The journey to GDPR compliance is certainly not going to be without its challenges – as highlighted in my last few blog posts. But once you’ve successfully hit your targets around data discovery and readiness, you will have overcome some of the most difficult hurdles.
It’s now time to implement, or enhance, your data protection strategy so that it fits with the GDPR’s strict rules.
Under Article 32 of the new regulation, organisations will be compelled to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […] including the pseudonymisation and encryption of personal data”. The same article also states that organisations must safeguard against the unauthorised disclosure of, or access to, personal data.
What’s more, Article 34 states that, if an organisation is breached but has “implemented appropriate technical and organisational protection measures […] such as encryption”, it can avoid the regulation’s breach notification requirement, as well as the resultant administrative costs and reputational damage.
Encryption, then, is critical to getting the GDPR right.
And more organisations are seeing this measure as a critical security practice to meet privacy requirements. In fact, in our most recent EU Data Threat Report, over half of UK businesses (57%) selected encryption as the top control planned to address requirements outlined in the GDPR.
While it’s certainly encouraging to see businesses understanding the value encryption has in protecting sensitive data, there is still more work to be done when it comes to implementation. This year, we revealed that just 41% of businesses worldwide have a consistent enterprise-wide encryption strategy in place – with 65% of German companies deploying encryption across the business, compared with 42% in both the UK and France.
As the May 2018 deadline looms, businesses without a consistent enterprise-wide encryption strategy in place need to start rethinking how they will protect customers’ data and be compliant.
So, here are some steps to get you started:
- Outline a pilot project, starting with a subset of customer data
- Implement an encryption or pseudonymisation tool
- Generate audit logs that show evidence of attempts to access sensitive personal data
- Where the logs show that an unauthorised access attempt succeeded, address the vulnerability that allowed it
- Conduct penetration testing of your network to identify additional vulnerabilities
Taking the time to do this now will, undeniably, work to your advantage once the GDPR deadline arrives.
As this is my final post in our ‘Journey to GDPR’ series, I hope that you now feel more prepared for the impending regulation and can confidently see the steps your organisation needs to take to ensure it is fit for GDPR.
But should you need more information on the GDPR, do check out the many resources available on the Thales eSecurity website.