The GDPR deadline is fast approaching, but most businesses are ill-prepared and need to re-evaluate their technology stack if they are to avoid non-compliance and costly fines.
The GDPR comes into full effect on 25 May 2018, but most businesses are not prepared for it, and need to raise their game if they want to avoid non-compliance and costly fines, argues enterprise technology expert Sudeep Venkatesh, global head of pre-sales at Micro Focus.
Of the many global enterprises he speaks to each week, including financial services, retailers, telcos and healthcare organisations, the majority of them are processing huge amounts of personal data.
In terms of how prepared enterprise CISOs are for GDPR, Venkatesh puts them into three categories, with the first one accounting for the majority of global organisations.
“The first group is aware of the GDPR, and have possibly set up a privacy office or hired a data protection officer (DPO). They may be sifting through their legal requirements, or have obtained a basic budget to do so.” Around 90 percent of global organisations are in this category, “still figuring things out,” he says.
The second category, which accounts for around five percent of organisations, is much further down the road. These companies are assessing what technologies they have in-house, and what technologies they need to help them become GDPR compliant, says Venkatesh. Some larger organisations have already invested in a dedicated DPO, or even multiple officers, and are actively evaluating their legal obligations.
The third category is organisations that can claim they are GDPR compliant across all their platforms, but this is a very small percentage.
“On balance, most enterprises find themselves lacking, especially in identifying the technology solutions they need. Setting up policies and hiring lawyers will only get you so far,” comments Venkatesh.
He adds that, for many organisations, while there is a degree of awareness among CISOs and information security teams that they need to comply with the regulations that are coming, they have not taken an inventory or worked out which GDPR requirements will apply to them.
Punitive GDPR fines ahead
One factor that will compel many enterprises to move towards GDPR compliance is the threat of a fine for non-compliance: potential fines run to the greater of €20 million or 4 percent of global annual turnover for a corporate group.
Venkatesh says Micro Focus believes the industry will see regulators handing out significant data breach fines, rather than just using them as a threat. “We absolutely think that regulators will enforce the regulations very early on, and in fact, UK-based regulators say there will be no leeway given in terms of GDPR adherence.”
But he adds that the monetary aspect is only one of many negative consequences of non-compliance: the negative publicity and reputational damage an enterprise could experience are equally significant, whether from suffering a data breach or other GDPR non-compliance, or from being seen to be fined for either.
“We strongly feel that, as the GDPR deadline comes closer, and as consumer awareness increases, compliance is going to be good for the company’s brand, and something they can market to their customers,” says Venkatesh.
Citizens are not currently aware of the data privacy changes that are coming, especially around data portability, data deletion and the ‘right to be forgotten’, says Venkatesh. But he understands that the regulators will start to advertise in the mass media to educate people about the GDPR and the data privacy rights of EU consumers. “I think we all need to do a better job of educating people about what their rights are.”
The right technology stack
The key to being ready for the new data privacy rules is to have the right technology in place, says Venkatesh.
“Many of the GDPR requirements will have companies looking to use technology to help their compliance, such as data encryption, data storage, classification management and archiving, but businesses have been slack in picking, deploying and operating these.”
Venkatesh adds: “We have been offering encryption and pseudonymisation for ten years now. For example, one of our large global telco customers uses our encryption for 550 of their applications. In addition, eight out of ten payment processors are using Micro Focus’ encryption technology to successfully encrypt data in a vast number of systems.”
One concept Micro Focus tries to educate customers on is that not all encryption is the same. Encryption applied at the network level for data in transit may only protect against someone sniffing the line or tunnel, for example. Storage-level encryption adds further protection, but it too should be strengthened with field-level encryption of sensitive personal data, so that specific fields such as names, addresses, email addresses, phone numbers, GPS location information, payment information and buying patterns are protected individually.
“Several organisations are already deploying this, and it will help them to effectively prevent attacks on their data,” says Venkatesh.
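As an added illustration of the field-level protection described above (example code written for this page, not code from Micro Focus or from the article), the Go program below encrypts only the listed personal-data fields of a customer record with AES-256-GCM, leaves operational fields readable, and derives a keyed pseudonym so reporting can join records per customer without seeing the e-mail address. The field policy, the keys, the record values and the `enc:`/`pseu:` prefixes are constructed for the example; in a real deployment the keys would come from a key manager or HSM rather than being passed in as byte strings.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"strings"
)

// Constructed field policy: the personal-data fields the article names.
// Fields not listed stay readable so the application can keep using them.
var sensitiveFields = map[string]bool{
	"name": true, "address": true, "email": true, "phone": true, "gps": true, "card": true,
}

// FieldCipher protects single fields: AES-256-GCM for reversible encryption,
// HMAC-SHA256 for pseudonymous join keys. Keys are injected by the caller.
type FieldCipher struct {
	aead    cipher.AEAD
	hmacKey []byte
}

func NewFieldCipher(encKey, hmacKey []byte) (*FieldCipher, error) {
	if len(encKey) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead, hmacKey: hmacKey}, nil
}

// EncryptField seals one value with a fresh random nonce. The field name is
// passed as GCM additional data, so a ciphertext copied into another column
// will not decrypt there.
func (fc *FieldCipher) EncryptField(field, value string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := fc.aead.Seal(nonce, nonce, []byte(value), []byte(field))
	return "enc:" + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; tampering or a field mismatch is an error.
func (fc *FieldCipher) DecryptField(field, stored string) (string, error) {
	if !strings.HasPrefix(stored, "enc:") {
		return "", errors.New("value is not a field ciphertext")
	}
	raw, err := base64.StdEncoding.DecodeString(stored[4:])
	if err != nil {
		return "", err
	}
	n := fc.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	plain, err := fc.aead.Open(nil, raw[:n], raw[n:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// Pseudonym derives a stable keyed token from an identifier so analytics can
// join records per customer without holding the identifier itself.
func (fc *FieldCipher) Pseudonym(field, value string) string {
	mac := hmac.New(sha256.New, fc.hmacKey)
	mac.Write([]byte(field + "\x00" + value)) // NUL keeps field and value distinct
	return "pseu:" + hex.EncodeToString(mac.Sum(nil))
}

// ProtectRecord replaces every sensitive field with its ciphertext and adds a
// pseudonymous customer key derived from the e-mail address.
func (fc *FieldCipher) ProtectRecord(rec map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(rec)+1)
	for k, v := range rec {
		if !sensitiveFields[k] {
			out[k] = v
			continue
		}
		ct, err := fc.EncryptField(k, v)
		if err != nil {
			return nil, err
		}
		out[k] = ct
	}
	if email, ok := rec["email"]; ok {
		out["customer_key"] = fc.Pseudonym("email", email)
	}
	return out, nil
}
```

Binding the field name into the authenticated data is the detail that separates this from simply encrypting a whole row or disk: a value lifted from one column and written into another fails to open, and a storage administrator who can read the database still sees only `enc:` blobs for the personal-data fields while `tier`-style operational fields remain usable.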
Ultimately, everybody in the business is responsible for protecting information, says Venkatesh, from the executives down.
“One common theme that is emerging from GDPR-ready organisations is that they’ve obtained high-level buy-in from the board when it comes to protection. A good test is if a C-level executive can explain in one simple sentence about why their organisation should be protecting data and what it means to them.”
Other indications of a GDPR-ready organisation are that their security and application teams are working closely together, and collaborating with the company’s privacy officers. Venkatesh comments, “There is typically a tug-of-war between security teams who are familiar with encryption and pseudonymisation, and large applications teams who are more interested in getting new features out for their applications, so they can drive revenues. What will help is a mandate from board-level to ensure they are on the same page: they have to work together to protect the customer.”
Finally, for enterprises that feel unprepared for the GDPR, Venkatesh advises: “CISOs and all security professionals need to get more educated on the GDPR. You should investigate application security products, such as security incident management, encryption and pseudonymisation; and a good investment of time is to go through your existing technology stack and work out what you need.”