The European Union's (EU) General Data Protection Regulation (GDPR) is the most significant change to data privacy regulation in the past 20 years. While it gives individuals stronger guarantees over their personal data, it also creates new pressures for companies that operate in Europe: GDPR mandates strict parameters and complex reporting procedures, and organizations that hope to meet them should begin preparing now.
GDPR's reach is global. Any organization, whether based in the EU or not, is subject to GDPR when it offers goods or services to data subjects in the EU or monitors their behaviour; it is the location of the data subject that matters, not citizenship. The penalties are large. GDPR requires a personal data breach to be reported to the supervisory authority within 72 hours of the organization becoming aware of it, and to the affected data subjects without undue delay where the breach poses a high risk to them. Failing to notify falls under the lower tier of administrative fines (up to €10 million or 2% of global annual turnover, whichever is higher), while the most serious infringements, such as processing without a lawful basis or ignoring data subjects' rights, carry fines of up to €20 million or 4% of global annual turnover. This is not the kind of spend that a CIO or CEO wants to defend to their board of directors.
If you think 72 hours seems short, you're right. Response times remain a challenge: 41 percent of respondents to a Ponemon Institute study said the time to resolve a cyber incident increased, or increased significantly, from 2015 to 2016. Now imagine the pressure not only to assess a breach within three days of learning of it, but to notify all of the right authorities in that window.
Most organizations have room for improvement when it comes to cyber response. Another Ponemon study found that as many as three in four organizations admit they lack a formal cyber security incident response plan applied consistently across the organization. That study further explains that data breaches have become a routine "cost of doing business" for companies, which might explain the lack of enthusiasm for investing in a formal plan.
The preparation process should start now. Given the short time frames and hefty fines, starting early will pay off when GDPR begins to apply next year, on 25 May 2018. The scope of GDPR will require complex reasoning and decision-making, and a comprehensive notification process that may span continents and multiple authorities. An example of how confusing this can be: if your company is not headquartered in the EU but has two different offices in the EU making decisions about processing data, it can be unclear which of those establishments is your "main establishment" and therefore which supervisory authority is your lead authority for reporting breaches.
GDPR response, therefore, will need to orchestrate not only technology, but also people and processes.
- Have a plan. When preparing for GDPR, having a robust response plan in place is an important first step. Security teams should also map out how response will proceed when a breach falls under GDPR, and then create or adapt processes so that the appropriate measures are taken when an incident occurs. Keep people aligned by outlining key tasks and assigning owners across the company to ensure accountability.
- Practice your plan. Under GDPR's short notification period there is no room for error. A good practice is to run a simulation every quarter to exercise steps the company does not perform regularly. For example, analysts can rehearse assessing the risk a breach poses to data subjects, running through the steps involved in engaging with a supervisory authority, and notifying the people whose data has been compromised. This frequent practice helps identify gaps and areas for improvement.
GDPR adds a new set of challenges for any company doing business in Europe, and the next 12 months will go by faster than we think. Its far-reaching provisions and stiff penalties put a company's bottom line at stake and put the most complex part of managing cyber incidents, response, under the microscope. However, companies that begin properly preparing and practicing now to make their data breach response GDPR-compliant will be ready for the GDPR challenge next spring.
Ted Julian is vice president of product management and co-founder of IBM Resilient.