With the EU General Data Protect Regulation (GDPR) in its final stages, slated now for a 2018 implementation, organizations have the opportunity to get ahead of the requirements, and become more secure in the process. The ICO, recognizing the upcoming GDPR and additionally the EU Data Protection Directive (NIS Directive), has put together a “data dozen” set of reforms that organizations can implement:
- Increase awareness of the upcoming changes for key executives and decision makers
- Document what data you hold, where it came from, and who it’s shared with
- Review privacy notices
- Review procedures around data storage and individuals’ rights to delete / view it
- Have a procedure in place for individual access requests
- Identify your legal basis for processing personal data
- Review how you are seeking, obtaining and recording consent
- Review how you verify individuals’ ages
- Have “the right” procedures in place to detect, report and investigate a breach
- Know how to implement Privacy Impact Assessments (PIAs) and adopt a privacy by design approach
- Designate a Data Protection Officer
- Understand your international requirements (which supervisory authority would take the lead)
A study by Code 42 recently suggested that 18% of organizations are waiting for the GDPR to be finalized before implementing any changes to their data protection and security posture, which is a dangerous position to take. While organizations play the “wait and see” game waiting for regulations to force preparedness, the threat landscape continues to shift, with new technologies, employee behaviours and attacks introducing even greater risks to organizations.
We can understand that organizations do not want to waste time or resources on implementing costly data protections, without greater insight. Regulations often lack specific technical requirements because each organization faces a unique risk assessment. What will be required, as noted in the ICO list, is that you have firm documentation proving you understand what data you have and that you have a way to know if that data is breached. At Absolute, we help provide that visibility into the endpoint, where a growing proportion of data now lives, with automated alerts if data may be at risk and remote capabilities to lock down or delete device, all documented to help prove compliance.
The time is now to make data security a priority. With the EU GDPR and the new NIS Directive looming, organizations in the UK can get the head start on data security before it’s required. Why? Because avoiding unnecessary and costly data breaches is just a good idea. Knowing what may be required is helpful in directing your efforts as a baseline standard, so we encourage you to take steps to Compliance Sea Change: How to Best Comply with the New EU Data Protection Regime.
From proactive monitoring and reporting, to detection and response procedures, deploying a layered approach to security that extends beyond “good enough” protection is the most effective strategy to keep sensitive information private and ultimately avoid legal and financial recourse. Learn more about how Absolute can provide the adaptive endpoint security your organization needs to always stay in control of devices and the data they contain.