We’re now entering the final “25 Days of GDPR” countdown; and by May 25th your organization must be compliant with all of the General Data Protections Regulations (“the GDPR”) or face stiff penalties for non-compliance. Although the regulation is technically only applicable to data of EU residents, because of the very nature of online services, pretty much ANY organization with a public website will need to comply to some extent.
There’s almost no doubt you’ve read about the GDPR ad-nauseum in the past few months, probably years. But in the countless pages and articles written on the subject, there is a lot of scare tactics, but very little actionable suggestions. There is no one “magic bullet” you can buy and install that will give you 100% GDPR compliance. The privacy regulations must be tackled on many different fronts, with a variety of technologies, settings, and policies. In these final 25 days to compliance, there are a few easy steps you can still take to safeguard your organization:
- Know Your Data and Your Providers: Simply being able to track down where your customer or visitor data is stored will go a long way to protecting it. This includes all logs, backups, and 3rd party services providing storage, metrics or other analysis services. Make sure you have an agreement in place with these 3rd parties and understand how they comply with the GDPR. For example, Google Analytics offers a GDPR amendment to their standard agreement which you can choose to add to your account.
- Protect Your Data, At-Rest: As a basic start, all mobile devices used to conduct business need to be encrypted. Full-Disk Encryption (FDE) is the easiest way: many mobile platforms offer this as a built-in option, and tools like BitLocker for Windows make it easy to apply FDE to your laptop. Going further, your On-Premise server infrastructure must have proper security and access controls in place to control both physical access and network access. Your cloud online services similarly must have the same protections. Now is a great time to have a conversation with all your cloud providers to determine how and where your data is stored and what access controls are in place. Also make sure you fully understand how ports and protocols are locked down.
- Protect Your Data In-Transit: If you’re in a regulated industry like financial services or healthcare, this is something your organization should already have on lock-down. But this new regulation may be the final push that the executive team needs to justify the time and expense of applying additional safeguards to your in-transit data. Article 32 states that both the data controller and processor must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including…encryption of personal data”. Yes, you can argue that there is not a strong enough risk to require encryption of your communications, but would that argument satisfy a judge, or your users? With the easy availability of secure transmission protocols like HTTPS for web, SFTP and SCP for file transfer, and STARTTLS for email, there really is no justification to transmit any personal data in the clear, no matter the sensitivity or risk.
GlobalCerts offers a turn-key solution to ensure your email communications are secure. You can tailor the level of security depending on the threat profile: From server-to-server TLS to provide simple but secure protection, to more sophisticated S/MIME signatures and encryption with your business partners. Our advanced Data Leak Prevention (DLP) technology allows you to scan all outbound mail for sensitive user information and automatically block its release, or encrypt it. With an estimated 56% of data breaches in healthcare arising internally, mostly from human error or data misuse, DLP is becoming an absolute must.
Council of the European Union (2016, April 6) General Data Protection Regulation. Retrieved from http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
Verizon, (2018, April). 2018 Data Breach Investigations Report, 11th edition. Retrieved from https://www.verizonenterprise.com/verizon-insights-lab/dbir/