Best practices for GDPR compliance

27 October 2016

Dell's latest global survey on the European Union’s new General Data Protection Regulation (GDPR) has revealed that organisations, both SMBs and large enterprises, lack general awareness of the requirements of the new regulation, how to prepare for it, and the impact of non-compliance on data security and business outcomes.

Adopted in 2016 and applying from 25 May 2018, the regulation replaces the patchwork of national rules with a single set of data protection requirements across the EU, and it also binds organisations outside the EU that process the personal data of people in the EU.

"This survey reinforces the global lack of general understanding of GDPR, the scope of the regulation, and what organisations need to do to avoid stringent penalties," said Lennie Tan, Sales Director, Identity and Access Management, Dell APJ.

"Results also show that while some organisations ‘think’ they are prepared, they will be in for a rude awakening if they experience a breach or must face an audit and are subject to the consequences of non-compliance with GDPR".

Following established best practices will help organisations meet GDPR requirements and avoid the consequences of non-compliance, Dell said.

The Dell survey highlights the need for organisations to start addressing all GDPR requirements now by beefing up solutions for access governance and management, secure mobile access, email security, and protecting the perimeter of their networks.

According to the report, although the majority of APAC (Australia, New Zealand, Singapore, Hong Kong and India) IT and business professionals express concern about compliance, respondents lack general awareness of GDPR, and they are neither prepared for it now nor expect to be when it takes effect.

The research findings reveal that over 70 per cent of enterprise respondents in APAC either are not prepared for GDPR or don't know whether they are. Similarly, nearly 70 per cent of SMB respondents in the region said they are not prepared or don't know whether they are.

Additionally, 95 per cent of APAC respondents say their existing practices will not satisfy the new GDPR requirements. The survey data also indicates that 85 per cent either said their organisation's approach to data privacy would not have attracted penalties, or did not know whether it would have, had GDPR been in effect this past year.

The survey, conducted by Dimensional Research and sponsored by Dell, also found that 76 per cent of IT and business professionals in APAC responsible for data security at both SMBs and enterprises are concerned with GDPR compliance.

Results further show that while organisations realise failure to comply with GDPR will impact both data security and business outcomes, they are unclear on the extent of change required, or the severity of penalties for non-compliance and how changes will affect the business.

“To be in compliance, both European organisations and those outside of Europe that do business there must adopt an adaptive, user-centric, layered security model approach around the tenets of prevent, detect, respond and predict,” said Eric D’Angelo, Regional Sales Director, Asia Pacific, Dell Security.

Dell has identified the following tips and strategies to help organisations adhere to security disciplines needed for GDPR regulations, so they can protect customer personal information, and avoid the data breaches, heavy fines and loss of reputation that may result from non-compliance:

  • Appoint a data protection officer (DPO). GDPR makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of special categories of personal data; other organisations may appoint one voluntarily. The position can be full-time, filled by an employee with other responsibilities, or outsourced to an external service provider.
  • Deploy a firm access governance solution. The ability to govern access to applications that permit access to EU citizens’ personal data, particularly unstructured data, is a major factor in data security and GDPR compliance. Governance generally requires periodic review of access rights by line-of-business managers and attestation/recertification that the permissions align with their job roles and don’t compromise data security.
  • Control access management. Employees and contractors must have the correct access permission to do their jobs and nothing more. The right identity and access management technologies that facilitate this level of control include multi-factor authentication, secure remote access, risk-based/adaptive security, granular password management, and full control over privileged user credentials and activity.
  • Protect the perimeter. Deploy next-generation firewalls to reduce the network's exposure to cyber threats and to mitigate the risk of data leaks that could lead to a breach and the penalties GDPR attaches to one. Their logs also provide the forensic record needed to demonstrate compliance and to scope and remediate an incident after a breach, so retain them accordingly.
  • Facilitate secure mobile access. Combine identity attributes, device posture and contextual factors such as time and location into an adaptive, risk-based access decision, so that users get the access their role requires under normal conditions and face additional checks or denial when the context is anomalous.
  • Ensure email security. Achieve full control and visibility over email activity to mitigate the threat of phishing and other email-based attacks on protected information, while enabling the secure and compliant exchange of sensitive and confidential data.
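The access governance and access management items above come down to one recurring check: does each account hold only the entitlements its job role justifies, and is it still in use? The following is an added example, not code from Dell or from the article, of how such a recertification pass can be automated so that line-of-business managers receive a list of exceptions to attest rather than a raw dump of permissions. The role baseline, user accounts, entitlement names, manager identifiers and the 90-day dormancy threshold are all hypothetical, constructed for the illustration.

```python
"""Access recertification check: flag grants that exceed a user's role baseline,
accounts whose role has no baseline, and dormant accounts, grouped by the manager
who must attest to them. All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical role baseline: the entitlements each job role is allowed to hold.
# Anything granted beyond this is an exception a manager must justify or revoke.
ROLE_BASELINE: dict[str, set[str]] = {
    "hr_analyst": {"hr_db:read", "payroll:read"},
    "hr_manager": {"hr_db:read", "hr_db:write", "payroll:read", "payroll:approve"},
    "contractor": {"ticketing:read"},
}

# Accounts not used for this long are treated as dormant and flagged for removal.
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    user: str
    role: str
    grants: set[str]
    last_login: date
    manager: str          # line-of-business manager responsible for attestation


@dataclass
class Finding:
    user: str
    kind: str             # "unknown_role", "excess_grant" or "dormant"
    detail: str
    reviewer: str


def review_account(acct: Account, today: date) -> list[Finding]:
    """Compare one account against its role baseline and usage threshold."""
    findings: list[Finding] = []
    baseline = ROLE_BASELINE.get(acct.role)
    if baseline is None:
        # No baseline means nothing can be justified by role: flag the role and
        # treat every grant as excess.
        findings.append(Finding(acct.user, "unknown_role", acct.role, acct.manager))
        baseline = set()
    for grant in sorted(acct.grants - baseline):
        findings.append(Finding(acct.user, "excess_grant", grant, acct.manager))
    if today - acct.last_login > DORMANT_AFTER:
        findings.append(Finding(acct.user, "dormant",
                                f"last login {acct.last_login.isoformat()}", acct.manager))
    return findings


def run_campaign(accounts: list[Account], today: date) -> dict[str, list[Finding]]:
    """Run the review over all accounts and group findings per reviewer,
    so each manager receives one attestation packet."""
    packets: dict[str, list[Finding]] = {}
    for acct in accounts:
        for finding in review_account(acct, today):
            packets.setdefault(finding.reviewer, []).append(finding)
    return packets


# Constructed sample data (hypothetical users, roles and managers).
TODAY = date(2016, 10, 27)
SAMPLE_ACCOUNTS = [
    Account("alice", "hr_analyst",
            {"hr_db:read", "payroll:read", "payroll:approve"}, date(2016, 10, 20), "m.hr"),
    Account("bob", "contractor",
            {"ticketing:read", "hr_db:read"}, date(2016, 6, 1), "m.it"),
    Account("carol", "hr_manager",
            {"hr_db:read", "hr_db:write", "payroll:read", "payroll:approve"},
            date(2016, 10, 25), "m.hr"),
    Account("dave", "intern", {"hr_db:read"}, date(2016, 10, 26), "m.hr"),
]

if __name__ == "__main__":
    for reviewer, findings in sorted(run_campaign(SAMPLE_ACCOUNTS, TODAY).items()):
        print(f"Attestation packet for {reviewer}:")
        for f in findings:
            print(f"  {f.user:6} {f.kind:13} {f.detail}")
```

In this run, alice is flagged for the `payroll:approve` grant her analyst role does not justify, bob (a contractor) for read access to the HR database and for not having logged in since June, and dave because his role has no baseline at all; carol's grants match her role exactly and produce no finding. The point of grouping by reviewer is that recertification is only effective when the person who can actually judge whether an exception is legitimate receives a short, specific list to sign off on.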

Don't let the two-year implementation period become a reason to defer GDPR work, advises global market intelligence firm IDC. "The scale, complexity, cost and business criticality of GDPR means that it will take at least two years for most companies to achieve full compliance. Most companies need to start now."