With the one-year anniversary of the General Data Protection Regulation (GDPR) just passed, it’s interesting to see whether the climate of fear, uncertainty and doubt that pervaded the cybersecurity ecosystem was justified.
Serious questions were being asked about whether companies could get themselves ready for the compliance mandate, and whether business-crippling fines would be handed out to those who couldn’t. For a closer look at how the current compliance landscape looks one-year on from the implementation of the GDPR, check out this blog we published on the anniversary date.
Companies in the USA were not wholly exempt from the GDPR. If they stored or processed data relating to EU citizens, then they were bound by the regulations. However, even a US-based company whose stored data is entirely domestic can still benefit from taking lessons from the GDPR.
Here are just a few ways I believe that the GDPR can help organizations in the US when it comes to their data security practices and processes.
The GDPR Encourages Proactive Assessments of Data Security
One of the most widely reported aspects of the GDPR is that it requires organizations to report a breach within 72 hours of discovery. The report that the GDPR requires is not a simple notification that a breach has occurred. You are required to include specific details about the breach, who was affected, consequences, why the breach happened and what you plan to do in reaction to it.
This has led to many organizations creating detailed incident response plans and regularly reviewing the state of their data security. Security practices and processes have to be developed and streamlined to the point where you would be able to provide reports to authorities with the level of detail they’re looking for.
Companies in the USA can take serious lessons from the steps you need to take to be able to report a breach within 72 hours. Do you know where all your sensitive data is, and which compliance mandates it relates to? Do you know who has access to this data, and do they need that access? Do you know what changes are being made to your data that could affect its security and integrity? Have you hired a data protection officer (DPO)? Have you got a tried and tested incident response plan?
These are all critical aspects of being GDPR compliant and critical aspects of being secure in general. Even if GDPR compliance doesn’t apply to you, proactive, regular assessments of your data security are only a good thing.
Internet of Things (IoT) is No Longer an Afterthought
Visibility into the effect that the Internet of Things (IoT) has on your data security is a primary concern of GDPR compliance. The potential attack surface has drastically increased thanks to the increasing number of connected endpoints, and this is raising significant challenges for security teams.
You can’t ignore IoT technology; it definitely has its uses. But if you’re going to introduce IoT technology into your environment, then you must be able to do so without introducing risks to your data security.
Companies in the USA can take lessons from how organizations bound by the GDPR have gone about solving this problem. Many organizations are deploying network visibility technology that allows them to get a real, in-depth understanding of the security of their network infrastructure, identifying potential weak points that attackers could exploit and reinforcing them.
Getting Ready for GDPR Can Prepare You for Forthcoming US Regulations
We have already seen the effect the GDPR is having in relation to other data privacy regulations that are being introduced worldwide. The most comparable of these is the California Consumer Privacy Act (CCPA) that appears to have taken direct inspiration from the GDPR.
US organizations should look at the GDPR and assess whether they would fall short of compliance. If you are GDPR compliant, then the chances are you will already be compliant with any new privacy regulations being introduced throughout the US.