The Necessary Hassle of Data Regulations

As more and more personal and organizational data comes under threat, security measures and
legislation have multiplied. These efforts have culminated in the GDPR, perhaps the apex of all
data laws. The GDPR’s official site calls it “the most important change in data privacy regulation
in 20 years.” One journalist likened it to the all-seeing Eye of Sauron from the Lord of the Rings
trilogy.

The regulation protects anyone residing in the EU, whether an EU citizen or a citizen of any
other country. The goal of the GDPR is admirable: to unify data security, retention and
governance legislation across EU member states in order to protect its population’s data. Any
company that processes the personal data of people residing in the EU, regardless of where the
company itself is located, must comply. In other words, it’s a jurisdictional nightmare.

The regulation, which takes effect in May 2018, requires greater oversight of where and how
sensitive data—such as personal, banking, health and credit card information—is stored and
transferred. Many organizations will also need to appoint a data protection officer, who serves as
the point of contact for the supervisory authority. EU residents gain new rights, including data
portability and the right to be forgotten (erasure), and organizations must notify the supervisory
authority within 72 hours of becoming aware of a data breach.

To emphasize the importance of adherence to the GDPR, the EU has attached significant fines to
non-compliance. Organizations can be fined up to four percent of annual global turnover or
€20 million, whichever is higher. It’s important to understand that these rules apply to both
controllers and processors, which means cloud providers will not be exempt.


In light of the dire financial consequences, and with the compliance deadline just a little over a
year away, one would assume organizations are rapidly transforming their data classification,
handling and storage practices to conform to the new regulation. But The Global Databerg
Report (a 2016 survey of roughly 2,500 senior technology decision makers across Europe, the
Middle East, Africa, the U.S. and Asia Pacific) found that 54 percent of organizations have not
advanced their GDPR compliance readiness.

What’s the hold-up? The problem is that the GDPR requires organizations to address some of
their thorniest data challenges, including fragmentation of data and loss of visibility.
Cloud-based services and BYOD have only added to the confusion and, combined with the
default behaviors of data hoarding and poor management, create a “databerg” (see the report
above) that becomes as dangerous and expensive as the iceberg that sank the Titanic.

Affected organizations have three options regarding GDPR compliance. They can ignore it,
which is unwise on several levels. They can spend the next year scrambling to build the
infrastructure and processes, and deploy the personnel, needed to meet the stringent
requirements. Or they can remove the relevant data from the GDPR’s jurisdiction altogether.
Since the regulation follows the data subject rather than the location of the server, that means
taking it offworld.


9 Cyber Warnings E-Magazine February 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
