The General Data Protection Regulation (GDPR) is a set of new regulatory rules that have been passed and adopted by the European Parliament. These rules come into effect on May 25, 2018. The objective of these regulations is to strengthen and standardize the protection of personal data within the European Union (EU). It also controls the export of personal data outside the EU. Companies will need the same level of protection for data such as an individual’s IP address or cookie data as they currently do for name, address, and Social Security number. The GDPR replaces the EU’s Data Protection Directive, which went into effect in 1995.
If you’re running an international business operating in Europe and the business has computer systems that collect and store data, the GDPR will affect you. The short story is: Prepare to be regulated.
Make a list and check it twice
To comply with GDPR rules, you’ll need to start with an up to date list of software applications that run in your business. According to Matt Fisher, IT thought leader and senior vice president at Snow Software, more than 39,000 applications are known to hold personal data.
While list making might seem to be a straight forward task, preparing a list of currently used applications can quickly become a challenge. Imagine that you have 50, 100, or more servers or Virtual Machines. How do you know which applications are running on each server? Often, run books are out of date, install scripts are missing, some applications are no longer used but have not been uninstalled, and new applications are added over time. Fisher says, “As IT teams lose sight of the applications in use across the organization, they lack overarching visibility into the applications that could threaten GDPR compliance.”
Application monitoring can reveal, without undue effort on your part, which applications are still used on a server and which users are using them.
Close security exposures by modernizing
Across the globe, significant malware exposures occurred in 2017 and 2018. The risk of critical data breaches caused by running unsupported systems was exposed by the widespread ransomware impacts of WannaCry and NotPetya, as well as the legacy hardware exploits of Specter and Meltdown. Every day we hear about yet another cyber attack, which usually compromises massive amounts of user data.
GDPR is intended to make international businesses liable for data breaches and to better protect user data in corporate systems. GDPR rules are likely to end the businesses habit of continuing to run systems on out-of-date, unsupported legacy systems. IT auditors won’t be turning a blind eye to operational systems that still depend on an unsupported OS like WS2003 or the soon to end WS2008.
Once GDPR comes into effect in May 25, 2018, companies will have to assume the risk for a data breach if systems are not updated and modernized. Paying punitive damages will reach all the way to company boards. GDPR fines can be as high as 4% of a company’s global annual turnover or 20 million Euros, whichever comes first. Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year.
According to the RSA Data Privacy & Security Report, for which RSA surveyed 7,500 consumers in France, Germany, Italy, the UK, and the US, consumers will not easily forgive a company once a breach exposing their personal data occurs. Seventy-two percent of US respondents said they would boycott a company that appeared to disregard the protection of their data. Fifty percent of all respondents said they would be more likely to shop at a company that could prove it takes data protection seriously. “In short, consumer expectations of privacy and the accompanying regulations are translating business risk into cyber risk across the globe.”
“As businesses continue their digital transformations, making greater use of digital assets, services, and big data, they must also be accountable for monitoring and protecting that data on a daily basis,” concluded the report.
A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority. Estimates vary, but perhaps half of the U.S. companies that should be compliant will not be on all requirements. According to a survey by Solix Technologies released in December 2017, 22 percent of companies were still unaware that they must comply with GDPR. Thirty-eight percent said that the personal data they process is not protected from misuse and unauthorized access at every stage of its life cycle. The PwC survey concludes, “American multinationals that have not taken significant steps to prepare for GDPR are already behind their peers. The typical large US corporation is currently moving through a data-discovery and assessment phase toward a multi-million-dollar remediation initiative...”
The cost of procrastination is high. The time to modernize systems is now. As the RSA report says, “organizations need to know where data resides, who has access to it, and how it's being secured to understand the risk it brings to their business.”
Rules, rules and more rules
GDRP rule compliance should be viewed as a journey and not an end state for legacy systems. The lifecycle of existing legacy systems that are ported to a secure, supported operating system can be extended by making modifications to address GDRP requirements. Some of the many system enhancements that may be needed include:
- Tracking and monitoring the retention time for personal data
- Transparency and publication of the contact information for an organization’s data controller and data protection officer
- Explicit consent for data collection and the purposes for which data is used
- A process that transforms, anonymizes, obfuscates, or encrypts personal data so that the resulting data cannot be attributed to a specific data subject without the use of additional information, such as a decryption key
- The ability and right to access personal data and information about how this personal data is processed
- The ability and right to request erasure of personal data
- The ability to transfer personal data from one electronic processing system to another
- Records of processing activities, including the purposes of the processing, categories involved, and time limits retention
The new GDPR rules likely involve significant ongoing changes to existing systems.
If you need help with making your application list, closing security exposures inherent in unsupported systems, or finding a path to extend the life of legacy systems, give us a call, register for a free demo, or send us an e-mail. We're always delighted to show you what we can do.