GDPR (the General Data Protection Regulation) goes into effect today, May 25. You’ve probably been receiving a stream of notifications from numerous companies announcing updated privacy policies or asking you to re-confirm your subscriptions to their email lists in light of the new regulation. The regulation, adopted by the EU in 2016 and now enforceable, is intended to protect personal data and give individuals in the EU increased control over how their data is collected, used and stored. It’s important to recognize that the regulation does not apply only to businesses in EU member states, but to any organization that processes the personal data of people in the EU, wherever that organization is located.
While many organizations have been preparing for months, some may still be unsure what is required or how to ensure they are complying with the new requirements. The regulation sets rules for protecting personal data and sets massive potential fines for failure to comply: the maximum fine is 4% of the organization’s global annual turnover or €20M, whichever is greater. From a security perspective, GDPR requires that data controllers report personal data breaches to the supervisory authority within 72 hours of becoming aware of them. Meeting this requirement may prove difficult for organizations that do not discover breaches until weeks or months after they occur because they lack the security visibility to detect and alert on potential incidents as they happen. A 2017 Ponemon study on the Cost of a Data Breach found that it took US companies an average of 206 days to detect a data breach. That is a troubling statistic. It points to companies not taking the necessary steps to monitor their information security, and struggling with the resources, people, or tools needed to identify problems in a timely manner and mitigate the impact.
Does your security program align with GDPR requirements? To help you better understand what’s required and the areas where Cygilant can help, we’ve put together this free workbook: