The National Weather Service in the US has a tsunami readiness program. If a huge wave passes through one of the monitored locations throughout the Pacific Ocean, an alert is triggered, and those living in potential landing zones are warned. It’s a smart system, and it has already prevented deaths. Imagine, though, if someone simply ignored the warnings. How foolish! In a similar way, a tsunami is coming to the EU tech space next year, and few are heeding the warning signals. The GDPR (General Data Protection Regulation) will be enforced starting in May 2018. The tsunami is coming, and firms would be wise to prepare.
The GDPR, on the face of it, seems fairly simple. Data subjects, including all employees, end users, customers, etc., are empowered to file a claim against an entity if their data is not protected according to the new regulations. If the claim is seen as valid, the EU has the right to levy substantial fines for violations: up to €20 million or 4% of the total annual revenue of the company. Large companies with substantial revenue could face unbelievable fines if found in violation. The shocking part of this story is that less than half of US companies (according to a recent survey by Imperva) are preparing to make the necessary changes to protect themselves from this sort of fine. The reality is that for businesses working in the EU, the time for preparation is now. Fines could be huge, and a lack of preparedness could significantly injure the company.
There are a number of important things that should happen immediately if a company wants to protect itself from the potential dangers inherent in this new law. First, companies should begin by identifying what personal data they are in possession of, based on the specific legal requirements. Next, companies should analyze how much of that personal data is currently at risk of exposure. This step requires a careful analysis of where personal data is stored within the company infrastructure, and who has access to that particular portion of the infrastructure. Finally, a company should take the necessary measures to ensure that access to those portions of its internal infrastructure is carefully secured. Failure to take these preventive steps could have serious negative consequences.
There are some third-party software options that can help you prepare for this event. IBM offers a very useful security suite called Security Guardium. The software allows you to locate the points where your personal data is at risk and then helps you fix any issues that it finds. It also allows you to monitor the activity of different users and protect all personal data from unauthorized access. Finally, it carries an automated compliance evaluation that helps managers keep a constant watch over potential threats and manage them rapidly.
With the tsunami of GDPR coming, it would be wise to start the process now. Whether companies use the IBM solution or handle it in house, the warning is here, and preparation is the key to success.