The time has come for GDPR, are you ready?
I’m sure you’ve heard it all by now that the General Data Protection Regulation (GDPR) will go live on 25 May 2018. It has stirred waves of confusion and concern not just within the European Union (EU), but also across Asia Pacific, where we’re seeing a ripple effect take place as more businesses are sitting up and taking notice.
And for a good reason. A data breach due to failure to comply with GDPR may cost businesses a hefty fine of up to four percent of annual global turnover or US$24.63 million—whichever is greater.
So what exactly is the GDPR? This new regulation looks to harmonize data privacy laws across Europe to protect the Personal Identifiable Information (PII) related to an EU individual, independent of where that data is stored in the world. A single EU-based customer with personal information in any business database will warrant the need for the organization to be GDPR compliant—even if you’re a small business! This means that the need to be GDPR-compliant by the stipulated deadline is not limited to EU-based businesses only. It will affect businesses globally.
While it seems like businesses in Asia Pacific are starting to pay more attention to the coming GDPR implementation, a recent study found that more than half of businesses in Japan, Singapore, and South Korea are among the least prepared for the upcoming data privacy laws[1]. What’s more alarming is that more than half (56 percent) of Singapore-based companies expressed concerns that they would not be able to meet the deadline for compliance.
What should businesses in Asia Pacific do?
The GDPR can prove to be daunting given how it will transform the way organizations across the world approach data privacy[2]. As such, we have identified key issues and steps for organizations to safeguard their customers’ data and be on the path toward GDPR compliance:
- Assessing risk of breach
While there is no single security product or solution that will guarantee a 100 percent breach-free future, prevention is always better than cure. A good first step towards being GDPR compliant and ensuring high standards of security is by conducting a thorough data audit on both and offline activities. Not only can you pinpoint EU individuals your business is offering goods and services to, it can also go a long way in identifying critical information that needs more attention than the rest. This can help your organization plan for sufficient funds and personnel to ensure the journey to compliance is complete.
- Appointing a Data Protection Officer (DPO)
Part of being GDPR compliant includes having a DPO to sit at the crossroads of business process, IT systems and security. The DPO needs to have a firm understanding of the GDPR regulations as he/she will be responsible for monitoring the compliance of the business, facilitating and reviewing data protection impacts and providing a central point of communication and mediation in the event of a data breach.
- Prioritizing an always-on security strategy
According to the GDPR, businesses are required to adhere to a strict and mandatory 72-hour personal data breach reporting rule. Subsequently, this should be followed up with a plan of containment and remediation with the hopes of avoiding significant penalties. However, recent advancements in security technology are empowering us to go further. For instance, continuous monitoring and advanced attack detection software enable businesses to assemble and communicate critical information about the breach in a short period of time.
With increasing mobile access, organizations need to ensure that proper access is maintained to tightly control who and what is authorized to access personal information. A reliable network access control (NAC) and policy management solution ensure discovery, role-based access to IT assets and closed-loop, policy-based attack response.
The WannaCry and Petya breaches that happened last year are an indication of how sophisticated attacks are now designed specifically to evade traditional security defenses. Businesses should introduce an additional level of monitoring that complements existing defenses, one that utilizes new types of attack detection such as machine learning to find small changes in behavior indicative of an attack.
As the network continues to grow exponentially, IT systems are running to keep up. GDPR is just the beginning of a bigger security concern that is never going to go away. More importantly, even without the implementation of the GDPR, every APAC business should aim to adhere to its guidelines for the safety of their customers’ and employee’s data.
[1] http://www.zdnet.com/article/singapore-japan-korea-among-least-prepared-for-new-eu-data-laws/
[2] https://www.eugdpr.org/