If Most IT Security Professionals are Aware of GDPR, Why Are Less than Half of US Businesses Preparing?

Featured article by Terry Ray, Chief Product Strategist for Imperva, Inc.

Well-talked about in international circles, the European General Data Protection Regulation (GDPR) is a new regulation to protect the privacy of European citizens – however, many people may not realize that it applies to all businesses that hold and process personal data collected in the European Union, regardless of their industry or location. It becomes effective on May 25, 2018, so there is just over a year to prepare. It sounds like a long way off, but will there be enough time for your company to comply?

Why should you care? Because fines for certain violations may be up to the greater of €20 million or four percent of total worldwide annual turnover. Companies with significant revenue could face billions of dollars in fines.

A survey on the current state of company preparedness for GDPR was recently conducted by Imperva among 170 security professionals was taken at RSA 2017, the world’s largest security conference.*

According to the survey, we might not be as familiar with GDPR as we should be. While 51 percent of respondents said GDPR would impact their companies, nearly a third of the respondents didn’t see the GDPR regulations impacting them, 11 percent were unsure if GDPR would impact their companies and 5 percent were not familiar with GDPR at all.

The survey also showed an overall lack of urgency among the IT professionals surveyed with 43 percent of respondents indicating that they are evaluating or implementing change in preparation for GDPR, 29 percent indicating that they were not preparing, and another 28 percent signifying that they were unaware of specific preparations.

In asking survey respondents about who is driving GDPR compliance in their organization, 49 percent of survey respondents cited their organization’s legal department, while 8 percent said the IT department is managing the process.

U.S. companies should be evaluating the impact GDPR will have on their data practices, given these major fines for non-compliance. It’s imperative to begin the GDPR legwork now by documenting how personal data is collected and processed in the organization. From what we’ve seen in working with our clients on GDPR readiness, the projects are complex and involve multiple teams, technologies and systems.

One of the first things IT teams need to do is a Data Assessment Report, which requires organizations to locate any personal data they are holding and document how the data is collected and processed. This detailed assessment must be kept current and ready for regulatory inspection or compliance audits.

However, one of the key challenges is finding that data. When you are a large enterprise, this will take more than just a call to your IT department. This is one of the first challenges of GDPR and an issue which all businesses must address.

Perhaps most significantly, the new regs require any company that experiences a data breach to publicly acknowledge the breach and notify the local Data Protection Authorities (DPA) in the member states where the people affected by that breach reside. Businesses must notify the DPA/s within 72 hours of identification or confirmation of the breach. They must be able to tell them what data was breached, how many records were taken and provide a member state specific report around the infringement. This requirement essentially means all businesses need to be able to understand who accessed the data, what activity they performed and when they performed it. This is an area where it is important to have strong technology solutions in place, so your organization can easily provide the requested information within the 72-hour window.

Another requirement of GDPR is being able to limit who has access to certain information and making sure that access is authorized and reflects any changes within the business. It’s important to analyze policies on data collection, handling, test data usage, data retention, and data destruction. At each point, access must be on a need-to-know basis. Users should not be allowed to accumulate access rights as they are promoted or move laterally within an organization. Privileged accounts, including DBAs, Admins and Service accounts should be carefully monitored to ensure they are not used to bypass policies.

There are many more important standards to meet, which can be found at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Preparing for and adhering to GDPR may seem overwhelming, but the outcome will ensure a much more secure environment for personal data, which can only be seen as a positive step.

*Survey Methodology
Conducted Feb. 13-17, at RSA Conference 2017, the trade show with the largest concentration of security professionals, the in-person survey is based on responses from 170 attendees including IT professionals, managers and executives from the U.S. (77 percent), EMEA (13 percent) and other regions (11 percent). To view the full survey results, visit bit.ly/2p5kYkS.

About the Author

Terry Ray is the Chief Product Strategist for Imperva, Inc., the leading provider of data security solutions. Terry consults directly with Imperva’s strategic global customers on industry best practices, threat landscape, data security implementation and industry regulations. He also, operates as an executive sponsor to strategic customers who benefit from having a bridge between both company’s executive teams. During his 14 years at Imperva, he has worked hundreds of data security projects to meet the security requirements of customers and regulators from every industry. Terry is a frequent speaker for RSA, Gartner, ISSA, OWASP, ISACA, IANS, CDM, NLIT, The American Petroleum Institute and other professional security and audit organizations in the Americas and abroad. Since 2003, Terry has specifically focused his efforts on data security and risk, working with companies to help them discover and protect sensitive data, and create controls to minimize risk for regulatory governance, data security strategy and best practices.