If you’re reading this, there is a good chance that you’re keenly aware that Europe’s impending General Data Protection Regulation (GDPR) is just around the corner. In fact, at the present moment, those of us residing or processing data in the EU have just five months to get our complex, data-rich houses in order and adhere to new data processing and handling requirements set forth by the GDPR.
Here at Dtex, we find ourselves at an interesting intersection – as both an organization with a strong business presence in Europe and a diverse customer base comprised of global enterprises, and a security provider with capabilities integral to meeting critical new data security and protection requirements.
We’ve been working closely with several customers and prospective customers over the course of the last year to serve as a resource and collaborator in carving the path to compliance. While there have been many noteworthy discoveries made throughout this process in working with businesses of all types and sizes, what I’ve found particularly encouraging is a significant effort and investment in a critical first step: information discovery and mapping. What’s been equally compelling, however, is the emergence of a consistent pattern: this completion of step one, rather than leading to a step two, results in a state of paralysis due to guidelines that are largely subjective and the absence of a clear, one-size-fits-all solution.
And this certainly isn’t unique to this particular group of organizations we’ve been working with; in fact, it seems widespread confusion and uncertainty have found a majority of companies either quite unprepared for this milestone, or falling prey to a false sense of confidence. A survey of global organizations released just a few months ago found that only 10 percent of respondents – including those in the UK – believe their company to be 100 percent ready and GDPR compliant. Additionally, a staggering 37 percent of respondents reported that they still didn’t know whether they needed to comply with GDPR while 28 percent were fairly certain they have no need to.
This gap in knowledge and preparedness, while initially alarming, is actually quite understandable from our perspective. As alluded to earlier, GDPR requirements in their current form are by no means what should be considered a detailed, prescribed action plan. The notion of ensuring security is ‘appropriate to risk,’ as Article 5 calls for, requires both a thorough understanding of your organization’s unique information security needs and the ability to prioritize those needs by weighing the level of data sensitivity alongside a perceived level of vulnerability.
It’s worth re-emphasizing that going through the process of information discovery is hugely important. The only way to safeguard all potential sources of sensitive and identifiable information, after all, is to have a comprehensive understanding of what’s being collected, where it’s being stored, and who it’s being shared with. But merely knowing where data enters and subsequently lives is not sufficient when it comes to proving compliance, and is just one small piece of the data security and protection puzzle.
In a majority of cases, the transition to a risk-based framework – if done right – requires the complete reprogramming of enterprise security posture… which sounds overwhelming at best, and utterly crippling at worst. But we believe that the GDPR presents the opportunity to rewrite your security agenda for the long term, as a core element of your business strategy, rather than zeroing in on a quick fix for achieving the short-term goal of compliance.
So perhaps unsurprisingly, we find ourselves emphasizing the same foundational principles when it comes to achieving GDPR compliance that we underscore in broader discussions around establishing a comprehensive enterprise security defense system: a layered approach, focused not just on prevention but also detection and mitigation, with solutions proven to be both sustainable and scalable, and capable of delivering actionable intelligence.
Because just as threat landscape is evolving at a rapid rate, faster than we can keep pace with, new compliance regulations and security requirements will only continue to multiply.
**GDPR compliance is a highly complex subject, and there is certainly much more ground to cover when it comes to data protection and security. We hope you’ll check back over the next few months as we dive into a number of more pointed subjects and continue this ‘GDPR Countdown’ series.