Last week, in the wake of charges against Cambridge Analytica, as well as its collection of call and text histories on Android phones, Facebook announced changes in their privacy configurations and UI. These changes are designed to deliver more information and greater transparency to end users around management of their personal data. As a result, many are now contemplating how companies in general utilize, mine or manage personal information. And as GDPR regulations take effect in the next 60 days, practices on handling personal data will be subjected to stricter legal requirements.
GDPR requires any company processing, storing or utilizing data related to EU citizens to adhere to new laws, which could result in citations and fines if found non-compliant. Those fines could be up to 4% of your global revenue. This requirement applies to both public and private companies that handle any information for EU citizens, not just companies located in Europe. Any breach of this data will require organizations to report within a 72-hour window, which is a short runway for a complete response, and to have a remediation plan.
As these regulations take effect, EU citizens and organized parties will cite these requirements and request to be removed from the inventory of data. Facebook has taken a good first step in preparing to give users transparency; it will be interesting to see whether similar organizations follow suit. In addition, we may start seeing easier ways for end users to request that their information be removed from an organization’s entire data landscape, rather than just the ability to opt out of contact lists.
Most modern environments are extremely dynamic, and it is challenging to control data flows within them, especially given the expanding landscape of applications with cloud storage. Salesforce.com, Workday, and even modern Agile software development tools such as Atlassian Jira store data within a cloud environment. Many IT organizations manage environments where people work from mobile devices for the majority of their day, such as sales teams, field technicians and support, maintenance teams, and insurance providers. Now imagine you have to isolate where personal data is flowing within all of that data as it is stored on and moved across devices and through clouds. Preparing for GDPR can be a challenging undertaking, and it’s hard to know where to start within this complexity.
Forcepoint is working with organizations every day to help them prepare for these regulations – through discovering and identifying personal data within your business, protecting it through managing those data flows, and driving rapid response to breaches through investigating, reporting and remediating.
Companies will prepare for GDPR either proactively or reactively, and legal cases may revise the requirements over time. But given the potential hazards, creating a plan to prepare for these regulations to take effect seems like a great first step.