The list of things that will change when Brexit comes into effect is almost immeasurable. What will remain the same, however, is the impact of the General Data Protection Regulation (GDPR) on data protection rules in the UK. Despite Brexit, GDPR will still have a seismic impact on businesses that use and store the personal data of EU residents. The ICO (Information Commissioner's Office) has confirmed that its strategy presumes GDPR will be incorporated into UK law before the exit, so that there is certainty about UK law afterwards.
GDPR & Data Management
GDPR will come into effect on 25th May 2018. The regulation is an attempt to unify the existing legislation put in place by individual EU member states. It is designed to protect the personal data of EU citizens, and covers any data that could feasibly be used to identify an individual. This could include medical records, genetic information or economic information - all of these aspects could come into play in the event of a data breach.
Controller & Processor
GDPR places responsibility for a breach, quite rightly, on both the data 'controller' and the data 'processor'. The 'controller' is the organisation that decides why and how personal data is collected, stored and used. The 'processor' is a third party that handles the data on the controller's behalf (hosting, payroll, analytics and the like); it may never look at the data itself, and it is not the one deciding whether the data should be collected in the first place. A company can hold both roles at once: it is a controller for the employee records it keeps, and a processor for the customer data it handles when delivering services to clients. The roles are not interchangeable, so each must be understood for every data flow. It is hard to find a scenario where an organisation is not at least a controller; think HR records.
How to Protect Your Data: Think Like a Hacker and Understand Your Network
To protect against attackers, you need to think like one. Firstly, map where your data is collected, processed and stored. This lets you identify the weak points along the data's journey. Secondly, consider the nature of the data: is it something likely to be attractive to an attacker? That should define the level of protection it is given. Understanding your network is also crucial: where is your data hosted, in a cloud environment or on internal infrastructure, and who is responsible for security in each case? Finally, establish a process for detecting and responding to unusual behaviour on your network.
How to Protect Against a Breach?
One of the biggest issues seen in the security industry over the years is organisations' inability to detect threats early, or to detect them at all before a third party does. This is where Security-as-a-Service providers can help, with large pools of data to draw experience and intelligence from, and dedicated threat detection and analyst teams working to assess potential incidents. Knowledge and expertise, coupled with effective detection technology, help to stop attackers before they gain a foothold. Just as important is the ability to learn about an attack quickly once a breach has occurred, to support the incident response plan, and to produce the evidence needed for audit and compliance.
How many businesses have their own 'threat intelligence' team that understands the anatomy of attacks, and thus configure and tune the security infrastructure to detect these threats? The reality is that very few have this capability in-house.
Increasingly, therefore, many organisations work with Managed Security Service Providers (MSSPs) to take this 'burden' away from them: investment in external service providers that have a strong pedigree in threat intelligence, security research and vulnerability management, ensures they can remain one step ahead of even the most advanced threats.
GDPR & its Consequences
The ICO is responsible for imposing fines in the UK, and the current limit under the Data Protection Act 1998 is £500,000. Once GDPR applies, the maximum fine rises to 20 million Euros or 4% of a company's total worldwide annual turnover, whichever is higher.
The requirement to notify the supervisory authority within 72 hours of becoming aware of a breach (and to inform affected individuals without undue delay where the risk to them is high) means that adequate and timely threat detection is necessary for compliance. Breaches are often not discovered until weeks or months later, so the strict GDPR timelines will cause problems for many organisations. Furthermore, the challenge is not only establishing that a breach has happened, but working out which records and which individuals were affected, and how severe the impact is.
Will you be ready?
Complying with GDPR is not simple. It will require detailed planning and collaboration with all the businesses in your supply chain, as well as a pragmatic, solutions-based approach to breach detection. The age of hoping that breaches don't happen is over; to comply, you need to ensure your security measures are up to scratch, or face the consequences of non-compliance.