Regulators are the catalyst for stronger measures in cyber security, and new regulation from the EU is going to have a serious impact on organizations that process EU citizen data. After four years of diligence and debate, the EU Parliament approved the General Data Protection Regulation (GDPR) on April 14, 2016. It will enter into effect on May 25, 2018, at which time organizations that are not in compliance will face heavy fines.
“GDPR is a revolutionary regulation, brought in to replace the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy, bringing cyber into the boardroom,” according to Ariel Evans, CEO of InnoSec and a GDPR expert.
The key articles of the GDPR, as well as information on its business impact, are of high interest to boards and senior executives. Under GDPR, organizations could face hefty fines of up to 4% of annual global turnover or €20 Million, whichever is greater, in case of a breach.
Such a fine could be imposed for serious infringements, such as failing to ensure the security of the systems that process EU citizen data or failing to conduct risk assessments. Member states can also add to these fines. The Netherlands, for instance, has more than doubled its own fining capacity to 10% of annual revenues.
The intent is to make organizations proactive about their security at the boardroom level and to prevent data breaches affecting EU nationals from occurring.
“Alignment with these requirements can reduce the chances of triggering a Data Protection Authority (DPA) to investigate a company’s privacy practices,” notes Evans. European privacy advocates are pressuring DPAs to fully exercise these new powers after May 2018. To manage this risk, multinationals should have a means to demonstrate alignment with the GDPR requirements and to communicate this program to the DPAs that have jurisdiction over their major European operations.
“GDPR compliance also helps to mitigate their other business cybersecurity risks,” explains Evans. “There are many, many similarities between GDPR and other global regulations relating to data protection and privacy. The impact, however, is greater, and its scope is extensive.”
The regulation applies if the organization or data processor is processing EU citizen data. This includes organizations based outside the European Union if they process personal data of EU residents, expanding the scope to all global organizations regardless of whether they are based in Europe or abroad.
Says Evans, “GDPR consists of about 100 different articles, including the need to conduct a Privacy Impact Assessment (PIA), protect customer data (as in, applications need to be secured by default and by design), and requires system risk assessments, as well as articles related to the rights of customers, for example, to ‘be forgotten,’ and 72-hour breach notification.
“Preparing for the GDPR and complying with its obligations once it enters into force will require significant resources and commitment from companies. Automating as many of the requirements as possible will reduce costs and resource requirements.”
On top of that, less than 20% of organizations are ready for GDPR: “Setting up an adequate structure and determining responsibilities will be an essential first step,” explains Evans.
She continues, “On the operational level, a PIA is needed to assess your current security controls to determine the effectiveness of the confidentiality and integrity of your systems. Based on these findings, a risk assessment will determine where to focus your cyber security control needs.”
GDPR will push organizations to move from check-box compliance to proactive security programs with board involvement. Since a regulator can request information at any time, not having it available is an immediate breach of the regulation. Additionally, GDPR affects the supply chain: compliance requests from other organizations will become a prerequisite for doing business with the EU.
After the GDPR is in full effect, only time will tell the effectiveness of this regulation and its impact on consumer security.
Ariel Evans is an American Israeli cybersecurity expert, entrepreneur and business developer. She recently took the helm of the Israeli cyber risk management company InnoSec, which provides enterprises, cyber insurers and M&A teams with quantification of their cyber risk. Additionally, she consults for over 30 Israeli companies and is the go-to person in Israel who connects cyber startup companies to funding and business development opportunities.
As an entrepreneur in the US, she raised over $200 million from private equity and venture capital firms and has two successful exits under her belt. Evans was also the Chief Information Security Officer for a major telco in the United States. She is recognized as a leader on Wall Street in Risk and Compliance, having held positions at The McGraw-Hill Company, XL Capital, JPMorgan Chase and Merrill Lynch, as well as Lockheed Martin.
Her insight into regulation, governance and business inter-connectivity technology allowed her to provide expert guidance to the Department of Homeland Security, The Payment Card Industry and other governing bodies that are accountable for reducing risk and understanding its implications with complex technologies.
Evans will be a panelist for Cyber Insurance: State of the Market for Cyber Claims and Underwriting, and a discussant for The Vendor Vector: Practical Strategies for Due Diligence and Risk Management, at the Global Cyber Security Summit in London, UK on October 12-13.