We may have voted to leave the EU, but that does not mean you can ignore the GDPR. It will affect all UK businesses whether we are in or out of the EU. So you need to understand what the GDPR is, how it will affect you and what you need to do to be compliant.
Although GDPR doesn’t come into force until May 2018, says Jamie Graves, implementation can easily take months – so it’s best to start thinking, and planning, as soon as possible. Graves advises the following:
The Commission defines personal data as "Any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address." The definition is deliberately broad, and it reaches organisations both inside and outside the EU.
The regulation applies to personal data about people in the EU regardless of where the organisation holding it is based, so it will apply to any UK business that processes or stores that data. In other words, you will still need to comply with the new rules after Brexit.
Two of the new obligations concern breaches. An organisation must notify its Data Protection Authority (DPA) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to put individuals at risk, and must also tell the affected individuals themselves where the breach is likely to put them at high risk. Failure to comply exposes the organisation to fines of up to €10 million or 2% of global annual turnover, whichever is higher.
In practice this means you must be able to detect a breach, work out what happened and report it within 72 hours of becoming aware of it. That is a big ask when published breach reports have put the average time to detect a breach at around 200 days. You can see this as a burden, or as the opportunity it is.
Continuous monitoring means having the capability to see what is happening in your organisation at any moment, not just at audit time. Four supporting factors make that approach work:
1. Responsibilities - Data protection doesn't just lie with the IT department. Our opinion, at ZoneFox, is that it's everyone's responsibility, with the board responsible for leading and implementing a security culture from the top.
2. Assets - You cannot monitor what you do not know you have. Network scanners such as nmap will discover the hosts on your network and the services they expose, which is the starting point. Working out which of those hosts hold personal data, and classifying it, is a separate exercise that needs data discovery tooling or a review of the systems the scan turned up. Once you know where the data is, you need to understand how it is accessed by both internal and external actors.
3. Risk Assessment - In order to monitor effectively you will need to perform a risk assessment. This tells you where to focus your limited resources: on mitigating the top risks to your organisation.
4. Education - Everyone needs to know their responsibilities and why particular policies and processes exist. Without everyone on watch, your task is going to be a lot harder.
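Point 2 above names nmap as a discovery tool. As an added example, not code from the article or from ZoneFox, the following Python script turns the XML that `nmap -oX` writes into an asset inventory and flags hosts that expose a database port, which is where data-classification work should start. The sample scan result is hand-constructed, and the port-to-data-store table (`DATA_STORE_PORTS`) is an assumption about where personal data commonly lives, not something nmap reports.

```python
"""Turn nmap XML output into an asset inventory and flag data-store hosts.

Added example, not code from the original article or from ZoneFox. It
parses the XML that `nmap -oX scan.xml` writes; SAMPLE_XML below is a
hand-constructed scan result, not real data. DATA_STORE_PORTS is an
assumption: an open port in that table marks a host as a candidate for
data-classification follow-up, which nmap itself cannot do.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Assumption: services that commonly hold personal data live on these ports.
DATA_STORE_PORTS = {
    1433: "mssql",
    3306: "mysql",
    5432: "postgresql",
    6379: "redis",
    9200: "elasticsearch",
    27017: "mongodb",
}


@dataclass
class Asset:
    address: str
    hostname: str
    open_services: dict = field(default_factory=dict)  # port -> service name

    def data_store_ports(self):
        """Open ports on this host that match the data-store table."""
        return sorted(p for p in self.open_services if p in DATA_STORE_PORTS)


def parse_nmap_xml(xml_text):
    """Return an Asset for every host nmap reports as up, with its open ports."""
    root = ET.fromstring(xml_text)
    assets = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # unreachable hosts carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        hn = host.find("hostnames/hostname")
        asset = Asset(
            address=addr.get("addr") if addr is not None else "?",
            hostname=hn.get("name") if hn is not None else "",
        )
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not exposed services
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            asset.open_services[int(port.get("portid"))] = name
        assets.append(asset)
    return assets


def classification_candidates(assets):
    """Hosts exposing a data-store port: where data discovery should start."""
    return [a for a in assets if a.data_store_ports()]


# Constructed sample in nmap's XML schema: a database host, a web host and
# a host that did not respond.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/24">
<host><status state="up" reason="syn-ack"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="db01.corp.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/><service name="mysql"/></port>
<port protocol="tcp" portid="5432"><state state="open" reason="syn-ack"/><service name="postgresql" product="PostgreSQL DB"/></port>
</ports></host>
<host><status state="up" reason="syn-ack"/>
<address addr="10.0.0.9" addrtype="ipv4"/>
<hostnames><hostname name="web01.corp.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="10.0.0.20" addrtype="ipv4"/></host>
</nmaprun>"""


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    for a in inventory:
        print(a.address, a.hostname or "-", a.open_services)
    for a in classification_candidates(inventory):
        print("classify data on", a.address, "ports", a.data_store_ports())
```

Against a real network, run `nmap -sV -oX scan.xml <range>` and pass the contents of `scan.xml` to `parse_nmap_xml`. The output tells you which hosts exist and what they expose; whether a flagged database actually contains personal data still has to be established by looking inside it, which is the classification step the scanner cannot perform.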
UK companies have less than two years to implement GDPR processes and systems. Take a look at the handy downloadable timeline which will give you insights into what needs to happen, when you should start doing it, and how long it should take you.
The main takeaway? Don’t panic! There’s still time - if you start preparing now.
Jamie Graves is CEO of ZoneFox, an insider-threat detection platform.