GDPR – a hindrance, or just the right kick in the a** every business needs?

The new GDPR framework – designed to unify data protection for individuals within the European Union (EU) – is viewed by many as just another form of regulated compliance being forced down their throats by government. However, if you take a minute to look beyond the headlines, there might just be a silver lining.


Some businesses will undoubtedly see the General Data Protection Regulation (GDPR) as just another form of regulated compliance being forced down their throats by government.

If you take a minute to look beyond the headlines, however, these new rules for anyone handling personal data might just be the push needed to bring issues that have been dangerously ignored for years into the boardroom.

C-level executives in organizations across the globe will soon be forced to give careful consideration to the security culture within their business, a subject whose significance for multinational enterprises grows every day.

Cyber risk is still a misunderstood concept for many senior executives, even as large businesses continue to consistently suffer breaches, hemorrhage data and pay the price for it.

It’s not all bad

If an organization can show, after a breach, that it had appropriate preventative measures in place, a fine can be reduced, and in some cases avoided, because the technical and organizational measures it had taken count in its favor when the penalty is set.

An example of this is encryption within a network and on connected devices. Businesses that make an effort to ensure that a data breach only leaks data that is unintelligible to whoever obtains it will be looked upon favorably under the new regulations. As long as steps have been taken to encrypt sensitive files, fines can be reduced. The GDPR approach may just be to shame executives into finally paying closer attention and taking the steps to properly secure their companies. While this is not a perfect solution, it does demand action that is long overdue.

All businesses (or more accurately, people) lose devices, and while the cost of the hardware isn't negligible, the cost of the data on those devices is about to skyrocket. In the past decade we have already seen record fines for data breaches. In 2016, the UK telecoms firm TalkTalk was fined over $500,000 (£400,000) after the personal data of more than 150,000 of its customers was exposed in a 2015 cyber attack. In 2015, the Financial Industry Regulatory Authority fined Sterne Agee & Leach, Inc. $225,000 after an employee lost a laptop in a restroom. The reason for such a high fine? The laptop was full of unencrypted financial data. Since most computers and smartphones already ship with built-in full-disk encryption, adopting it is a no-brainer. One caveat: encryption at rest protects a lost or stolen device, not a running system whose keys or credentials an attacker has already obtained, so it is a floor, not a substitute for the rest of the security program.

Proving that you were compliant with the new rules will not only save face; encryption can literally save a company's reputation when data is lost. Under the new regulations, a business will not even be required to (though it should) alert the individuals whose data it has just lost, as long as that data has been rendered unintelligible to rogue actors. Note that this exemption covers notifying the affected individuals; reporting the breach to the supervisory authority is governed separately by the regulation's own risk test. Taking steps like these can only help businesses in the long run, from both a credibility and a sustainability perspective.

While small organizations shouldn't take too much of a hit, large corporations will need to adjust how data is collected so that more metadata about it (where it came from, why it was collected and how long it is kept) can be produced on demand down the line. These adjustments will very likely lead to improved data sets, making data not only compliant but more easily accessible and searchable.

You need to act fast

With steep penalties on the horizon, there is a need to take action today. At a minimum, businesses will need to go through evaluation cycles, management buy-in, design and implementation, and company-wide adoption. Although the official enforcement deadline is 25 May 2018, in the world of security this is a short window for many to actually bring meaningful change to long-held processes.

Although governance rules still vary across borders, we recommend that businesses adhere to the most restrictive country's approach, to ensure consistency and continuity across the organization and, frankly, to make implementation and management easier. An emerging trend is the appointment of a DPO (Data Protection Officer) to oversee this consistency and hold the line on compliance and governance. For public authorities, and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, a DPO is a requirement, not an option.

With rumors of stricter regulations swirling, the GDPR will be a guiding beacon. Hopefully, the introduction of data protection roles within businesses will usher in a new data era, one that is responsible and fair to users and that leads to smarter, more secure companies.

This article is published as part of the IDG Contributor Network.