The General Data Protection Regulation (GDPR) is officially going into effect one month from today on May 25th, and its arrival will change how the internet both collects and manages private information.
Under this reform, citizens of the European Union will have more control over the security of their personal data, and websites will be required to follow strict compliance mandates to ensure this data is protected.
So what does this mean for the future of cybersecurity, and how is the digital economy going to be impacted as a whole? Even if your website has no direct affiliation with the UK or EU, it’s still important to be aware of what GDPR compliance entails and create a data processing strategy in advance.
Just because you’re located outside of GDPR borders doesn’t mean you don’t have European connections through vendors, customers or stakeholders.
The penalties for non-compliance are serious, which means now is the time to prepare. Here’s what you should know about how the GDPR will shift the landscape of cybersecurity and what measures can be taken to get ready.
What constitutes personal data will change
Personal data is a broad term that covers anything used to disclose a person’s identity online, but under the GDPR the definition will expand even further. Aside from the basics of name, phone number and email address, information like a postal code, driver’s license, passport, credit card, bank account, IP address, workplace, union membership, social factors, genetics and biometrics also needs to be taken into account.
Before collecting this data, a website must obtain explicit consent from the person, clarify how the information will be used and honor the right of each individual to withdraw their consent any time, at which point the stored data must be erased altogether.
Data collection and storage will be more restricted
Since the GDPR raises the expectation of data privacy, it puts pressure on websites to tighten their cybersecurity and even adopt new practices. This means being highly specific about what qualifies as consent.
Assuming that anyone who visits the website has granted you access to their personal information for marketing uses is no longer an option: you must obtain permission for their data through affirmative action and unambiguous language that is visibly stated on the website. In addition, data processing must be systematically monitored, and a breach of this sensitive material needs to be reported within 72 hours of the security violation.
Standard firewall technologies are not enough
In this hyper-connected world, just about every kind of office equipment, from computers and printers to HVAC units and alarm systems to mobile devices, is now internet enabled. This magnifies the potential for even the most secure networks to be compromised, so in response, preventive measures need to become more sophisticated.
Firewall protection is beneficial, but on its own it is no longer adequate. A multi-layered approach to cybersecurity is more effective. Opt for technologies that encrypt unstructured data, automate manual processing, consolidate storage in one location and reinforce the safety of managed file transfers.
Network access endpoints must be integrated
Because multiple connected devices can increase the risk of personal data being exploited, all network access endpoints need to be managed through one consolidated entry dashboard. This streamlines data management across the various endpoints and gives internal IT teams visibility of the whole endpoint network so they can supervise and protect the flow of data. It also controls who can pass through an endpoint, minimizing the threat of unauthorized remote access, and shortens the detection and response time for suspicious activity.
In addition, merging these network endpoints will create a meticulous and secure audit trail to ensure that you’re remaining accountable to all GDPR compliance directives.
Security risks should be assessed and reported
Data leakage can occur at any stage in the supply chain, so it’s important to perform routine checks on all aspects of this framework, including website traffic, social media interaction, email threads and other forms of online engagement. This will identify the areas most vulnerable to a security breach, so the right measures can be taken to reduce the likelihood of one.
A thorough risk assessment also evaluates how efficiently the network access software is functioning to mitigate the spread of viruses, malware and other outside factors that contribute to lost or stolen data. The more informed you are of the risks, the better equipped you’ll be to avoid them.
Robust data processing strategies are critical
Under GDPR, data protection is split between two distinct tiers—the controller and processor. A business owner or manager who obtains the personal information from customers then decides how that data is utilized is the controller, and the employees who are responsible for executing a controller’s directives are the processors. In order to prevent any misuse of data, you need robust protocols to check the balance of power.
For this reason, more companies are hiring data protection officers (DPOs) to serve as the main point of contact for all data processing activities. In addition to providing accountability for the controller, a DPO can educate all team members on GDPR compliance and make sure those requirements are followed across the board.
Compliance with data privacy regulations is the main factor in gaining consumer trust, or in compensating for a loss of trust, as in the case of Facebook’s recent Cambridge Analytica scandal. The GDPR will require that any use of personal data hinge on precise, unambiguous consent, with immense fines for non-compliance.
So moving forward, Facebook and other corporations will be subject to rigid protocols intended to avoid situations like Cambridge Analytica. The GDPR puts the right to provide or withhold, share or delete personal data back in the hands of the people.