The clock is ticking
As digital business expands and consumers increase their online activities, protecting privacy and ensuring security is more important than ever. The EU General Data Protection Regulation (GDPR) becomes effective in May 2018, with new regulations to meet these challenges.
If you conduct business with EU customers, you’ll need to comply with new rules — no matter where you’re located. These changes will impact how you do business. If you haven’t developed a plan to deal with these changes, be sure to get ready now.
This Forrester Brief for Security and Risk Professionals describes these changes to the GDPR and identifies how to get started. Here are some highlights from the report that require your immediate attention:
- You need to hire a Data Protection Officer (DPO) and collaborate with the DPO if you engage in regular, systematic collection or storage of sensitive customer data. Estimates indicate this will require almost 30,000 privacy officers globally.[1]
- The biggest game changer is a data breach notification requirement to inform customers and authorities within 72 hours of a data breach.
- Implement privacy by design, which is a big challenge. Solutions that ensure compliance can help address this requirement. Privacy must be baked into new projects with security controls throughout all of the development phases.
- The reach of GDPR makes it a global mandate. Non-EU organizations that provide goods or services to EU residents or monitor their behavior — or collect and re-sell this information to other business partners — must comply with GDPR requirements.
- You must provide evidence of risk mitigation documentation, possibly including a privacy impact assessment (PIA). Demonstrating strong governance over access and change controls can help.
Here’s a closer look into some of the key areas impacted by the new requirements:
Avoid the notification requirement by preventing data breaches in the first place
As the old adage goes, “an ounce of prevention is worth a pound of cure.” Businesses will need to quickly understand the impact of a data breach and must rapidly share many details about it with customers and regulators. The new GDPR regulations make it critical to ramp up efforts so that vulnerabilities don’t turn into data breaches. After all, if you can prevent breaches from happening, then you don’t have to worry about the 72-hour notification and the damage that a breach can do to your company and its customers.
Since most breaches are caused by known vulnerabilities – ones for which a patch is already available at the time of the breach – organizations need strong SecOps solutions to identify vulnerabilities, prioritize them based on impact, and rapidly remediate them. BMC’s SecOps solutions give security and operations teams actionable analysis and contextual awareness to find and fix vulnerabilities and prioritize them based on their business impact.
Implement strategies for risk mitigation and privacy by design
The changes to GDPR stress the importance of having controls in place and being audit ready. This involves demonstrating that you’ve deployed and implemented privacy controls to mitigate risks and can identify who has access to personal or sensitive data.
BMC’s SecOps solutions help ensure security and compliance in multi-cloud environments, data centers, and in the development of new apps. They provide actionable plans to help address security concerns based on best practices and policies, enabling changes to be made before apps are released.
When combined with BMC Discovery, these solutions also let IT organizations identify the full extent of the IT landscape, exposing potential blind spots in the form of unregistered services or zombie servers that may create an entry point for hackers.
Leverage tools that enable consistent governance and fast compliance
While there are plenty of measures you can take to prevent attacks and minimize risk, the hackers and their tools continue to evolve. Under GDPR, you also have to be able to quickly assess the extent of a data breach.
BMC’s SecOps solutions help you understand where vulnerabilities exist in your environment and how they relate to critical business systems. This helps you quickly understand what servers are potentially exposed and demonstrate what you have done to mitigate risk.
Whether you’re just getting started with your plan for the GDPR, or want more details on the changes and how they impact you, be sure to read the Forrester Brief: You Need An Action Plan for the GDPR.
By the way, your efforts to implement these changes can also help you deal with issues beyond GDPR, such as Privacy Shield – the new framework for international data transfers – and the impact of Brexit on privacy strategies.
[1] Rita Heimes and Sam Pfeifle, “Study: At least 28,000 DPOs needed to meet GDPR requirements,” IAPP, April 19, 2016, http://iapp.org/news/a/study-at-least-28000-dpos-needed-to-meet-gdpr-requirements/