Security Compliance and GDPR in the EU

In this post, we will discuss the importance of security compliance and the General Data Protection Regulation (GDPR) in the European Union (EU). We will explore the significance of going beyond the minimum legal requirements to ensure data security and the potential repercussions of failing to do so.

Adhering to recent GDPR and other legislation is a good start, as this may assist your organization in avoiding potential heavy fines or penalties. But is ticking boxes really enough?

The wording used in the legislation can often be quite vague and provide a fair amount of leeway in interpretation when fines and penalties are applied. It makes good business sense to ensure applied security measures exceed legal requirements.

As a society, we are entering the fourth Industrial Revolution, the Information Age: technologies spanning hardware, software, and biology, with an emphasis on advances in communication and connectivity.

Organizations today are collecting and storing an enormous amount of data. Much of this data is provided either implicitly or explicitly by customers, staff, and other external third parties and may be personal or confidential in nature. This data needs to be protected from theft and corruption by cybercriminals!

Cybercriminals are persistent and innovative. The techniques they use are forever evolving and changing; they will always remain ahead of slow-moving legislation that's designed to stop them. It’s imperative to have your IT Security assessed on an ongoing basis. Cyber Security is not a once-off activity.

It is the social responsibility of companies to go beyond minimum legal requirements to ensure that the data they collect and store is not just legally secure but is as secure as can be. We need to set a higher standard of internal compliance. Cybercriminals don’t care about legal minimum requirements.

The question we need to ask is not “Are we compliant?” but “Are we secure? Is our data as safe as can be from the latest threats?” This question causes us to pause for a moment and reflect on another question: “What are the latest threats?” We cannot defend against the unknown.

What Types Of Privacy Data Does The GDPR Protect?

  • Basic identity information such as name, address, and ID numbers.
  • Web data such as location, IP address, cookie data, and RFID tags.
  • Health and genetic data.
  • Biometric data.
  • Racial or ethnic data.
  • Political opinions.
  • Sexual orientation.

Information Security Is NOT An IT Responsibility

Information and data security are separate issues from your day-to-day IT issues. Think of your data as a library; the librarian is responsible for the tracking, sorting, and storing of data, but you wouldn’t expect the librarian to be the security guard too.

To truly understand your current data security vulnerabilities, you will need the services of an independent Cyber Security Specialist. Even if you do have an internal CSO, an independent neutral third set of eyes is always a good idea.

Why Is IT Security Compliance Important?

A data breach or hack may not only have immediate financial implications but could also result in further repercussions for the business from which your organization may never recover.

Any breach or loss of data must now be reported to the Data Commissioner within 72 hours of the event. The news of the breach may reach the public domain, leading to a loss of reputation and future business, based on the findings of the RSA report below.

An alarming statistic for companies that deal with consumer data is the 62% of respondents to the RSA report who say they would blame the company for their lost data in the event of a breach, not the hacker. This is a clear message from your customers: if we give you our information, we expect YOU to keep it safe.

The report also shows that consumers will not easily forgive a company once a breach exposing their personal data occurs. 72% of US respondents said they would boycott a company that appeared to disregard the protection of their data. Can your organization afford to lose 72% of its customers?

Fifty percent of all respondents said they would be more likely to shop at a company that could prove it takes data protection seriously. Going above and beyond the legally required minimum compliance is a powerful marketing message that your organization can leverage.

According to the report, 41% of respondents said they intentionally falsify data when signing up for services online. Security concerns, a wish to avoid unwanted marketing, or the risk of having their data resold were among their top concerns. We need to be open and honest in our dealings with clients regarding what information we collect, why we need it, what we do with it, and how we keep it safe.
