With less than a year until the General Data Protection Regulation starts being enforced, every organisation needs to sit up and take compliance seriously.
Etienne Greeff, CTO & Founder of SecureData
Even though the clock is ticking, 50% of companies still haven’t made any preparations for the GDPR. Meanwhile, many other organisations are still struggling to map out the EU’s new requirements and bring their existing systems into line.
With the GDPR ushering in record fines and the public disclosure of breaches, it’s essential to know whether your business really is ready. Here are the top five warning signs we’ve seen from companies that still have work to do.
1) You don’t understand your security
No organisation can know how near or far it is from GDPR compliance without a clear understanding of where it is today. Only with a complete assessment of their existing security posture will organisations have the visibility to see vulnerabilities, close crucial gaps and drive cost-effective compliance.
2) You have no visibility into your data
Before the emergence of the GDPR, there was a strong temptation to store away as much information as possible about customers, partners and employees for later use. However, all those dusty data silos are now a real hazard. Businesses with poorly organised data stores have their work cut out for them.
To ensure compliance, organisations must understand what data they hold, where it is and whether it’s effectively protected. With the new regulation giving individuals more control over their data than ever before, businesses must also be able to locate, access and remove information on request.
Data controllers will also have to carefully vet third-party data processors to ensure they can provide adequate security, sharing equal liability for any breaches that take place under their watch.
3) You’ve never detected a data breach
According to PwC, 90% of large organisations and 74% of SMEs have been breached in recent years, but 83% of businesses take weeks or more to discover what’s happened.
Firms that struggle to detect compromises – or worse, believe they’ve never been breached – will be unable to meet the GDPR’s security monitoring requirements. Soon firms will need to identify and report breaches within 72 hours, or at least ‘without undue delay’.
To protect sensitive data in real time, organisations need the ability to detect anomalous behaviour, zero-day threats and other risks missed by traditional security solutions.
4) You have no access to security expertise
With 40% of organisations openly admitting their employees haven’t received any privacy training, access to scarce security expertise will form a crucial part of GDPR compliance. Almost half of security professionals now cite the global talent shortage as a major cause of data breaches.
Any organisation lacking security and compliance skills either needs to start hiring, or turn to dedicated managed security service providers for help. Expert people overseeing GDPR compliance won’t just ensure ‘privacy by design’ and maximum protection for the data being held; they can also make security a competitive differentiator.
In a world where data breaches are always in the headlines, customers and partners will be more willing to do business with those that have effective, expert security in place.
5) You have no incident response strategy
When the worst happens, organisations must be able to demonstrate they’re responding quickly and effectively. Data breach investigations must be rigorously recorded so the authorities can see how firms are remedying the problem.
Organisations need to ensure they have the people, procedures and systems in place to react swiftly to a security breach as it happens, while also building in contingency plans for critical systems, data and applications. Having the capabilities in place to understand and minimise the fallout from a breach immediately, as well as to prevent the same issue from recurring, will stand companies in good stead when reporting any issues.