Eight Ways CSOs Can Prepare For European Union GDPR Compliance
Believing the misconception that compliance and security are the same thing can have a significant negative impact on an organization's security program, and on its business overall. The European Union's General Data Protection Regulation (GDPR), set to take effect in May 2018, will affect any organization that does business internationally, and it is shedding light on the fact that current corporate security infrastructures do not facilitate both security and compliance. Within the next 12 months, businesses will need to increase their security measures to protect corporate information as well as employee and customer data effectively. In this eWEEK slide show, Citrix Chief Security Officer Stan Black explains why and offers eight tips to help organizations improve their overall security while at the same time ensuring they are compliant.
Make Lesson Plans
According to a global survey from Citrix and the Ponemon Institute, 67 percent of organizations are aware of the GDPR, but only half have started to prepare for it and allocated budget. Enterprises need to take a deep dive into the technical and organizational measures the regulation mandates, including data minimization and controls around data protection, processing, storage, collaboration and accessibility.
Build Your Roster
The survey found the GDPR will have a significant and negative impact on business operations. As such, to ensure their organization is not scrambling in May 2018 to meet the GDPR requirements, CSOs need to make it top of mind and enlist all necessary parties from the finance, compliance and security departments during preparation.
Settle on a Definition of Privacy
The GDPR is being instituted to ensure organizations better protect personal data from damaging data breaches. The need for user privacy as a driving force for compliance represents a turning point in the security and technology industries. Therefore, key business stakeholders must agree on what privacy means to the organization and shift their mindset to improve their overall security infrastructure.
Look Beyond Security-Specific Solutions
While organizations may want to invest in new security technologies to meet compliance regulations, they also should consider IT investments that influence how sensitive corporate and customer data is transferred. If an organization allows employees to BYOD (bring your own device), for example, centralizing applications and data in the data center or cloud can help ensure business-related information is not stored on a device.
Consider the Effects of Emerging Technologies
As artificial intelligence, machine learning, internet of things and other emerging technologies prove useful in an enterprise environment, organizations must factor them into their overall GDPR compliance strategy. Their non-traditional data-collection methods could inadvertently expose data that should be protected. Conversely, IoT-enabled devices could provide contextual data about users that can help an organization better harden its infrastructure.
Keep an Open Mind
The survey found more than half of businesses are concerned about the increased global effects GDPR will bring. That said, organizations should not drop all other security projects in the works. Organizations must consider different ways to improve their overall security architecture, such as working secure coding practices into the development cycle for business applications and educating the workforce on security policies and best practices.
Don't Become an Example of Security Inefficiency
The first organization to be caught in violation of the GDPR won’t get a free pass, facing penalties of up to 100 million euros. That’s why 65 percent of global businesses are most concerned about the financial implications of these regulations, according to the survey. Companies should plan for the worst-case scenario and take a strategic approach to find comprehensive solutions that fit their business needs.
Set Clear and Measurable Goals
As with any new framework, organizations should create a clear checklist of goals, success metrics and a corresponding timeline to stay on track with their overall compliance and privacy strategy. While May 2018 is a year away, one small misstep might mean a compliance and budget headache or setback.