The Move Towards Board Involvement
Regulators are the catalyst for stronger measures in cyber security, and new regulation from the EU is going to have a serious impact on organizations that process EU citizen data. After four years of diligence and debate, The EU Parliament approved the Global Data Protection Regulation (GDPR) on April 14, 2016. It will enter into effect on May 25, 2018, at which time those organizations in non-compliance will face heavy fines.
“GDPR is a revolutionary regulation, brought in to replace the Data Protection Directive 95/46/EC, and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy, bringing cyber into the boardroom,” according to Ariel Evans, CEO of InnoSec and a GDPR expert.
The key articles of the GDPR, as well as information on its business impact, are of high interest to boards and senior executives. Under GDPR, organizations could suffer hefty fines of up to 4% of annual global turnover or €20 million, whichever is greater, in case of a breach.
Such a fine could be enforced for serious infringements such as not ensuring the security of the systems that process EU citizen data and lacking risk assessments. Member states can also add to these fines. The Netherlands, for instance, has more than doubled its own fining capacity to 10% of annual revenues.
The idea is to make organizations proactive about their security at a boardroom level and prevent data breaches of EU nationals from occurring.
“Alignment with these requirements can reduce the chances of triggering a Data Protection Authority (DPA) to investigate a company’s privacy practices,” notes Evans. European privacy advocates are pressuring DPAs to fully exercise these new powers after May 2018. To manage this risk, multinationals should have a means to demonstrate alignment with the GDPR requirements and communication of this program with DPAs that have jurisdiction over their major European operations.
“GDPR compliance also helps to mitigate their other business cybersecurity risks,” explains Evans. “There are many, many similarities between GDPR and other global regulations relating to data protection and privacy. The impact, however, is greater and its scope is extensive.”
The regulation applies if the organization or data processor is processing EU citizen data. This includes organizations based outside the European Union if they process personal data of EU residents, expanding the scope to all global organizations regardless of whether they’re based in Europe or abroad.
Says Evans, “GDPR consists of about 100 different articles, including the need to conduct a Privacy Impact Assessment (PIA), protect customer data (applications need to be secured by default and by design), and requires system risk assessments, as well as articles related to the rights of customers, for example, to ‘be forgotten,’ and 72-hour breach notification notice.
“Preparing for the GDPR and complying with its obligations once it enters into force will require significant resources and commitment from companies. Automating as much of the requirements as possible will reduce costs and resource requirements.”
On top of that, less than 20% of organizations are ready for GDPR: “Setting up an adequate structure and determining responsibilities will be an essential first step,” explains Evans.
She continues, “On the operational level, a PIA is needed to assess your current security controls to determine the effectiveness of the confidentiality and integrity of your systems. Based on these findings, a risk assessment will determine where to focus your cyber security control needs.”
GDPR will push organizations from check-box compliance to proactive security programs with board involvement. Since a regulator can request information at any time, not having it available is an immediate breach of the regulation. Additionally, GDPR impacts the supply chain, and compliance requests from other organizations will become a prerequisite to doing business with the EU.
After the GDPR is in full effect, only time will tell the effectiveness of this regulation and its impact on consumer security.