Businesses of all sizes and types need, use and depend on data, and all are responsible for handling, securing and processing that data correctly. A wide range of laws and regulations already apply to data management, but from 25 May 2018 the EU's General Data Protection Regulation (GDPR) introduces more stringent standards, along with severe penalties for non-compliance. Companies that have not yet assessed their processes and practices against the incoming rules need to prepare now.

This applies to companies around the world, not just those established in the EU, and it includes the UK despite Brexit. GDPR's territorial scope covers any organisation that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour, wherever that organisation is based, and that affects companies far and wide.

GDPR on breach notification and data handling

The headline-grabbing article in GDPR concerns breach notification. Article 33 requires a controller to notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. The 72-hour clock runs from awareness, not from the point of compromise, so slow detection does not extend it; it simply leaves a company reporting on an incident that may have been running for months. That is a step-change from the situation today, where significant incidents often go undiscovered for a considerable time. Time lags have been a feature of many high-profile data breaches; in Yahoo's case, roughly two years had passed between the 2014 breach and the public disclosure in 2016 that data had been compromised.

According to Mandiant's M-Trends 2016 report, the median time from compromise to discovery is 146 days. That is the global figure; European firms take roughly three times longer than that. With GDPR looming, this is cause for concern.

Then there is the time it takes to establish the facts once a breach has been detected. Under GDPR, the notification to the supervisory authority must describe the nature of the breach, including the categories and approximate number of data subjects and records affected, its likely consequences, and the measures the company has taken or proposes to take to address it. Where the breach is likely to result in a high risk to individuals, the affected data subjects must be informed as well. Companies will therefore have to be in a position to fast-track the investigation.

Gathering that information takes a thorough investigation. Compare this with the many occasions in recent years when information about a data breach, and its implications, has come out in bits and pieces over days or weeks, and the challenge is clear. Only companies with high visibility into their data centres and a system in place to rapidly identify, assess and report on any area of concern will be able to meet GDPR's demands.

GDPR also sets minimum standards for handling and securing personal data and strengthens data subjects' rights, including the right of access and the right to erasure (the 'right to be forgotten'). Companies must provide a copy of the personal data they hold on a subject on request, and must erase it when, for example, the subject withdraws the consent on which the processing was based and no other legal ground for keeping it applies. This has significant implications for company policies and processes around the data centre.

Companies will need high-level data visibility and control

Pete Hulme, Data Centre Technical Lead at Dimension Data, says: “In many organisations, data management has grown over time; this regulation is a cogent reminder that as things evolve, companies need to maintain visibility and control of their data so that they can quickly and simply take action when required.”

Despite this, many companies do not understand what GDPR will mean for them, nor do they have an action plan in place to be ready. When the GDPR Conference Europe surveyed UK businesses, 62 per cent said they had no plans in place to prepare for GDPR, and over a third said they had limited knowledge of the regulation or of what they needed to do to get ready for it.

No company wants the reputational damage of compromised data. Once GDPR comes into effect, they certainly will not want the severe financial impact of being in violation of its measures either. With fines of up to four per cent of annual global turnover or €20 million, whichever is higher, failing to adequately protect or control data will have a serious impact on the bottom line.

Companies need to take action

To help them to be compliant, Hulme recommends that companies quickly take action to:

  1. Prepare - by getting to grips with the regulation and fully appreciating the true scale and scope of the task. It will not pay to assume that today's measures will serve for tomorrow.
  2. Assess - the data estate. Build an inventory of all the data that is held, managed and handled. Technology solutions can help with this, systematically and non-intrusively assessing the current data landscape and potential exposure.
  3. Re-evaluate - current processes and organisational models around data. They may need changing. Companies often find departments holding different views on which data should be retained, archived or deleted; this needs to be resolved before effective governance and controls can be put in place.
  4. Instigate - a transformation programme to catalogue, classify and appropriately manage all data.
  5. Implement - a system for ongoing data management and monitoring. This includes researching the most appropriate technology solution to automate as much of the continuous monitoring as possible, as well as the policies and processes governing this activity.

In recent times, a plethora of data protection measures has made for a confusing landscape. While GDPR promises some harmonisation, it also takes data management into a new era of real and substantial financial penalties for insecure data handling. To stay on the right side of the rules, companies need to prepare for GDPR with a thorough review of their data handling and the rigorous implementation of whatever organisational, technological or operational changes that review identifies.

As well as safeguarding companies, a rigorous approach to preparing for GDPR will enable them to take advantage of the opportunity it represents. Businesses depend on data, for their operations and for competitive differentiation and advantage. That dependency needs to be recognised by investing time in ensuring modern and effective data management and control practices and procedures are in place. In the long term, these can pay dividends, as well as protect against penalties or reputational damage from breaches.

This article was brought to you by Dimension Data.