US Needs To Get Its Data Ready For GDPR

Uploaded on 2017-07-19 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

In response to the ever-increasing number of high-profile data breaches, lawmakers and regulators around the world are enhancing existing data security compliance requirements, implementing new legal frameworks and defining new data security regulations to respond to increasing internal and external threats.

In December of 2015, the European Union agreed to a draft of one such legal framework known as the General Data Protection Regulation, or the GDPR.

These new requirements will go into effect May 2018, but this year is an important one to prepare for compliance as this regulation affects every business offering goods or services to EU citizens regardless of where the company resides.

The GDPR was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations approach data privacy. But what does it actually mean for organisations that maintain data? And why should they take it seriously?

Here’s what US organisations need to know about the impending GDPR requirements:

1. Larger penalties for data breaches

Even without any supposition or accusation of deliberate misuse of personal data (which is still a major part of the regulation), the introduction of the GDPR will place an even greater onus on organisations to safeguard the personal data they hold from accidental disclosure and cyber-attacks.
If they fail to take the proper steps and protect that data, the limits on penalties for breach are much larger than most have dealt with before, with reported fines of up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.

2. Outsourced risk no longer means passing the buck

The new rules also make clear another important factor: that you can outsource your risk, but you can’t outsource your responsibility.

If organisations use a third-party provider to store or handle data, such as a cloud provider, they are still responsible for the correct handling and protection of personal data and must be able to demonstrate how the data is protected at all times, whether in their own or in the remote system.
Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.

3. Creation of the data protection officer

One of the most drastic changes brought about by the GDPR is the creation of an entirely new role within any organisation that interacts with EU citizen information, the “data protection officer.”

In a nutshell, the DPO will be in charge of making sure that EU citizens’ data is compliant with GDPR regulation. And if things should go wrong? The DPO’s neck will be on the line, facing large fines and even potential jail time if the data is not properly protected and compliant. The major hurdle in the creation of this new role is that thousands of DPO positions will need to be filled in the coming year.

4. Trust through capabilities, not contract

In the days of the GDPR’s predecessor, Safe Harbor, compliance was primarily based on a “trust through contract” model, allowing any certified entity to process personal data that had been transferred from Europe.

With the GDPR, organisations must now possess clearly demonstrable data protection capabilities for the data of EU citizens. In the coming year, it’s going to be interesting to see how many organisations will be forced to shift their business models dramatically in order to maintain compliance with GDPR regulation.

5. Providing online access to personal data

Organisations will now have to provide citizens with online access to any of their own personal data they store. With the GDPR in effect, organisations must make this available for download ‘where possible’ and ‘without undue delay.’

This is a very significant change; making these online data protection requests secure, in the context of these new stricter rules for protecting it at all times, will represent a significant challenge to many organisations and will require adoption of robust cybersecurity technology across the board.

As we get closer toward the GDPR’s enactment, we’re going to see a lot more activity and questions from US-based companies (and their legal counsel) around the day-to-day impact of this new legislation. I anticipate that companies will be reviewing their data security best practices throughout 2017 to ensure that they are in compliance with these stringent EU standards.

The advice to businesses is to start planning and mapping out their security strategies right away. In doing so, organisations can allow themselves the time to adopt the appropriate technologies and, ultimately, to prevent themselves from falling behind the data privacy curve.

Information Management:

You Might Also Read:

British Businesses Are Unaware Of Data Protection Laws:

Report Predicts Banks To Get €4.7bn Fines In First 3 years Under GDPR:

 

« Guide to Russian Infrastructure Hacking
The Impact Of AI On Employment Demands New Thinking »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Italian Association of Critical Infrastructure Experts (AIIC)

Italian Association of Critical Infrastructure Experts (AIIC)

AIIC acts as a focal point in Italy for expertise on the protection of Critical Infrastructure including ICT networks and cybersecurity.

J2 Software

J2 Software

J2 Software is a leading African Information Security and ICT business providing information security, governance, risk and compliance solutions.

GreyCampus

GreyCampus

GreyCampus is a leading provider of training for working professionals in the areas of Project Management, Big Data, Data Science, Service Management, Quality Management and Information Security.

SCIS Security

SCIS Security

SCIS Security provides affordable cyber security services and solutions to small to medium sized businesses and homes.

Ekran System

Ekran System

Ekran System is an advanced insider threat detection solution for companies of any size.

Egyptian Supreme Cybersecurity Council (ESCC)

Egyptian Supreme Cybersecurity Council (ESCC)

ESCC is responsible for developing a national strategy to face and respond to the cyber threats and attacks and to oversee its implementation and update.

Anitian

Anitian

The Anitian Compliance Automation platform builds, configures, and monitors cloud environments to accelerate compliance for standards such as FedRAMP, PCI, ISO/GDPR and CJIS.

Blackfoot Cybersecurity

Blackfoot Cybersecurity

At Blackfoot, we work in partnership with you to deliver on-demand cyber security expertise and assurance, keeping you one step ahead of threats & compliant with regulations.

Netizen

Netizen

Netizen is an award-winning company that develops and leverages innovative solutions to enable a more secure cyberspace for clients in government and commercial markets.

Silent Sector

Silent Sector

Silent Sector is a cybersecurity services company that specializes in providing a wide range of managed security services.

CyberNet Albania

CyberNet Albania

Cybernet Albania has been providing IT support and services to small businesses since 2016. We strive to eliminate your IT issues before they cause downtime and impact your operations.

Evanssion

Evanssion

Evanssion is a value added distributor specialized in Cloud Native & Cyber Security across Middle East & Africa.

TIM Enterprise

TIM Enterprise

TIM Enterprise offers innovative, sustainable and secure 360-degree digital solutions to companies and public administrations.

CERT.ar

CERT.ar

CERT.ar is the national Computer Emergency Response Team for the technical-administrative management of computer security incidents in the National Public Sector of Argentina.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

SECQAI

SECQAI

At SECQAI we create dual-use hardware and software to enable the future of computing.