Avoiding fines for data breaches

The General Data Protection Regulation (GDPR), the most important change in data privacy in 20 years, will take effect on May 25, 2018. The new regulation, in force since April 2016, replaces the current data protection directive of 1995, and is truly enforcing data privacy. Its objectives are to give Europeans control over their personal data by simplifying the regulatory environment for international business.

The impact for companies is serious: Unlike previous privacy legislation in Europe or elsewhere, the GDPR authorizes the government to impose severe fines up to 20 million Euros or 4% of the annual global revenue, whichever is higher. And unlike the protection directive it’s replacing, the GDPR applies to all companies in all countries in and outside the EU who handle data collected from residents of Europe.

The GDPR is the most stringent and comprehensive data privacy regulation to date, and there is no marginalizing the amount of time and effort it will take companies to properly comply. A survey found that only 9% of SMB companies say they are prepared for the regulation, while 32% said their organization doesn’t have any plan in place, despite knowing the financial consequences of non-compliance.

Below are some essential questions every company should ask themselves as they progress towards GDPR compliance.

What data is your organization collecting?

The GDPR separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights. Many companies will find it difficult to even begin engaging the right processors to meet GDPR compliance because they are unaware of what personally identifiable information is being collected and who’s involved in that process. A thorough analysis of the business process is pertinent as well as a detailed inventory of the personal data stored in all possible hardware (e.g. servers, notebooks, DVD and CD ROM’s, USB sticks etc.) as well as any clouds used by the company or its employees. It’s also important to have conversations with those in charge of handling the data. These conversations should pertain to what the data is being used for, how and where it is being collected and stored, and whether its collection is necessary or not.

How is the organization securing this data?

The GDPR requires that data be processed in a way that ensures an appropriate level of security, including “protection against unlawful processing, accidental loss, and destruction of data.”

The problem most companies will face on the way to ensuring this level of security is that they are unaware of who has access to sensitive data. With cyber risk abounding and data breaches dominating headlines, the customers’ data privacy is of utmost importance. It is often the case that the organization has policies in place that stipulate how data should be secured. However, it’s one thing to have a policy in place, and another to ensure it is implemented.

What response systems are in place if a breach should occur?

The GDPR mandates that a breach has to be reported to the supervisory authority and all potentially affected individuals within 72 hours of occurring.

A problem companies may encounter when addressing this stipulation is that they do not have a system in place that, one, knows exactly who the affected parties would be, and two, has the power to alert these parties in such a short amount of time.

Can the organization prove GDPR compliance?

Those that fail to show they are taking steps to comply with the GDPR will face fines and liability for negligence. Let’s assume a company is taking steps towards GDPR compliance and a breach occurs. The organization will be able to avoid these fines if they can prove they’ve taken steps towards compliance by way of thorough reporting and documentation. If companies have taken these steps, but cannot prove it, they will be held liable as the regulation clearly stipulates the obligation to demonstrate compliance. Many organizations find it difficult to prove compliance even when they’re taking the steps to achieve it. This may be because they do not have a system in place to keep track of the multitudes of processes involved in a large regulation like the GDPR. Or perhaps they are trying to document their progress, but do not have a way of consolidating the documentation.

The Key to Successful GDPR Compliance

Survey results show that 82 percent of global IT and business professionals responsible for data security at both SMBs and enterprises are concerned with GDPR compliance. Although the majority of global IT and business professionals express compliance concerns, respondents lack general awareness of GDPR, and they are neither prepared for it now, nor expect to be when it goes into effect. Respondents in Germany feel most prepared for GDPR (44 percent), while respondents in Benelux (Belgium, the Netherlands, Luxembourg) feel least prepared (26 percent). More than 75 percent of respondents outside Europe say they are not or don’t know if they are prepared for GDPR. Here is some general advice:

Hire a data protection officer (DPO). A requirement for GDPR for all companies with more than 10 employees, the position can be full-time, or filled by an employee with other responsibilities or an outsourced agency.

Control access management. To satisfy GDPR, employees and contractors must have the correct access permission to do their jobs and nothing more.

Protect the perimeter and facilitate secure mobile access.

Establish a personal data handling policy and include security and appropriate protection.

Document all your internal methods and regulations and have proof available for any audits.

What to do with Email communication and Large file transfer

While many companies have already secured their hardware and access channels through the course of the past years, no security had been applied for email communication or data transfer. An average employee sends about 10 – 20 emails a day and many of them may contain sensitive personal data such as religion, ethnic origin, political orientation, health and others. The RMail plug-in helps to avoid such a breach with a patented solution for an auto-TLS encryption when sending emails to recipients. The plug-in can also provide end-to-end encryption with password protection and has the capability to transfer large files up to 1 GB securely. This method guarantees full compliance by using state-of-art encryption and also provides an auditable proof with all requested information about the sender and the recipient, the IP locations, the routing of the email including UTC time stamps. The RMail solution enjoys by far the highest acceptance due to the simplicity at the senders’ side and the fact, that any recipient can receive all these encrypted messages without having to register, enroll or click through hundreds of obstacles before reading the content of such an email. It’s high time to get started….

Click here to find out more about RMail