An interesting side-effect of the GDPR has been the number of non-EU websites that have decided to block their content from EU-based readers. Whether this will be permanent or a temporary strategy until those organizations have a better feel for how the GDPR will play out, only time will tell.
It’s May 26. What should organizations do now?
For most organizations it’s about fixing the most obvious deficiencies first. And for most organizations that means making sure that the most visible part of the organization, their web site, conforms to the regulation. If an organization uses personal data as part of its outbound marketing activities, it’s imperative that it has reached out to its installed base to re-obtain permission to continue to hold and use that personal data.
Behind the scenes, however, each organization needs to take stock of its data collection processes and procedures and work on the much harder task of identifying and organizing the personal data that it holds. We can assume (hope) for a moment that new data, that is, the data obtained after May 25 2018, is treated in a GDPR-appropriate manner. Depending upon any number of factors, including what sort of legacy IT systems are still in use and/or an organization’s cloud strategy, this process could be significant.
But there is one other area where organizations might be playing a dangerous game, and that’s their cyber defenses. Since most organizations, and certainly the larger enterprises, service providers and government entities, already have network security technologies in place, they are inclined to rely on existing capabilities while they address other aspects of GDPR compliance.
The problem with this approach is that it assumes their current capabilities can meet the challenge of both preventing attacks from becoming a data breach and meeting the 72-hour reporting window. Because organizations are more likely to be fined for a data breach than for any other form of non-compliance, they should be looking at their current capabilities much more closely, identifying those areas which require attention and developing a comprehensive plan to address them.
More importantly, organizations should treat the GDPR as the opportunity to initiate a much larger, holistic review of their cyber security capabilities, rather than an inventory of which products, technologies and vendors they have and which ones they still need to acquire.
In this environment of increased scrutiny and regulation, and a threat landscape that has grown in both volume and complexity, organizations must have absolute confidence that their network security infrastructure can comprehensively protect their network. This means blocking as many attacks as possible, regardless of where they occur, and quickly detecting any intrusions that do make it through the first line of defense. Once an intrusion is detected, the infrastructure should be able to respond to it in order to minimize any potential damage. By doing so, organizations will be better able to determine whether reporting the incident to the appropriate data protection authority is warranted.
However, there is no single technology which can do all of this. Organizations reviewing their operational capabilities in light of the stringent requirements of the GDPR should take this opportunity to look beyond just what the GDPR calls for. In particular, organizations should look at whether their current network security posture can fully support their current business requirements and foreseeable future requirements.
To some, the GDPR signals the beginning of a new era that resets the relationship between data subject and data collector in favor of the data subject. To others, it’s another example of an unnecessary and over-reaching regulation, particularly in the eyes of non-EU organizations. While only time will tell how effective the GDPR will be, the expectation is that increased awareness of the collection, use and protection of personal data is very much an improvement on current practices.
The other important point is that organizations should treat the GDPR as a business opportunity rather than a one-off compliance effort. GDPR compliance is a continuous process that will need to be constantly evaluated and adjusted over time.
By Patrick Grillo – Fortinet