage to brand reputation could be tremendous. Based on a survey conducted by OnePoll, nearly 87% of respondents stated that they would likely not do business with an organization that suffered a data breach. That’s on top of all regulatory penalties.
To protect your business from financial and social disaster, it’s better to be prepared and do everything in your power to avoid a breach. Take a moment: is your firm able to demonstrate that it took all reasonable steps to protect personal data from threats?
Complexity is the enemy of security
For most organizations, passwords are the weak link, more specifically, how people use passwords.
Over the years, policy has called for ever more complicated passwords in the name of stronger authentication. Today, average users not only struggle to create a “strong password,” but they also have no hope of remembering it.
How do users cope with the demand for a “strong password”? It’s a habit for many people to write down passwords or, worse, reuse passwords across multiple services for convenience. Password reuse makes it easier for cybercriminals to hijack accounts and get their hands on sensitive and personally identifiable data, and not only the data of the person whose account was hacked.
Even though GDPR does not mandate two-factor or multifactor authentication solutions per se, a careful review of the law leaves no doubt that if static passwords are left in place and a breach occurs, the auditors will come knocking on the door.
Why wait until a breach before implementing 2FA?
Two-factor authentication is simple to implement and affordable. It’s a security measure that mitigates most credential-based attacks, and it does not require much user training or a group of consultants to implement. It’s low-cost, with a high impact.
Don’t wait until the law takes effect in May 2018 to prepare, secure users, and strengthen authentication. With stolen credentials being the leading cause of breaches, finding ways to combat that risk and reduce the threat landscape will help strengthen an organization’s overall security posture and avoid penalties.