Now Hiring – Data Protection Officer Experience Not Necessary
There is a growing ballyhoo about the General Data Protection Regulation (GDPR) and its potential impact when it becomes mandatory on May 25th, 2018.
How, I am beginning to wonder, are organizations protecting personally identifiable information (PII) right now? Hello, welcome to the world of data breaches.
Vendors with a vested interest would like to see a groundswell of panic about the GDPR ramifications of noncompliance. Yes, we vendors are a sorry lot sometimes.
Back to the question. How are organizations handling this now? I would hope that formalized approaches are in place, suggesting that organizations are in fact good data stewards. Guess not.
So what does the GDPR expect of organizations? A data protection officer, for one thing. Who needs one? According to Gartner, any organization that is a public body, is processing operations requiring regular and systematic monitoring, or has large scale processing activities.
In addition, organizations must demonstrate an accountable posture and transparency in all decisions regarding personal data processing activities. Data transfer to any of the 28 EU member states is still allowed, as well as to Norway, Liechtenstein, and Iceland. Transfers to any of the other 11 countries in the EU deemed to have “adequate” levels of protection are still possible. Outside these areas, safeguards should be taken.
Hey, we have rights too. From an individual’s point of view, we have the right to be forgotten, to have data portability, and to be informed of data breaches.
In order to be compliant with GDPR, an organization must meet several criteria. Failure to comply can result in significant fines. The top criteria are:
- Use or maintain policies and procedures for the anonymization and deidentification of personal data
- Conduct a full audit of where EU personal data appears across the organization
- Use US cloud repositories implemented with EU encryption
- Evaluate all third-party operational partners that access personal data transfers
“With nearly five billion data records exposed in the past four years alone, there is a clear trend toward stronger protection of consumer data, and GDPR is a major first step in that direction,” noted Anthony Di Bello, a senior director at Guidance Software. “This data suggests that many organizations are, on the whole, behind schedule for compliance. Security leaders must make GDPR a priority over the next year in order to avoid major financial penalties.”
Meanwhile, a survey from WinMagic, which attempted to establish how current data policies at global organizations align with GDPR, finds that there is still a great deal of preparatory work to do by many firms in order to avoid substantial noncompliance fines.
Fifty-four percent could not say all personally identifiable information was protected through anonymization and encryption in all digital locations. Fifty-two percent could report a data breach within 72 hours of discovery to authorities. Forty-six percent said they could precisely identify the data that had been exposed in the event of a data breach.
What if you could find out immediately and prevent damage? Our solutions can do that.