Soon the talking will stop. On 25 May 2018, the EU General Data Protection Regulation (GDPR) will become law across 28 European member nations with an impact on every organisation looking to do business in or with the continent. For those owning or processing personally identifiable information (PII), this is the biggest change to data laws since the 1995 Data Protection Directives.
Colin Truran, Principal Technology Strategist at Quest, is aware of the potential impact and the ticking stopwatch. With just months to go before implementation, Truran says organisations concerned that they are running out of time should start by recruiting a Data Protection Officer (DPO). “They can either appoint one or they can hire one via an agency if they are a small organisation,” Truran says. The DPO’s role is to co-ordinate and delegate efforts to put a company’s data collection and reporting house in order. A good DPO, Truran says, will “go through an assessment to understand where an organisation is and where they need to get to, effectively carrying out a gap analysis.” In short, the DPO will ensure the business understands the risks and then co-ordinate responsibilities.
It’s worth noting, however, that the DPO’s primary duty of care is to “data subjects rather than their business”. It is the DPO’s job, says Truran, “to report to the data commissioner. In the case of the UK, that means the ICO [Information Commissioner’s Office].”
Near the top of the DPO’s in-tray will be a need to understand the scope of the PII an organisation holds and processes. This is not the first piece of legislation or standard to deal directly with PII – the Payment Card Industry (PCI) Data Security Standard, for example, obliges businesses to better control access. Nevertheless, the definition of what is considered PII is more “wide-ranging” under GDPR, says Truran. It includes, for example, any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their unique identification.
“Organisations are faced with the challenge of identifying where that information is and then how to control it,” he explains. “They’re also going to have to understand who has access to it. They have a duty of care with that information and they need to respect the lifecycle of that information and how it was given to them.”
Only those who actually need access should have it. Removing access from those who hold it but do not use it reduces the potential risk. “It’s too easy for organisations to drift when it comes to security,” Truran says. “It’s almost as if you are dealing with a patient. You need to be able to have a finger on a pulse, understand what is happening in your organisation. You may not have a breach but you may have internal bleeding.”
When a breach does happen, it’s important to understand how it happened – breaches can unfold very quickly but are likely to be rooted in a weakness an attacker identified long ago – and to react with speed. Under GDPR, a breach must be reported within 72 hours. This, says Truran, is an enormous undertaking, especially given that responsibility for data is now jointly held by the owner and the processor. “Seventy-two hours is not a lot of time,” says Truran. “So what you need to do is delegate out, alert quickly and have complete visibility so you can understand the scope of the attack.”
Watch the CBR/Quest video interview here.