As if PCI, SOX, HIPAA, GLB, and all the other alphabet-soup regulations aren’t enough to bog down your security program, we now have a new one rearing its ugly head. The new regulation is the European Union General Data Protection Regulation – or GDPR – and it applies to most of us, whether we like it or not… or at least it will apply to most of us when it kicks in in early 2018.
In general, GDPR aims to provide citizens of the EU with clear and understandable information with regard to the processing, storage, use, and above all protection of their personal information by the organizations that possess and process it. One major factor of GDPR, and perhaps the most challenging for IT organizations, is the requirement to notify both individuals and the relevant data authority “without undue delay, where feasible within 72 hours if data is unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorized persons, where there is a risk to individuals’ rights.”
What this all means is that if you store, process, or transmit personal data on citizens of the European Union, you are required to abide by GDPR – even if you are not a European-based organization. In other words, if you have customers that are EU citizens, you’d better pay attention to this regulation.
We recently sponsored a worldwide survey to gauge organizations’ knowledge, preparedness, and perceptions of the regulation. Without fail most organizations we asked lack sufficient knowledge, don’t feel prepared, and have many misconceptions about GDPR.
The problem is that outside of the EU, very few organizations feel informed or prepared to tackle this new regulation. And those in the EU, although they know about GDPR, mostly don’t feel they are ready. The survey did, however, reveal a light at the end of the tunnel. The organizations that felt most prepared for GDPR shared a few common security technology competencies that supported their confidence. Really, it’s about doing the things we all should be doing anyway, but doing them with a little more rigor, additional oversight, and by breaking down silos wherever possible.
If you’d like to see the full results of the survey, click here. If you want just the highlights, check out our infographic, and if you want insight into which technologies and practices are most likely to help you achieve GDPR compliance, check out our eBook.
We’ve survived the alphabet avalanche before, and we can survive the addition of GDPR now; we just have to be smart about it.
For a complete explanation of IAM’s role in GDPR compliance visit our resource page.