Brexit or bust: What does it mean for data?
What’s the latest on Brexit? When the UK government triggers Article 50, it will signal the start of the official two-year countdown until the UK leaves the European Union.
While there are still many unknowns in regards to geopolitical policies and legislation that will be created, annulled, or abolished post-Brexit, the UK government has given away one handy hint when it comes to the now-infamous General Data Protection Regulation (GDPR).
This means that from May 2018, when the UK is still an EU member, the GDPR will be applicable to UK businesses. And, even when the UK exits the EU in 2019, an identical version of the GDPR will also be enforced.
Needless to say, this isn’t good news for UK organizations that have been burying their heads in the sand, hoping that this pesky EU legislation will just go away post-Brexit. Unfortunately, these rules aren’t going anywhere. It’s time for companies to wake up to the consequence of data negligence regarding the GDPR. This isn’t just infosecurity providers scaremongering for sales, and it’s not a ‘potential’ occurrence like the Y2K bug, this is actually happening.
Get your ducks in a row, or get fined
Should a sensitive data breach occur under the GDPR, the European Data Protection Board (or likely the Information Commissioner’s Office, post-Brexit) will evaluate whether the affected company has been negligent in its data protection operations and the level of compensation a company must pay affected parties—which can reach €20m or a fine of up to four percent of its global turnover. Not a pretty thought for the C-suite, which by nature is tasked with mitigating risk.
Concerningly, according to Code42’s 2016 Datastrophe Study, in which over 400 UK IT decision makers (ITDMs) were surveyed, 50 percent of them acknowledged that the security measures they have in place currently will not be enough to meet GDPR standards.
How to become compliant
The first step is for an organization to know what kind of data falls under GDPR protection, where it is stored, and for how long it should be kept. Moreover, what is the best way to secure it, to what extent that data should be backed up, and how to prevent any leaks from the inside of the company. Simple, right?
The implementation of the right endpoint security stack is vital—one that takes into consideration first-line defense, such as intrusion detection systems and antivirus solutions, right down to last line defense, to easily remediate and recover should a breach occur. The right solution is an important advantage given the number of people and devices accessing potentially sensitive corporate information.
Also, enterprises should create internal policies that promote accessibility and flexibility with approved solutions, without locking the enterprise down to the point of stifling productivity. Employees play a big role regarding the sanctity of corporate information. That is why it is vital to train and educate your staff about possible intrusions, how they can secure data themselves, and how to avoid being tricked into leaking sensitive information.
Taking these precautions will allow an organization to gain control of its own information and ensure that the CIO’s overall focus is on increasing profit and expanding technological reach, rather than worrying about the safety of the zeroes and ones.
(About the author: Nic Scott is managing director/UK at Code42 and a member of the Cloud Security Alliance. This post originally appeared on his CSA blog, which can be viewed here).