This is the first in a four-part series of posts about the EU’s General Data Protection Regulation and how it will force European businesses to develop their incident detection and handling processes.
If you run your business in Europe, you still have some time before the EU’s General Data Protection Regulation starts to apply on 25 May 2018 (the regulation formally entered into force in May 2016, but its obligations only become enforceable on that date). I hope your preparations for the new requirements are already well underway!
One feature of the GDPR that needs to be specifically highlighted is the mandatory breach notification. It may be the most misunderstood portion of the new regulation. Having worked in a regulated sector and been part of a breach notification scheme for fifteen years, I’d like to dispel some myths about the regulation.
One of the aims of breach notification rules such as the GDPR’s is to push companies to step up their ability to detect breaches and to mitigate the negative impacts effectively. The foremost thought in the lawmaker’s mind is not to punish companies that have themselves been victims of a crime, but to make them better equipped to deal with the very likely eventuality that there will be a breach some day.
Remember how it was in school? The exams were not there to make you look bad but rather to push you to study. The lawmaker’s intention with the GDPR is to help you respond better in the event of a breach. Provided, of course, that you have done your homework.
The GDPR introduces a requirement to notify the supervisory authority of a personal data breach (where feasible, within 72 hours of becoming aware of it) and, when the breach is likely to result in a high risk to the individuals concerned, to notify the affected customers and users as well. But you’d be mistaken to think that “personal data breach” will be interpreted in a narrow sense.
The regulation requires you to disclose not only how personal data was affected, but also information that will help the authorities assess what made the breach possible: the likely consequences of the breach and the corrective actions you have taken and plan to take. They will also want to know how you (or someone else!) detected the breach, how long it took to detect, and how you assess the damage. They’ll want your assessment of how you and your customers will be affected by the residual risks. This information will enable people outside your company to form a more complete picture of your ability to protect any aspect of your business.
If there’s dirty laundry in your information security posture, it will soon be apparent. Was the personal data you handle acquired lawfully? (Pro tip: get familiar with how to obtain valid user consent.) Were your cybersecurity protections adequate given the threat? There will also be questions about your network and information security, hiring procedures, physical security, and your ability and willingness to honor commitments beyond user privacy, such as SLAs and the protection of corporate secrets.
Regulators know that no law will miraculously put an end to criminal activity. Neither will the GDPR incentivize all companies to turn into cybersecurity leaders. Rather, the GDPR aims to raise the minimum level of security and privacy protections across the board. And while minimum protections will help address accidental leaks and prevent each mishap from escalating into full-blown chaos, they will do little to stymie criminals.
Make no mistake, your adversaries will continue to attempt to breach your business. They’ll know you have made some minimal enhancements in predictable places in a less-than-enthusiastic manner. So if you have to comply with security-enhancing regulation, why not comply with style?
This is your moment to make a good cybersecurity posture a differentiator in your business. Take pride in making your organization stand out from the crowd. When customers compare service providers and want proof of a company’s ability to deliver GDPR compliance, you’ll rise above the rest. Exceeding the minimum expectations can also be seen as a business continuity asset that not only lowers the cost of cyber insurance, but saves a pretty penny when you need to activate your incident handling plan.