The General Data Protection Regulation (GDPR), enacted in 2016, becomes effective in May. It requires organizations that handle the personal data of European Union (E.U.) citizens to ensure adequate protection is in place to prevent theft or misuse.
If you live in the E.U. or work for a multinational corporation, this certainly isn’t news; however, many U.S.-based entities don’t realize they are affected.
What you need to know
The GDPR requires businesses to protect the personal data and privacy of E.U. citizens for transactions that occur within E.U. member states. It also applies to entities with no physical presence in the E.U. if they control or process covered personal information of E.U. residents.
Your involvement could be for something as simple as a marketing survey—there doesn’t have to be a financial transaction involved.
You are affected
As written, the regulation applies to almost every firm with more than 250 employees, and to most with fewer if they have a significant online presence and market in the E.U.
It’s not surprising that software services and e-commerce companies will need to review their policies relative to the GDPR, but the impact reaches far beyond the usual suspects.
The hospitality industry and higher education are two good examples.
For instance, if you have even one student applying from the E.U., you are exposed. Inside Higher Education spells it out: “Any institution that receives admissions from residents in the E.U. will need to process their data according to the stipulations of the GDPR. Additionally, European study abroad programs will certainly be affected. So too will information on alumni or donors based in the E.U.”
Likewise, if you are a hotelier with one guest who, while at home in Rome, books a room in your New York hotel, your organization is subject to the GDPR’s requirements.
Other examples abound; it doesn’t take much imagination to recognize them.
Silence does not mean consent
Perhaps the most significant change is that applications and databases must have privacy enabled by default. To comply with the GDPR, companies essentially have to switch from an “opt-out” approach to an “opt-in” one: Rather than being forced to opt out of having their personal data collected and stored, individuals will instead have to give organizations their express permission with regard to their data. “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.” (GDPR)
It obviously makes sense to treat all personal data this way going forward.
But there are some aspects you shouldn’t handle alone.
We can help
Even global enterprises were having trouble getting up to speed, based on a survey of 500 global cyber security professionals. The 2017 EU GDPR Report from Crowd Research Partners found that the primary challenges in becoming compliant with E.U. GDPR policies are lack of budget (32%), limited understanding of the regulations (29%), and lack of expert staff with critical skills (28%).
We can’t put more money in your budget, but our comprehensive security solutions give you a one-stop shop, saving you money. And working with Avalon will cost considerably less than it would to set up your own program in house. Our team has the expertise and critical skills required. We understand the regulations and—more importantly—we understand what they mean for you.
Moreover, you need a vendor who understands cyber security and whose experts provide round-the-clock coverage. Our managed detection and response (MDR) team becomes your 24/7 security operations center.
Track and record everything
The GDPR states that every controller must track and record all processing activities under its responsibility.
Our Knight Vision Managed SIEMPLUS centralizes logs from applications, systems and networks, allowing companies to monitor all user and system activity and to identify any suspicious or malicious behavior. With our Managed SIEMPLUS combined with our MDR service, we gain a 360° view of your systems. This allows us to investigate suspicious behavior, including analyzing what kind of attack method was utilized and enabling us to look at related events, source IP addresses, destination IP addresses and other details.
Significantly, our SIEM tool can also record activity on public and private clouds, which is an essential part of compliance with the GDPR.
Constant monitoring is more important than ever because of another crucial element of the regulation: 72-hour notice of breaches.
Only 72 hours
Data breaches must be reported to the relevant authorities “without undue delay,” and not later than 72 hours after you become aware of the breach. Complying requires having in place robust breach detection, investigation, and internal reporting systems.
Our MDR solution combines the power of user behavior analytics, endpoint detection and response, and log analysis to unify security data in order to detect, investigate, and remediate incidents and breaches. Through Knight Vision MDR, we can provide the real-time alerting, correlation, analysis, and auditing that security and compliance need.
Keep in mind that you don’t always know when a breach occurs. On average, it takes 191 days to detect a threat and 66 days to contain it, according to a 2017 Ponemon Institute study. Compare this to the 72-hour reporting mandate, and you see the problem. Moreover, breaches are inevitable. That’s why you need monitoring and a detection and response strategy to comply.
Let’s be blunt: The E.U. isn’t fooling around.
Penalties are severe. They can be as high as 4% of the annual global revenue of the preceding financial year or €20 million (roughly US$22 million). To put that in perspective, based on 2015 revenue, that would be US$1.8 billion for Coca Cola and $8.6 billion for Apple.
The GDPR is casting a wide net. You don’t have to believe us—here’s what Elizabeth Denham, U.K. Information Commissioner at the Information Commissioner’s Office, had to say.
“And our enforcement powers aren’t just for ‘typical’ data breaches, like laptops left on trains or information left open to a cyber attack. The GDPR gives regulators the power to enforce in the context of accountability—data protection by design, failure to conduct a data protection impact assessment…and documentation. If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.”
Don’t risk your company’s revenue, reputation, or future. Even if you aren’t within reach of the very long arm of the GDPR, keep in mind that it’s 2018. You will face a cyber attack. Your only option is to be prepared.
Contact us today for a free security assessment.