What is GDPR? What are the risks?
“D” Day, “Data” Day, is looming, and the General Data Protection Regulation (GDPR) leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data but does not define what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
The directive requires “appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.” Its data security requirement is to “ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.”
Sixty-two percent of respondents to a recent RSA Data Privacy & Security Report say that they would blame the company, not the hacker, for their lost data in the event of a breach. Seventy-two percent of US respondents said they would boycott a company that appeared to disregard protection of their data.
Given this brief insight into some of the possible ramifications, the gravest risk is the financial penalties associated with infringements, which can be devastating. Considered on a case-by-case basis, fines can vary from $12 million or 2% of the company’s global turnover for the previous year, whichever is the higher, to double that for second and subsequent infringements.
So, the race is on to minimize risk exposure. A PwC survey found that sixty-eight percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements, and a further nine percent expect to spend more than $10 million. Although more recent surveys, like Propeller Insights, indicate that those figures are on the high side, this may well change after May 25th, when companies start to be held accountable and the EU levies the first fines.
What precautions have you taken?
For those companies that primarily rely on individuals’ data to operate their organization, the risk factors are much higher. For companies that are not so individual-data-centric, the risks remain but revolve around more day-to-day exposures.
The four biggest “risk factors”:
- Documents or data leaving the confines of your secure system for any reason.
- Unauthorized access to, and/or copying of, documents or data before, during, and after they have been utilized for operational purposes.
- Leaving documents unsecured while at rest and in transit, making them readily available to hackers.
- No ability to ensure comprehensive accountability in the form of audit trails, document history, and automatic notifications.
To combat these, and be ready for “D” Day, your operation should be able to:
- Provide comprehensive security for, and secure controlled access to, data and documents, anywhere, anytime.
- Make this access available to users within your organization as well as to anyone outside it, facilitating much wider secure and controlled collaboration and interaction.
- Give those outside the organization view-only access by default, with pre-definable options to allow edits, and with automatic and mandatory accountability and tracking.
- Once a document is opened, limit the user to that designated document only, together with its respective metadata, collaboration comments, and history.
- Track and log all actions, regardless of the user’s level, and send automatic notifications where applicable, with this record readily available for audit.
- Prevent access to documents at rest or in transit by hackers, by providing one or more layers of encryption.
Data Defenses Ready
The ability to meet the GDPR challenge, for U.S. and European companies alike, remains a combination of defining obligations and responsibilities, then reviewing and refining operational policies, procedures, and processes to address them. Companies must learn to view risk, and high risk in particular, from an EU perspective.
This will ensure that risk areas are minimized and accountability is optimized. When breaches do occur, they will be identified as quickly as possible, reported to the responsible supervisory authority within 72 hours of the breach, and effective resolutions initiated.
All this can be achieved with Contentverse – Enterprise Document Management, incorporating Content Sentinel, in your business environment.
For more information https://computhink.com.Contentverse