Navigating the complexities of GDPR
By Justin Chiah, Senior Director and General Manager, Southeast Asia & Taiwan, Aruba
We have all read it in the news: the General Data Protection Regulation (GDPR) will be enforced on 25 May 2018, and it has stirred waves of confusion and concern across the European Union (EU). Now, as more information on GDPR has spread across the Atlantic Ocean to the shores of Asia Pacific, we are seeing a ripple effect, with more businesses in the region sitting up and taking notice.
And with good reason. A data breach that exposes a failure to comply with GDPR may cost a business a hefty fine of up to 4 percent of annual global turnover or US$24.63 million (whichever is greater).
The GDPR looks to harmonize data privacy laws across Europe and to protect the Personally Identifiable Information (PII) of EU individuals, regardless of where in the world that data is stored. A single EU-based customer with personal information in any business database is enough to require that organization to be GDPR compliant, even if it is a small business. This means that the need to be GDPR-compliant by the stipulated deadline is not limited to EU-based businesses; it affects businesses globally.
While it seems like businesses in Asia are starting to pay more attention to the coming GDPR implementation, a recent study conducted in April 2017 reported that more than half of businesses in Singapore, Japan and South Korea are among the least prepared for the upcoming data privacy laws. In fact, 56 percent of Singapore-based companies are worried that they would not be able to meet the deadline for GDPR compliance.
What should businesses in Singapore and Malaysia do?
The GDPR can prove daunting, given that it sets out to reshape the way organizations across the world approach data privacy. As such, we have identified key issues and steps organizations can take to safeguard their customers' data and be on the path toward GDPR compliance:
- Assessing risk of breach
While no single product or combination of security solutions will guarantee a 100 percent breach-free future, all businesses need to kick-start their journey to GDPR compliance today by conducting a thorough data audit of both online and offline activities, assessing whether their websites directly offer goods or services to individuals in the EU. Should any personal data of an EU individual be detected, businesses need to ensure that sufficient funds and personnel are set aside to see the journey to compliance through to completion.
- Appointing a Data Protection Officer (DPO)
Part of being GDPR-compliant includes appointing a DPO to sit at the crossroads of business process, IT systems and security. The DPO needs to have a firm understanding of the GDPR regulations, as he or she will be responsible for monitoring the compliance of the business, facilitating and reviewing data protection impact assessments, and providing a central point of communication and mediation in the event of a data breach.
- Prioritizing an always-on security strategy
The GDPR stipulates that businesses must adhere to a strict and mandatory 72-hour personal data breach reporting rule. This should then be followed by a plan of containment and remediation, in the hope of avoiding significant penalties. With recent advancements in security technology, businesses can get some help in expediting this process: through continuous monitoring and advanced attack detection software, they can assemble and communicate critical information about a breach in a short period of time.
With increasing mobile access, organizations need to ensure that proper access is maintained to tightly control who and what is authorized to access personal information. A reliable network access control (NAC) and policy management solution ensures discovery, role-based access to IT assets and closed-loop, policy-based attack response.
The WannaCry and Petya attacks that happened last year are an indication of how sophisticated attacks are now designed specifically to evade traditional security defenses. Singaporean and Malaysian businesses should introduce an additional level of monitoring that complements existing defenses, one that utilizes new types of attack detection, such as machine learning, to find small changes in behavior indicative of an attack.
As networks continue to grow exponentially, IT systems are struggling to keep up. GDPR is just the beginning of a bigger security concern that is never going to go away. More importantly, even without the implementation of the GDPR, businesses should aim to adhere to its guidelines for the safety of their customers' and employees' data.