By now we all know GDPR is coming soon. Still, I think some businesses have a lot to do and, I’m sorry to say, these will include those believing they’ve bought a solution that makes their organisation ‘GDPR-proof’ (see point 3 below). So, here’s my 6-step plan to make sure you’re really ready.
Understand what GDPR really is
Know what you’re dealing with. Any business processing or storing the personal data of people in the EU (the test is where the data subject is, not their nationality) has to comply with GDPR from 25 May 2018, Brexit or no Brexit. At its heart, this legislation is about giving data subjects control over the information held on them, including the right to access it.
There are 99 GDPR articles, but it’s no IT checklist. The language of the legislation is not only non-prescriptive but deliberately open-ended. The only specific technical measures that get a mention are pseudonymisation and encryption (Article 32). Otherwise, it’s about ‘appropriate’ controls and ‘state of the art’ technology. Why? Because technology is moving so fast that tying the rules to specific IT would mean redrafting the legislation almost immediately.
One of the most high-profile elements of the legislation is the 72-hour limit for notifying the Information Commissioner’s Office (ICO) of a personal data breach. The clock starts when you become aware of the breach, not when the attacker got in. And this isn’t just about telling the ICO something’s happened: you’ll need to describe what data was affected, roughly how many records and data subjects are involved, and which parts of your environment the attacker reached.
So, if you were breached last thing on a Friday, you need to be in a position by close of play Monday to give the ICO the details laid out in its breach notification form. The regulation does allow you to provide information in phases where you genuinely can’t have it all at once, but the initial notification still has to go in within the 72 hours, so the question stands: do you have the people and processes in place to report what data was accessed and extracted?
Recognise the true impact if you get this wrong
You probably already know the fines for breaching GDPR go up to €20 million or 4% of global annual turnover, whichever is higher. That is enough to hit businesses of all sizes hard.
But beyond the fines, breaches cost reputations and revenue too. It should go without saying how much media attention data breaches receive these days. These stories run for days and weeks, and they erode your customers’ trust and the likelihood that they’ll use you again.
However, the biggest impact may not even be the hit to your reputation. If you fall foul of GDPR, the ICO has the power to order you to restrict or stop processing personal data altogether, which for many businesses means stopping the business.
This could be the scariest and longest-felt consequence of all.
Beware of GDPR snake oil
I mentioned before that GDPR comprises 99 articles. Some of them will be answered with IT, and the technical measures will include encrypting personal data. But adhering to the regulation will also demand organisational change: changes to your processes and possibly your people. So, if you see any product advertised with ‘built-in GDPR protection’, proceed with extreme caution.
And if you’re asking, ‘Where is the silver bullet?’, you’re asking the wrong question. No quick-fix, off-the-shelf solution is going to ensure your compliance.
Time for a gap check
Getting the right solutions for your business will start by understanding what you already have, what needs tweaking and where you might need a partner to step in. The good news is, for many businesses it will be a case of evolution, not revolution. Check out how we worked with HR software company People, carrying out a gap analysis before developing a GDPR and data security solution tailored to their requirements.
Jump the skills gap
Ok, this is the part where the managed security guy says you might need managed security, but at Cloud Expo the talent gap was one of the hottest topics of conversation.
Managed service providers are being called on not only for skills and training, but also for the experience that comes from deploying cyber-security capability inside many businesses, many times over.
Human enrichment of technology counts. Your tech won’t always spot when you’re vulnerable; you need people proactively scanning your environment too.
Under Rackspace Managed Security, every 24 hours our experts go into your environment and look not just for anomalous activity but for anything suspicious that speaks of reconnaissance or privilege escalation. This could be, for example, data being gathered and archived ready for exfiltration, a sign that a breach is about to happen. We’d be able to shut that threat down before the damage is done. Technology alone can’t do this.
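The ‘data being staged for exfiltration’ signal mentioned above can be written down as a simple correlation rule: an archiver run on a host, followed within a short window by a large transfer from that host to a non-private address. The following is an added example written for this page, not Rackspace’s tooling or any product’s detection logic. The tab-separated telemetry format, the sample log lines, the host and user names, and the thresholds (100 MB outbound within an hour of the archive being created) are all constructed assumptions; it also generalises beyond the Windows case in the text to tar/zip/rar on Unix hosts and their usual staging paths.

```python
"""Correlation rule: archive creation followed by a large outbound transfer.

The telemetry format, the sample log lines and the thresholds below are
constructed for this example; they are not Rackspace's tooling or any
product's detection logic.  One event per line, tab separated:

    ts (UTC, ISO 8601)  host  user  kind  detail
    kind = proc -> detail is the command line that was executed
    kind = net  -> detail is "dst=<ip>:<port> bytes_out=<n>"
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample telemetry (13 April 2018 was a Friday).  fs01 shows a
# password-protected archive of the HR share written to a public temp folder
# and then ~700 MB leaving for a non-private address; ws22 is a user zipping
# photos and copying them to an internal file server (benign).
SAMPLE_LOG = """\
2018-04-13T17:02:11Z\tfs01\tsvc_backup\tproc\tC:\\Windows\\System32\\robocopy.exe D:\\HR\\payroll E:\\Backup\\payroll /MIR
2018-04-13T17:55:40Z\tfs01\tjsmith\tproc\tC:\\Program Files\\7-Zip\\7z.exe a -p -mhe=on C:\\Users\\Public\\tmp\\q1.7z D:\\HR\\payroll
2018-04-13T18:20:05Z\tfs01\tjsmith\tnet\tdst=185.199.108.10:443 bytes_out=734003200
2018-04-13T18:21:33Z\tws22\tmlee\tproc\tC:\\Program Files\\7-Zip\\7z.exe a C:\\Users\\mlee\\Documents\\photos.7z C:\\Users\\mlee\\Pictures
2018-04-13T18:40:00Z\tws22\tmlee\tnet\tdst=10.0.4.25:445 bytes_out=52428800
2018-04-13T19:05:12Z\tdb03\tpostgres\tnet\tdst=10.0.9.1:5432 bytes_out=120000000
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the tab-separated telemetry into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, detail = line.split("\t", 4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, kind, detail))
    return sorted(events, key=lambda e: e.ts)


# Archiver binaries as the executed program (Windows or Unix path separators).
ARCHIVER = re.compile(r"(?:^|[\\/])(7z|7za|rar|winrar|zip|tar)(?:\.exe)?(?=\s|$)", re.I)
# Locations attackers commonly use to stage data before moving it out.
STAGING_PATH = re.compile(r"\\Users\\Public\\|\\Temp\\|\\ProgramData\\|/tmp/|/dev/shm/", re.I)
# 7-Zip/RAR style password switch (-p or -pSecret); tar uses -p differently,
# so this is a heuristic, not proof.
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-p\S*")
NET_DETAIL = re.compile(r"dst=([\d.]+):(\d+)\s+bytes_out=(\d+)")


def staging_reasons(cmdline: str) -> list[str]:
    """Return why a command line looks like data staging, or [] if it doesn't."""
    m = ARCHIVER.search(cmdline)
    if not m:
        return []
    reasons = [f"archiver {m.group(1).lower()} executed"]
    if STAGING_PATH.search(cmdline):
        reasons.append("writes to a temp/public path")
    if PASSWORD_SWITCH.search(cmdline):
        reasons.append("password-protected archive")
    return reasons


def detect_staging_exfil(log_text: str, window: timedelta = timedelta(hours=1),
                         min_bytes: int = 100 * 1024 * 1024) -> list[dict]:
    """Flag hosts where an archiver run is followed, within `window`, by at
    least `min_bytes` sent to a non-private address."""
    findings = []
    staged: list[tuple[Event, list[str]]] = []  # archiver runs seen so far
    for ev in parse_log(log_text):
        if ev.kind == "proc":
            reasons = staging_reasons(ev.detail)
            if reasons:
                staged.append((ev, reasons))
        elif ev.kind == "net":
            m = NET_DETAIL.search(ev.detail)
            if not m:
                continue
            dst, sent = m.group(1), int(m.group(3))
            # Internal copies (SMB to a file server, DB replication) are ignored.
            if ip_address(dst).is_private or sent < min_bytes:
                continue
            for arc, reasons in staged:
                if arc.host == ev.host and timedelta(0) <= ev.ts - arc.ts <= window:
                    findings.append({
                        "host": ev.host, "user": arc.user,
                        "archived_at": arc.ts.isoformat(), "sent_at": ev.ts.isoformat(),
                        "dst": dst, "bytes_out": sent, "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for f in detect_staging_exfil(SAMPLE_LOG):
        print(f"{f['host']}: {f['user']} archived at {f['archived_at']}, "
              f"{f['bytes_out'] // 2**20} MB to {f['dst']} at {f['sent_at']} "
              f"({'; '.join(f['reasons'])})")
```

Run on the constructed sample it flags only fs01: the backup job on the same host is not an archiver, and ws22’s photo archive goes to an internal address, so neither is reported. In a real estate the thresholds need tuning against your own baseline (a legitimate off-site backup to a cloud provider will look exactly like this), which is one reason the paragraph above argues for people, not just tooling, reviewing what the rules surface.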
Check your timings
An attacker’s greatest asset is time, so much of ours is spent shutting down that window of time in your environment.
In terms of remediation, when we onboard clients we agree a catalogue of pre-approved actions; this plan kicks in automatically should a breach occur. And if a threat is detected, our SLA requires us to inform you within 30 minutes, followed by a flash report on the incident within 90 minutes. That gives you a documented, timestamped start to your response and the evidence you need to meet the ICO’s 72-hour notification deadline.
So, if you think your timing is going to be off here, be pragmatic: get the right support and meet your GDPR obligations. Click here to find out how Rackspace can make your data protection journey a seamless one. Alternatively, you can watch this video to understand how other organisations are tackling and adhering to the new regulation.