The European Union's strict General Data Protection Regulation (GDPR) will go into effect on May 25, 2018, and organizations across the globe need to be prepared or face some of the strictest fines yet. This new law will protect EU citizens’ data privacy, enforcing auditing and security on any item that could possibly identify a “data subject,” such as a name, photo, email address, bank details, social media post, medical information, computer IP address, and more. While the law only protects EU citizens, it affects organizations in all countries that have contact with any EU citizens. No matter your location, if someone in your organization accesses and stores identifiable data (in an attempt to sell something) of a “subject” 16 years of age and older who is an EU citizen, your organization must comply with the GDPR.

GDPR PENALTIES

The GDPR will be replacing the similar Data Protection Directive that was established in 1995 to protect the processing of personal data in the European Union, but the severity of the GDPR will now affect countries outside of the EU, and companies need to take precautionary action to avoid significant fines amounting to four percent of annual revenue or €20 million (whichever is greater) for noncompliance. For lower penalties, the fine is set at two percent of revenue or €10 million. To smaller companies this fine could be detrimental. Organizations can’t afford to keep the mindset that they won’t be affected by the GDPR, and with this new regulation, companies must now notify a “supervisory authority competent” no later than 72 hours after having become aware of a potential personal data breach. The term breach is loosely defined in the law as “accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.” Considering the average time to identify and contain a breach in 2017 was 191 days[1], 72 hours seems like a split second in InfoSec.


REINFORCE YOUR ENDPOINT SECURITY

Organizations everywhere must ensure that their network security, mobile devices, and employees have the best protection and training possible to avoid the financial wrath of the GDPR. While the new law will be holding organizations accountable for keeping citizens’ data safe, the EU may struggle with mobile device protection because of its strict laws on what organizations can monitor of their employees. Unlike in the U.S., where employees have fewer rights when it comes to data management in the workplace, EU laws often provide employees with a high level of protection from enterprise intervention in employees’ personal data under the employer’s BYOD policies. Employers in the EU are more restricted in how and what they can monitor of employees’ electronic history and communications, and in what the employer can do with that information. Adding device management tools that track an employee’s device activity to an employee’s phone in the EU is not the answer. Organizations should look to containerized tools like SyncDog’s Secure.Systems™ for securing enterprise data without intruding on personal data.

HAVE A PLAN IN PLACE NOW

In the coming months, organizations need to implement the best security incident response plans if they have any contact with EU citizens in a sales or marketing capacity, wherever they reside, to be prepared for any sort of data breach scenario that may occur. Let’s say your organization is US-based, an employee has the email address of a German-based prospect that is managed in your CRM system, and your company gets breached. You would be subject to GDPR compliance that could result in fines up to four percent of your company’s annual revenue if the breach is part of ongoing noncompliance. This regulation from the EU will bring significant changes in how businesses across the globe market, secure information, and communicate with their respective markets. Considering the stakes involved, companies must have a plan in place for GDPR compliance now. In Europe especially, containerization can be a viable solution in BYOD settings. For more information on Secure.Systems™ from SyncDog, please visit https://secure.systems.


[1] https://securityintelligence.com/media/2017-ponemon-institute-cost-of-a-data-breach-study/