Even though Australian companies don't have to comply with the General Data Protection Regulation (GDPR) when it comes into effect on Friday, that doesn't make it irrelevant. But compliance with the GDPR, our own Notifiable Data Breaches (NDB) notification laws and the updated privacy laws being introduced in New Zealand is not enough to ensure your systems and users are safe in today's threat landscape.
The GDPR sets rules about notification periods for data breaches, access to personally identifiable information (PII), the right to be forgotten, the ability to take your data with you when you leave a service provider, and an obligation to build systems so that they are secure by design.
The European Union has always favoured the protection of personal privacy over the rights of governments and law enforcement to snoop on our data. Its regulations for the protection of personally identifiable information (PII) have been among the strongest in the world. But the new rules under the General Data Protection Regulation (GDPR), which were adopted in April this year, become enforceable on 25 May 2018. What does this mean for Australian businesses?
There are also some really stiff penalties for non-compliance.
However, there is a danger that companies get so caught up with spending resources on ensuring they are compliant with rules and regulations that they don't target their resources where they can make the most difference. For example, the loss of data from the Target breach, which was revealed in November 2013, was substantial and resulted in the leaking of over 100 million PII records. And while there were many failures at Target, the company was compliant with the major rules of the time: it had been certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS) just two months before the breach.
Compliance is important. Boards and senior management are closely monitored on such things and non-compliance can lead to fines or even harsher legal action should something go pear-shaped.
The challenge is to integrate compliance into your security posture rather than make it a stand-alone set of rules that are managed in isolation of the rest of your infosec strategy. And, if you're a multi-national company that needs to comply with multiple regulations then there are even more challenges.
Have a focal point
The good news is the GDPR is probably the most stringent set of rules you'll need to comply with. One of the roles the GDPR requires is a designated Data Protection Officer (DPO). That person is the go-to person for GDPR compliance. That's a role that ought to exist in every organisation. Even if you're a small company, having one person as the focal point for privacy issues is helpful. Many companies have an OH&S officer - think of the DPO as providing health and safety guidance for your data.
Know what you have
I facilitate a lot of security events with major companies. And while some say they have a strong handle on what data they have, many say they struggle with "data sprawl" - where information that should only be stored in a central, managed system ends up being copied to other places for convenience.
It's important that businesses look for the nooks and crannies where data is hiding. And then ask why it's being copied around and put steps in place to assist users with meeting their business needs in a secure way.
The problem is rarely caused by users who want to simply circumvent procedures and processes. It's more likely that the existing systems don't work to support business processes.
Plan and practice your communications system
When you're looking at where your data is stored, think about who you'd have to notify if a breach occurs. Do you have contact details for all your staff and customers? How are they kept up to date? What about your communications plan for an incident? Is it up to date, and has it been tested?
Update processes and systems so compliance is easy
Compliance with the GDPR and other rules should not be about adding a bunch of new obligations to your existing business processes.
You can make systems and processes compliant without adding complexity. New rules such as the NDB and GDPR are an opportunity to look at existing processes and practices and improve them.
Rather than see compliance as a problem, it can be an opportunity.
Stay risk focussed
One of the problems a commitment to compliance can create is a loss of focus on real risks. While non-compliance with laws is a serious issue, you still need to ensure you're keeping an eye on the security risks facing your business.
Most of the new rules being enacted globally are heavily focused on PII. But protection of intellectual property, disruption of your operations by ransomware and financial loss through business email compromise remain significant issues.
Don't take your eye off the risk ball when playing the compliance game.