The GDPR, which came into effect in May this year, has been off to a slow start, it would seem. As it stands, the largest fine issued by the Information Commissioner’s Office (ICO) was £500,000. Although Facebook came under a lot of fire over the data breach in which Cambridge Analytica scraped the personal information of more than 50 million Facebook users, this happened before the GDPR came into effect.
Even though significant data breaches have taken place since May, such as the British Airways breach, where approximately 380,000 payment cards were compromised, we are still waiting for more details about how the regulators will proceed in dealing with it.
Given that fines under the GDPR can be as much as 4% of annual turnover, BA could potentially be facing a fine of as much as £500 million.
Just because no major fines have made the headlines doesn’t mean that there is no cause for concern. While the regulators themselves have been relatively quiet, data subjects have elevated rights under the GDPR, which allow them to pursue legal action against data controllers. As a result, a large number of lawyers have already filed complaints against companies such as Facebook and Google, and many of these complaints are yet to be resolved.
So, Should You Still Be Concerned?
Well, given that we are only 6 months in, it is still too early to predict what will happen in the years ahead. Ultimately, it would be wise not to underestimate the potential impact of the GDPR. Providing a detailed summary of the actions that need to be taken to ensure compliance with the GDPR is beyond the scope of this post. However, as a minimum, there are some basic questions that every organization must be able to answer, which include:
- Do you know where your sensitive data is located?
- Are you able to access this data and respond to user requests in a timely manner?
- Do you have policies in place which determine who should have access to this data?
- Do you know when this data is being accessed, and by whom?
- Have you set up real-time alerts that inform you of changes made to your sensitive data?
- Do you have a means by which to automatically remove inactive/redundant user accounts?
- Are you able to detect unauthorized mailbox access?
- In the event of a data breach, are you able to generate reports which provide a detailed analysis of the events that took place prior to the breach?
What Should You Do?
If the answer to any of these questions was “no”, then it would be advisable to take action before it is too late. If you haven’t already done so, you will need to implement a solution which enables you to automatically discover and classify a wide range of data types, including Social Security numbers, payment card details, and any other PII that you store.
Some solutions will automatically encrypt or redact the sensitive information. Likewise, you will need to implement some sort of DCAP (Data-Centric Audit & Protection) solution, which can detect, alert, report and respond to suspicious events and patterns of behaviour.
Some DCAP solutions have built-in data discovery and classification tools. They can also detect and manage inactive user accounts, remind users to reset passwords, and detect events that match a pre-defined threshold condition, such as multiple failed login attempts or bulk file encryption. Finally, the most sophisticated DCAP solutions are able to generate a wide range of customizable reports, which can be presented to the supervisory authorities as and when required.