Changes in legislation such as GDPR consistently rank near the top of business risk lists. For instance, in the latest Horizon Scan Report 2017 issued by the Business Continuity Institute, this type of risk ("New laws or regulations") was placed 10th, a solid jump from 14th place in the previous BCI report. Moreover, in both reports legislation risks were positioned 4th in the "Emerging Trends and Uncertainties" category.
Sitting that high on the business risk scale, these risks are not going away any time soon. So what steps should a company take to keep up with constant changes to laws and regulations? Let's take a closer look at GDPR, the latest EU-wide change in data protection regulation.
What Is GDPR?
The General Data Protection Regulation (GDPR) is the latest update to EU privacy regulation, adopted in April 2016. GDPR significantly strengthens the requirements on protection of personal data. Some analysts have noted that the new law raises the thorny question of whether businesses can meet such a challenge. At the same time, the new regulation is considered a significant milestone in the global roadmap of privacy protection. GDPR affects all sectors of the economy and brings really noticeable changes, namely:
An extended definition of personal data
Mandatory and more rigorous reporting of data breaches, and stronger rights for data subjects (e.g. the "right to be forgotten", i.e. erasure of their personal data on request)
Severe fines for misuse of personal data or non-compliance.
The legislation pays more attention to information security (confidentiality, integrity, and availability of personal data) and urges every business that handles the personal data of EU residents, whether or not it is based in the EU, to review how that information is handled and protected (e.g., personal data of its customers and employees).
GDPR – the Good, the Bad or the Ugly?
GDPR has launched a storm of critical discussion online and in the mass media. We at Infopulse expect that many companies will need to introduce new, or strengthen existing, technical and administrative measures to protect information. The first security controls to review for an update are user access control, key management, and data encryption. Additionally, companies have to do serious homework on data minimization (collect and keep only what a stated purpose needs), anonymization (irreversibly removing the link to a person) and pseudonymization (replacing identifiers with tokens that can only be linked back using additional information kept separately, such as a secret key). GDPR also expects organizations to demonstrate a management system for the continuous improvement of security, which can be based on ISO/IEC 27001 or any equivalent standard.
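The difference between "a hash of the e-mail address" and real pseudonymization is where practitioners most often get this wrong, so here is an added worked example; it is not code from the original article or from Infopulse. It uses constructed sample records and a throw-away key generated at import time (assumption: in production the key would live in a KMS or HSM, separate from the dataset and its backups). An unkeyed SHA-256 of an identifier is deterministic, but anyone who can enumerate plausible inputs recovers the originals with a dictionary attack; an HMAC with a secret key keeps the same linkage property for analytics while remaining unlinkable to the person without the key.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people or real data.
RECORDS = [
    {"id": 1, "email": "alice@example.com", "purchases": 3},
    {"id": 2, "email": "bob@example.org", "purchases": 1},
    {"id": 3, "email": "carol@example.net", "purchases": 7},
]

# Constructed word list an attacker might hold (the real addresses plus noise).
ATTACKER_WORDLIST = [
    "alice@example.com", "bob@example.org", "carol@example.net",
    "dave@example.com", "erin@example.org",
]

# Demo key only. Assumption: a real deployment fetches this from a KMS/HSM,
# never stores it next to the pseudonymized records, and rotates it.
DEMO_KEY = secrets.token_bytes(32)


def weak_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. Deterministic, but reversible by anyone who can
    guess the input space (e-mail addresses are easy to enumerate)."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Still deterministic, so records about
    the same person stay linkable, but not invertible without the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Return copies of the records with the direct identifier removed and
    replaced by a keyed pseudonym (data minimization + pseudonymization)."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def dictionary_attack(pseudonyms, wordlist, guess_fn):
    """Attacker model: apply guess_fn to every candidate and look for matches.
    Returns {pseudonym: recovered_email} for every pseudonym that was recovered.
    The controller re-identifies the same way, but with guess_fn bound to the key."""
    table = {guess_fn(word): word for word in wordlist}
    return {p: table[p] for p in pseudonyms if p in table}


if __name__ == "__main__":
    weak = [weak_pseudonym(r["email"]) for r in RECORDS]
    print("unkeyed hash recovered:", len(dictionary_attack(weak, ATTACKER_WORDLIST, weak_pseudonym)), "of", len(weak))

    safe = [r["subject"] for r in pseudonymize(RECORDS, DEMO_KEY)]
    wrong_key = secrets.token_bytes(32)
    print("keyed, attacker without key:",
          len(dictionary_attack(safe, ATTACKER_WORDLIST, lambda e: keyed_pseudonym(e, wrong_key))))
    print("keyed, controller with key:",
          len(dictionary_attack(safe, ATTACKER_WORDLIST, lambda e: keyed_pseudonym(e, DEMO_KEY))))
```

Two caveats worth noting. Pseudonymized data is still personal data under GDPR as long as the key exists, so the key is itself in scope for access control and key management; and per-record random salts would defeat the dictionary attack too, but they also destroy the cross-record linkage that makes pseudonymized data useful, which is why a keyed MAC is the usual choice.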
Less than a year is left until GDPR applies, on 25 May 2018. Analyst reports say that businesses are not prepared yet and that some organizations will not be able to implement all the required changes before that date. For instance, Symantec's State of European Data Privacy survey says, "91 percent of respondents have concerns about their organization's ability to comply with the GDPR, due to factors such as the complexity of processing data correctly, in time, and costs involved".
If you don't want to be among them, consider this: time is running out and the first steps have to be taken urgently.
What to Do and How to Start?
The basic activities for any company are to assign a competent person, learn the new regulation, and create or update the personal data inventory (what personal data is held, where, for what purpose, and who has access). Even these activities can take one or two months for medium-to-large companies, especially if they have never run a similar project before.
Things are much better for companies that are ISO/IEC 27001 certified. Such companies are much of the way there: personal data collections are identified, their handling is documented, security controls are in place, and the respective audits are well established. The significant step is to have a mature Information Security Management System (ISMS) that is well described, measured and continuously improved. Companies need to take a systematic approach and implement the above-mentioned or a similar ISMS. We at Infopulse recommend the ISF Standard of Good Practice (SoGP). ISF SoGP is broader in scope than ISO/IEC 27001 and maps to other common information security standards and best practices (e.g., the NIST Cybersecurity Framework, Cloud Security Alliance standards, and PCI DSS).
Best Practices for Compliance
Implementing a personal data protection system takes time and resources, but in the end you will be compliant with the latest regulations.
Here's a case from Infopulse's own practice. Protection of information and compliance have always been a high priority for the company's management. In 2010 we successfully refined our business processes for compliance with the local Personal Data Protection law. This law was first adopted in June 2010, came into force in January 2011 and has since been harmonized with the current version of the EU directives. Initially, we had only seven months to make the required changes. Because Infopulse already had a solid basis of the relevant processes and no resource constraints, we were able to launch an internal project immediately and reach the desired compliance status smoothly.
Infopulse consistently works on maintaining compliance with our customers' requirements. Our professional services meet the quality and security requirements of our customers, which in most cases include clauses on the protection of personal data. Together with EVRY, Infopulse participates in the internal GDPR Compliance Project. Our specialists attend webinars and onsite workshops and help our clients to master security practices. All of this is necessary to maintain adherence to regulations and to ensure efficient protection of our clients' confidential information.
About the Author
Oleg Diachuk is a Security Expert at Infopulse; a seasoned professional with 20 years of experience in Information Security; CISSP, CRISC, CISA, MBCI, CISM certified. Mr. Diachuk specializes in Risk Management, Business Continuity & Incident Management, Security Management System Architecture and contributes his talent to developing an efficient holistic Security Management System.