Dr Jamie Graves, CEO at cyber security specialists ZoneFox
From MiFID through to the Basel Accords and multiple other Capital Requirements, the finance sector has grown used to unpicking complex EU regulation. However, the European General Data Protection Regulation (GDPR) is a different type of beast because it impacts every nook and cranny of your business. Even ones you weren’t aware existed.
Why? Simple: data has taken root in your organisation. You need it in order to retain customers, deliver innovative new products to the market and execute a fantastic customer service experience, especially as customers now bank across multiple applications and devices. The hard truth is that without data you simply can’t function, certainly not meaningfully. But how that data is managed and protected currently varies wildly, something the GDPR looks to rectify by standardising how personal data is protected and accessed across the EU.
It’s a highly ambitious piece of regulation, and the UK’s triggering of Article 50 shouldn’t lure companies into complacency: the GDPR applies to any organisation that processes the personal data of people in the EU, wherever that organisation is based. If you want to do business in the global economy and move data across borders, you will need to comply. The regulation brings with it big changes and so, if you haven’t already, it’s important to get your ducks in a row. The question is, how can you prepare?
For me, the regulation broadly falls into three distinct action areas that offer the opportunity to enhance information security from a technical, governance and legal perspective: proactivity, ensuring GDPR is a board-level priority, and risk mitigation.
Being proactive
When it comes to security, being on the front foot is absolutely key. Most companies don’t know how and where all of their data is processed or stored across the organisation, or whether it is always accessed in line with company policy. Auditing this is the ideal place to start; after all, as the saying goes, knowledge is power. From this audit you will be able to get a much better understanding of:
- What measures you have in place to protect data, especially personally identifiable information. Perform vulnerability assessments and penetration tests to determine whether unauthorised access to, and bulk download of, that data is possible. This is a great exercise and also offers the opportunity to test your data encryption standards: are the right fields encrypted, and are the keys held separately from the data they protect?
- The relationship your organisation has with third parties. Who do you share data with, and how do third parties collect data from your business? Longer term, you will need to ensure that your data supply chain is GDPR compliant, with written processing agreements in place; the onus is very much on you, as the controller, to take responsibility for this
- Have your legal and compliance teams go over end-user agreements. Where you rely on consent as your lawful basis for processing, that consent must be freely given, specific, informed and unambiguous, not buried in terms and conditions
- Ensure that how you tell people you use their data is actually how you use it. An outside opinion can help here, so don’t be afraid to engage an expert to advise
- Does your current data storage solution have any risks associated with it? If so, create a risk register so that you can track and tackle them
Ensuring GDPR is a priority
Being proactive will help you to understand the unique risks and vulnerabilities your organisation faces in relation to complying with GDPR. This understanding forms the basis of a robust strategy to be presented to company directors. The exec board hears about so many internal projects, all of them competing for resources and funding, so it’s important to present the right information in order to secure what you need:
- Highlight any discrepancies between your end-user agreements and GDPR requirements, together with a clear roadmap for how to reconcile the two
- Create risk-based metrics from your vulnerability assessments and penetration tests to outline any weaknesses in your data defences. Don’t forget, the board will be looking to you to bring solutions as well as problems to the table
- Be clear about any deviations from GDPR and present a strategy encompassing technical, legal and compliance requirements, with a timeline for achieving compliance by 25 May 2018 alongside the associated risks recorded in your risk register
Mitigating risk
The road to successful GDPR compliance will require the strong mitigation of risks. This is an important step because data is arguably the most valuable artefact on the internet and, as a result, the most heavily targeted. We’ve all seen the headlines resulting from data breaches: companies that fall victim to attack suffer brand damage, lose customers and as a result see a real impact on their bottom line. With GDPR, the onus on companies to take responsibility increases dramatically. Therefore, it is imperative that you:
- Classify your data. You cannot protect what you have not identified, and classification determines which controls apply to which records, so it is vital to preventing data loss
- Continuously monitor the environment to ensure your data stays exactly where it is supposed to and doesn’t walk out of the front door without authorisation
- Encrypt your databases. This might seem like an obvious point, but not all companies are following this basic rule. Apply strong, modern algorithms and keep the keys separate from the data so that even if the bad guys steal your data you render it useless to them; the regulation itself names encryption as an appropriate technical measure, and a breach of data that has been rendered unintelligible need not be notified to the affected individuals
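The classification step above only becomes concrete once something actually walks the data and tags it. The following is an added example, not code from ZoneFox or the original article: a small scanner that sweeps a set of constructed customer records for personal data (e-mail addresses), card numbers (validated with the Luhn check, so a random 16-digit string is not flagged) and IBANs (validated with the ISO 7064 mod-97 check), assigns each record a classification level, and produces a masked copy safe for logging or monitoring pipelines. The three levels (`internal`, `confidential`, `restricted`) and the mapping of finding types onto them are illustrative assumptions, not a scheme the GDPR prescribes.

```python
import re

# Constructed sample records for the example; none of this is real customer data.
# Record 3 carries a valid example IBAN in free text and a card-shaped number
# that fails the Luhn check, so only the IBAN should be flagged.
SAMPLE_RECORDS = [
    {"id": 1, "notes": "Customer rang about statement",
     "email": "jane.doe@example.com", "card": "4111 1111 1111 1111"},
    {"id": 2, "notes": "Branch opening hours query", "email": "", "card": ""},
    {"id": 3, "notes": "Payment to GB82 WEST 1234 5698 7654 32",
     "email": "", "card": "1234 5678 9012 3456"},
]

# Assumed classification scheme: each finding kind maps to a level, and a
# record takes the highest level of anything found in it.
PII_LEVEL = {"email": "confidential", "card": "restricted", "iban": "restricted"}
LEVEL_RANK = {"internal": 0, "confidential": 1, "restricted": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end,
    convert letters to numbers (A=10 ... Z=35) and require remainder 1."""
    iban = re.sub(r"\s", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


# (kind, candidate pattern, validator). Patterns find candidates; validators
# remove the false positives a bare regex would produce.
DETECTORS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), lambda v: True),
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b"), iban_ok),
    ("card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), lambda v: luhn_ok(re.sub(r"[ -]", "", v))),
]


def find_pii(text: str) -> list:
    """Return [(kind, matched_text)] for every validated finding in the text."""
    findings = []
    for kind, pattern, valid in DETECTORS:
        for m in pattern.finditer(text):
            if valid(m.group(0)):
                findings.append((kind, m.group(0)))
    return findings


def classify_record(record: dict) -> dict:
    """Classify one record: level plus the (field, kind) pairs that drove it."""
    findings = []
    for field_name, value in record.items():
        for kind, _ in find_pii(str(value)):
            findings.append((field_name, kind))
    level = "internal"
    for _, kind in findings:
        if LEVEL_RANK[PII_LEVEL[kind]] > LEVEL_RANK[level]:
            level = PII_LEVEL[kind]
    return {"level": level, "findings": findings}


def classify_dataset(records: list) -> dict:
    """Map record id -> classification for a whole data set."""
    return {r["id"]: classify_record(r) for r in records}


def mask(value: str) -> str:
    """Keep the last four characters, blank every other letter or digit,
    and preserve separators so the shape of the value stays recognisable."""
    return re.sub(r"[A-Za-z0-9]", "*", value[:-4]) + value[-4:]


def redact(record: dict) -> dict:
    """Copy of the record with every detected value masked, for logs/monitoring."""
    out = dict(record)
    for field_name, value in record.items():
        text = str(value)
        for _, found in find_pii(text):
            text = text.replace(found, mask(found))
        if text != str(value):
            out[field_name] = text
    return out


if __name__ == "__main__":
    for rid, result in classify_dataset(SAMPLE_RECORDS).items():
        print(rid, result["level"], result["findings"])
    print(redact(SAMPLE_RECORDS[0]))
```

Run against the constructed records, the scanner marks record 1 as `restricted` (e-mail plus a Luhn-valid card), record 2 as `internal`, and record 3 as `restricted` on the strength of the IBAN alone; the sixteen digits in its card field fail the Luhn check and are left alone. In practice the same loop would be pointed at database exports, file shares and log archives, and the level it assigns is what decides which records must be encrypted, who may access them and what monitoring should alert on their movement.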
GDPR might feel all-consuming, but broken down into these three key areas it becomes much more manageable. It is also a significant opportunity to redefine your relationship with your increasingly data-savvy customers and create a new era in which data is shown the respect and protection it deserves.
The opportunity is there to become a real industry leader in data security. Those that seize it will prosper; those that don’t risk being consigned to history.