US Needs To Get Its Data Ready For GDPR

Uploaded on 2017-07-19 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

In response to the ever-increasing number of high-profile data breaches, lawmakers and regulators around the world are enhancing existing data security compliance requirements, implementing new legal frameworks and defining new data security regulations to respond to increasing internal and external threats.

In December of 2015, the European Union agreed to a draft of one such legal framework known as the General Data Protection Regulation, or the GDPR.

These new requirements will go into effect May 2018, but this year is an important one to prepare for compliance as this regulation affects every business offering goods or services to EU citizens regardless of where the company resides.

The GDPR was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations approach data privacy. But what does it actually mean for organisations that maintain data? And why should they take it seriously?

Here’s what US organisations need to know about the impending GDPR requirements:

1. Larger penalties for data breaches

Even without any supposition or accusation of deliberate misuse of personal data (which is still a major part of the regulation), the introduction of the GDPR will place an even greater onus on organisations to safeguard the personal data they hold from accidental disclosure and cyber-attacks.
If they fail to take the proper steps and protect that data, the limits on penalties for breach are much larger than most have dealt with before, with reported fines of up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.

2. Outsourced risk no longer means passing the buck

The new rules also make clear another important factor: that you can outsource your risk, but you can’t outsource your responsibility.

If organisations use a third-party provider to store or handle data, such as a cloud provider, they are still responsible for the correct handling and protection of personal data and must be able to demonstrate how the data is protected at all times, whether in their own or in the remote system.
Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.

3. Creation of the data protection officer

One of the most drastic changes brought about by the GDPR is the creation of an entirely new role within any organisation that interacts with EU citizen information, the “data protection officer.”

In a nutshell, the DPO will be in charge of making sure that EU citizens’ data is compliant with GDPR regulation. And if things should go wrong? The DPO’s neck will be on the line, facing large fines and even potential jail time if the data is not properly protected and compliant. The major hurdle in the creation of this new role is that thousands of DPO positions will need to be filled in the coming year.

4. Trust through capabilities, not contract

In the days of the GDPR’s predecessor, Safe Harbor, compliance was primarily based on a “trust through contract” model, allowing any certified entity to process personal data that had been transferred from Europe.

With the GDPR, organisations must now possess clearly demonstrable data protection capabilities for the data of EU citizens. In the coming year, it’s going to be interesting to see how many organisations will be forced to shift their business models dramatically in order to maintain compliance with GDPR regulation.

5. Providing online access to personal data

Organisations will now have to provide citizens with online access to any of their own personal data they store. With the GDPR in effect, organisations must make this available for download ‘where possible’ and ‘without undue delay.’

This is a very significant change; making these online data protection requests secure, in the context of these new stricter rules for protecting it at all times, will represent a significant challenge to many organisations and will require adoption of robust cybersecurity technology across the board.

As we get closer toward the GDPR’s enactment, we’re going to see a lot more activity and questions from US-based companies (and their legal counsel) around the day-to-day impact of this new legislation. I anticipate that companies will be reviewing their data security best practices throughout 2017 to ensure that they are in compliance with these stringent EU standards.

The advice to businesses is to start planning and mapping out their security strategies right away. In doing so, organisations can allow themselves the time to adopt the appropriate technologies and, ultimately, to prevent themselves from falling behind the data privacy curve.

Information Management:

You Might Also Read:

British Businesses Are Unaware Of Data Protection Laws:

Report Predicts Banks To Get €4.7bn Fines In First 3 years Under GDPR:

 

« Guide to Russian Infrastructure Hacking
The Impact Of AI On Employment Demands New Thinking »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CompliancePoint

CompliancePoint

We design and implement strategies, processes & procedures to mitigate risk, reach compliance goals, protect data assets, and meet industry standards.

MailXaminer

MailXaminer

MailXaminer is an advance and powerful email investigation platform that scans digital data, performs analysis, reports on findings and preserves them in a court validated format.

Wise-Mon

Wise-Mon

Wise-Mon is expert in its field of network monitoring and control. We give solutions to huge organizations with tens of thousands of ports, as well as small companies with one switch.

Vilnius Tech Park

Vilnius Tech Park

The region‘s most complex and integrated ICT hub, Vilnius Tech Park aims to attract and unite innovative talent from big data, cyber security, smart solutions, fintech and digital design.

C5 Capital

C5 Capital

C5 Capital is a specialist investment firm that exclusively invests in the secure data ecosystem including cybersecurity, cloud infrastructure, data analytics and space.

Blackpoint Cyber

Blackpoint Cyber

Blackpoint’s mission is to provide effective, affordable real-time threat detection and response to organizations of all sizes around the world.

Tesserent

Tesserent

Tesserent (formerly Pure Security) is a full-service cybersecurity solutions provider. We partner with clients across Australia and New Zealand in the protection of their digital assets.

CYBRScore

CYBRScore

CYBRScore is a premium, performance-based cyber skills training and assessment provider that quantifies a user’s ability to defend a network.

Graylog

Graylog

Graylog provides answers to your team’s security, application, and IT infrastructure questions by enabling you to combine, enrich, correlate, query, and visualize all your log data in one place.

Nisos

Nisos

Nisos provides unrivaled protection of your reputation and assets through the practice of Active Defense.

Infisign

Infisign

Infisign addresses the challenges of traditional IAM systems and offers a comprehensive solution for modern identity management.

Spec

Spec

Spec is the only no-code orchestration platform that protects enterprise fraud defenses from being blocked, bypassed, and manipulated by modern attack tactics.

IT Solutions Consulting

IT Solutions Consulting

IT Solutions is a full-service IT partner providing managed services and other information technology solutions nationwide.

CloudBees

CloudBees

CloudBees is building the world’s first end-to-end automated software delivery system, enabling companies to balance governance and developer freedom.

Defend-OT

Defend-OT

Defend-OT is a Belgium-based cybersecurity firm specializing in OT environments.

Black Duck Software

Black Duck Software

Black Duck (formerly the Synopsys Software Integrity Group) is the market leader in application security testing (AST).