The new GDPR (General Data Protection Regulation; see the full document here) issued by the EU earlier this year raises many questions among compliance and privacy officers. Who is required to comply with the GDPR, and are companies really expected to revamp the entire way they handle customer privacy?
What exactly is GDPR?
The word “GDPR” seems to create a sense of frustration among compliance and privacy officers – understandably so.
The GDPR (General Data Protection Regulation), issued by the EU earlier this year, completely changes the way organizations handle their customers’ sensitive data. Considering that some companies have dozens or even hundreds of applications containing sensitive data, this will have a huge impact on their budget and plans for 2017.
But are companies really expected to revamp the entire way they handle processing and customer data in less than two years?
Well… not necessarily.
With a deeper understanding of GDPR, it is indeed possible to be ready for the GDPR before it officially goes into effect and without reconstructing the entire way the organization handles customer information.
The first thing to understand about the GDPR is that it is, essentially, aimed at protecting personal data, mostly individuals’ private information obtained as part of doing business. This means, first and foremost, that any organization must be compliant with the GDPR if it holds any private information on EU persons.
Yes, even if the organization itself is not based in the EU.
Second, the GDPR regulation itself focuses heavily on the processes applied to personal data.
GDPR directs organizations to make sure that personal data processed (or viewed) will be maintained and kept only for the original purpose, and that the data subjects have given explicit consent.
To make sure all guidelines are met, the regulation requires organizations to construct processes that ensure all data is handled properly.
The organization is required to purge data when not needed, or when explicitly requested by the data subject.
In addition to the private data handling processes that organizations are required to construct, there are several other domains they need to address technically in order to protect data by default and by design.
For instance, Identity and Access Management, Pseudonymization/Encryption, deletion/erasure (the right to be forgotten) and more.
Naturally, without a proper solution, organizations would have to undertake great changes to their applications to apply proper identity and access controls, permission management and full audit, so that all sensitive data held in their systems is both protected and fully audited to the level required. This would be frustrating indeed, to say the least.
Alternatively, the ideal GDPR solution would allow full compliance with the requirements in the above domains with minimal changes, so that it is relatively easy to implement, does not require a complete infrastructure revamp of the applications and the business, and can be deployed quickly so organizations can be compliant in time, without the risk of being fined.
Effect on the cybersecurity industry
One final note: implementing GDPR requires substantial resources and managerial attention. The focus on complying with GDPR is expected to divert resources and attention from “classic” cybersecurity product procurement, and as a result we foresee that smaller cybersecurity companies will face greater difficulties selling to EU organizations in the coming years; the attention and willingness to examine and purchase new solutions will simply be elsewhere.