This subject will address different demands within the compliance rules that all global companies should follow.
Privacy is not a new topic for the security industry, especially with the digital transformation and the multiplication of connected devices able to collect information about their users. However, with the European Union's General Data Protection Regulation (GDPR), this topic is now in the market's focus.
Even if your company has no operations on that continent, with globalization it is reasonable to assume that at least one of your clients is a European citizen; consequently, the data protection requirements can apply to your business if you collect, store or process data about a natural person from one of the countries of the European Union.
One of the main points of the GDPR data protection rules is transparency.
Data is sovereign
It is not possible to think about transparency if your company does not know what to be transparent about. In other words, without knowing the data, it is impossible to protect it and respond to the requirements of GDPR or any other data legislation.
Knowing the origin of the data is a requirement for an efficient security policy. Therefore, before thinking about classifying data to meet GDPR, it is important to classify data as part of your company’s secure service to customers.
To achieve full reporting capability with the transparency the regulation demands, it will be important to carefully manage the data collected. This means classifying it, keeping detailed records of all processing, and maintaining a retention schedule. Remember that data cannot be processed without the consent of its holders.
Data management will be critical and will determine how quickly companies can report whenever necessary, whether to regulatory institutions or to users protected by GDPR, who are entitled to obtain a copy of the data recorded about them.
To manage data correctly, companies will need to invest in technologies that allow them to comply with the rules of the regulation. This is one of the great challenges for the whole market. Only 7% of companies comply with the GDPR.
The adoption of information security controls will be indispensable. Companies that do not yet have well-defined security policies will need to drive this transformation, because policy must guide which controls are appropriate to protect data, how to classify and store it, and how to keep logs.
Which controls are appropriate to protect the data of your customers? Each company will need to assess what types of data it manages to get the answer. However, some controls are common, considering the frequent forms of acquisition and storage of data:
- Encryption – This technology enables active protection for applications, protection for data at rest in storage, and protection for data in transit (for example, over VPN networks). It is crucial to protecting information;
- Protection for Web applications – With the massive presence of companies on the web and the use of cloud services, it is important to adopt systems for application control, intrusion prevention and Web application scanning, and to keep protocols (SSL/TLS) up to date;
- Log consolidation – To facilitate the GDPR compliance process, as with other standards and legislation, log consolidation technologies can streamline the reporting process.
A key point for data security will be the careful management of service providers. The collection, retention and processing of data as expected by GDPR will consequently affect the sharing of data with third parties. Therefore, responsibilities for data protection and data use should be made very clear in the contract.
For example, your company controls customer data and needs to share this data with a carrier for delivery of a product or document. The vendor processes the customer's data to complete the cycle. It is vital that both parties work together to define how this cycle can be implemented within the rules of the regulation.
In fact, both the controller and the processor of data can be held responsible for violating GDPR. However, in the position of controller, it is essential that your company follows this subject closely: even if a supplier suffers a security breach, your company will be held liable.
Tip: Just as classifying data is crucial to comply with GDPR, classifying your vendors is crucial to raising data security. Know which data is shared with each provider, how sensitive that data is, and so on. Then, develop strategies to manage external service providers.
Debate on how to meet GDPR requirements is still needed. In any case, remember that this regulation will influence the corporate mindset around the world towards respecting information security. This will be the great transformation promoted by the regulation. To provide data privacy and transparency, it will ultimately be mandatory to view cybersecurity technology as a great ally capable of protecting infrastructures, devices, users and corporate data more comprehensively.