GDPR, the European Union’s General Data Protection Regulation, becomes enforceable on 25 May 2018. Yet many organizations aren’t ready to comply, or don’t yet believe the regulation applies to them.
We gathered the common myths and misperceptions about this data protection law and compiled the answers you need to understand its requirements and support your compliance efforts.
This is the biggest misconception out there. GDPR’s reach is not limited to organizations established in the EU. Under Article 3, it also applies to organizations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour. So if you have site visitors, customers or users located in the EU, or you exchange email with them and hold their personal data, you must comply. Read the full text of the GDPR regulation. And if you don’t take adequate measures and something goes wrong, you may face fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person...who can be identified, directly or indirectly... by reference to an identifier.” This includes personally identifiable information, personally identifiable financial information and personal health information, plus:
Previously collected personal data that has been fully anonymized, so that it can no longer be linked back to an individual, is excluded. Pseudonymized data, which can still be re-identified with additional information, is not.
“Children merit specific protection,” the regulation’s authors wrote, “as they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data.” Specific protections apply to organizations using minors’ personal information for marketing, creating personality or user profiles, or offering services/products directly to young people.
GDPR also tightens the rules for obtaining permission to gather, access and use all this personal data. You need to publish your data collection policy in plain language and obtain affirmative, express consent. Article 4(11) defines consent as a “freely given, specific, informed and unambiguous” indication of the data subject’s wishes given “by a statement or by a clear affirmative action”, and Article 7(4) treats consent that is made a condition of receiving a service as a strong signal that it was not freely given. Pre-ticked boxes, silence and inactivity no longer count: the days of auto opt-out are over.
“You mean, ‘I haven’t had a data breach yet’,” says Mimecast expert Dan Sloshberg. “All businesses are being targeted by cybercriminals. If you hold valuable data – personal data, IP, customer data and others – you are a target. Small businesses with 250 or fewer employees are being targeted too. In fact, 43% of cyber attacks target smaller organizations, up from 18% in 2011.”
Email remains the number-one attack vector, with over 90% of attacks starting in the inbox, and mailboxes and archives frequently hold a massive amount of personal data.
“Email was never built to be inherently secure, therefore, it’s a weak link and open to exploit,” Sloshberg cautions. “Email security is key, but this protection must go beyond spam and virus controls.”
Ultimately, whether or not you invest in GDPR compliance comes down to risk. “Some organizations may be willing to take on greater risk than others,” Sloshberg says. “The key criterion is to determine what the potential fallout would be if the worst does happen – you suffer a breach and personal data is stolen. What would it cost to clean up versus protect against in the first place? Can you put a price on the reputational damage that will occur? What impact will that have on business operations and finances?” Understanding your cyber resilience capability is critical.
Because GDPR requires you to actively protect personal data, not merely to keep it private, compliance demands a more concerted effort.
You must be able to:
The challenge is putting in the right processes and technology to protect and manage personal data when budget and IT skills and resources are generally tighter than ever before. Learn more about creating an action plan by downloading the GDPR Readiness Kit.
Because email is an easy target, email security is a good starting point. Your plan must include advanced protection against email-borne threats such as ransomware and impersonation attacks: malicious links designed to steal credentials, weaponized attachments that drop malware behind the firewall, and social engineering that tricks targets into divulging sensitive data. Sloshberg recommends a cloud email security service, which is updated automatically as new threats emerge.
You also need to look at your email archives, since GDPR gives individuals the right to access their personal data (Article 15), have it erased (Article 17) and receive a portable copy (Article 20), and in general you must respond within one month of the request (Article 12). That means being able to locate personal information quickly. “Once found, data must be easy to export and even delete if requested,” he explains. “Cloud archiving provides the scale and speed needed to deliver on these requirements. A native cloud solution designed for speed, accuracy, and ease of access is key.”