Seems that all anyone in the cybersecurity business can talk about these days is the General Data Protection Regulation (GDPR).
And with very good reason! As our CISO Paresh already so articulately explained – the GDPR is a far-reaching set of new regulations, with some pretty dire consequences for those who are found non-compliant.
So make sure you’re going to be compliant.
Make sure of it now, before the regulation officially becomes enforceable on May 25, 2018. That may seem like plenty of time for businesses to get their cyberducks in a row, so to speak, but it’s not really. There’s a lot to be done. Here’s a quick rundown of the five major changes that enterprises need to be aware of and adapt to. Before it’s too late.
GDPR will require enterprises to start thinking of privacy concerns at the beginning of any new project – not at the tail end. Tacked-on privacy protections historically aren’t nearly as effective as those that are built right into the DNA of a project, from the outset. Prep Tip: Alert all employees that they now have to invite a new person to kickoff meetings. Company security pros must have a seat at the table when all kinds of new projects are beginning – from sales projects, to marketing endeavors and any other kind of non-technical projects.
A New Role
Time to bump out that org chart. If you don’t yet have a Data Protection Officer (DPO) – you will soon. Even if that person is one and the same as your current CISO or other security professional, their new duties are viewed as crucial to the operations of the business and extremely important. How important? This role must report directly to the highest level of management and must not carry out any other tasks that could result in a conflict of interest. Prep Tip: Start thinking of who the right candidate for this role, new or existing, might be.
You have 72 hours. That’s it. That’s the maximum amount of time that is allowed to elapse between the moment an enterprise becomes aware of a data breach and the time it alerts authorities and any affected customers. This is more daunting than it sounds. Many companies might overconfidently overlook the need to prepare a clean, clear way to communicate about breaches to their customer base. Because many companies are accustomed to running all communications through legal, marketing and PR teams, they’re used to taking their time crafting customer-facing messages, especially bad news. With the dawn of the GDPR, that timeline shrinks dramatically. Prep Tip: Pen that language now. Imagine a breach happening and start writing out a template you can use later – should the worst-case scenario come to pass.
First Time for Everything
The GDPR throws its arms wide. Global-wide. Many US-based firms have never had to deal with European regulations before. But with the ‘extra-territorial’ reach of GDPR, many US companies will have to comply. These categories include any company that offers products or services to any European residents PLUS any US-based data aggregator that collects and resells EU customer data. If you even employ one European person, you must comply. Prep Tip: Start your in-depth, intensive auditing of all of your business touchpoints now. Assume you must comply until your IT, HR or finance department can 100% confirm that you do not need to.
Breach Not Required
Speaking of assumptions, many enterprises assume that their GDPR-related ‘activities’ are only triggered if they experience a security breach, or if a customer lodges a security complaint. Not so. Think of GDPR as IRS auditors. You need to have your paperwork ready regarding your processes and security measures, even if you aren’t ever breached. You still must be ready to demonstrate that you are adhering to the new security and privacy regulations. Prep Tip: Get your arms around what you already have done, even before the GDPR goes into effect. Document it all. As you build upon your efforts, build upon this documentation as well.
Worried you might not be ready?
Talk to us and we’ll help you think through the GDPR implications for your enterprise. Fill out this short form and someone will contact you asap!
Shawn Keve is responsible for sales, business development, channel partners and marketing at Simeio. He played a key role in growing the business 20 times, making Simeio one of the fastest growing companies in North America.
Previously, Shawn was Consulting Director at Oracle and Director of Professional and Managed Services for Sun Microsystems (prior to Oracle’s acquisition of Sun), where he was responsible for the sales and delivery of a $100M portfolio of IT services. Before joining Sun, he held leadership roles at Netscape (acquired by AOL), KPMG Consulting, and MIT Lincoln Laboratory.
Shawn has over 22 years of experience servicing clients in the strategy, architecture, design and implementation of enterprise solutions across several industries, including financial services, healthcare, life sciences, manufacturing, media & entertainment, telecommunications and retail. He holds a Bachelor of Science degree in Business Administration (Management Information Systems) from Northeastern University.