How the GDPR affects you, even if you think it doesn’t

You’ve probably heard about the GDPR, but have you taken action in time for the 25 May enforcement date? Here’s my quickstart guide to compliance for Australian businesses.

While the General Data Protection Regulations (GDPR) shares a lot of common elements with the Australian Privacy Act 1988, there is a more stringent focus on the rights of individuals. Combined with Australia’s Mandatory Notifiable Data Breach (NDB) scheme, local businesses have been forced to evaluate and take action on their cybersecurity risk assessments, or face crippling fines and the potential loss of consumer confidence.

“While the fines are significant, a top hidden cost to a company being in breach is reputational damage - for example, the share price of Equifax dropped by 40 percent in the two weeks after their breach notification,” notes Felix Martin, security strategist at HPE Pointnext's Global Security Center of Excellence.

Getting started may be the greatest challenge for many organisations, as determining what falls within these regulations can be a complex task.  I’ve put together a strategic approach to the new regulations that you can use as a guide to get started.

1.  Know your data inside and out

Put simply, you can't verify GDPR compliance if you’re not aware of what data is being collected, where it’s being stored, what it’s being used for, and who has access to it.

Here’s a common example. If your website collects data from people all over the world, do you know where your web host backs up your data? It’s common for shared hosting to use a data centre outside of the country you’re located in.  If this is the case with your business, you could be in breach of the GDPR already.

“Many firms don’t know what data they have, why they have it, or whether it should be regarded as personal data,” says Duncan Brown, associate vice president for European infrastructure and security at IDC.

There are some great tools that will help you identify your personal data, and many of these will also help you to encrypt, protect and/or secure the data. The HPE GDPR Starter Kit is my pick for the best tool available, and I also recommend you undertake an information audit with a professional provider like MSS IT.

2. The cloud is still your responsibility

Cloud computing represents a challenge for GDPR compliance, especially for companies that operate across multiple locations. Cloud solutions exist in all disciplines, from accounting to marketing and beyond, and compliance needs to be a team approach. For example:

• Does your sales and marketing team use a cloud-based CRM system to store your customer data? Have you read up on their privacy by design approach?
• Has your IT department created and provisioned virtual machines in the cloud? If so, do you know where they actually are? Do you need parallel systems, one in the EU and one outside?

These are just two of hundreds of examples of how the cloud can be affected by GDPR. The cloud itself isn’t dangerous - but when it comes to GDPR, make sure your cloud services are compliant with your requirements.

3. Investing in security could save you millions

Cybersecurity is an essential investment to protect personal data and comply with the GDPR.

The vast majority of requirements for GDPR and the Australian Privacy Act 1988 centre around data management, namely data collecting and processing.  While there are obligations to provide appropriate notice when you’re collecting personal data, this shouldn’t overshadow the fact that data security is also vital for complying with the GDPR.

Here are the key elements in any cybersecurity platform 

• Give complete visibility into all traffic. You can’t stop or protect against what you can’t see.
• Reduces the attack surface. The more applications and devices in your organisation, the more ways a threat can penetrate.
• Prevents known threats, such as information-stealing Trojans, malware and application exploits.
• Prevents unknown threats, by proactively identifying and blocking unknown malware and exploits, which are often used in sophisticated and targeted attacks.

Overall, my top choices for data protection and cybersecurity are Palo Alto Networks, Sophos and Tenable, but every organisation has different requirements.  Make sure you are guided by an expert to choose the right platform for you.

4. Develop your data breach management policy

The GDPR gives organisations a 72-hour window to not only detect but disclose a breach to regulators.  The Australian NDB is a little more merciful, requiring that the assessment be carried out in a "reasonable and expeditious" timeframe.

A data breach response plan empowers an organisation to rapidly take action in the event of a data breach, and can:

• substantially decrease the impact of a breach on affected individuals
• limit the financial and reputational consequences of a data breach
• help you meet your obligations under the Privacy Act

Cyber threats are evolving every day, and even the most secure organisation can be affected by a data breach, be it internal or external, deliberate or accidental, by a human or technology.

So, where to start??

A major tool in our arsenal is the Hewlett Packard Enterprise (HPE) GDPR Starter Kit, which we use to help you conduct a Personal Data Assessment and optionally encrypt your data. The kit covers classification, governance, and data security products to deliver a number of important benefits.

• Automated assessment of your data
• Quickly and cost effectively enables GDPR-responsive data to be encrypted
• Proactively detects and responds to any cyber-threats
• Adaptive backup and recovery solution that’s designed to work in accordance with GDPR

And remember, even if the GDPR doesn’t directly apply to you, your organisation should make this the time to actively review the policies and procedures related to your business data.

For help with undertaking this review, please contact me on hmellor@mssit.com.au or 1300 MSS4IT (677448).