May 4, 2018

May the fourth (and the 25th) be with you

Carl Leonard Principal Security Analyst

Today, May 4th, I write this article to stress that we are just three weeks away from the date that General Data Protection Regulations (GDPR) will be enforced. I hope that organisations around the world are making their final preparations to be ready for the 25 May 2018 milestone in privacy legislation.

What better day, May the 4th, to take inspiration from Star Wars as we continue our GDPR journey.

“Ready are you? What know you of ready?”
      — Yoda to Luke Skywalker [The Empire Strikes Back]

The good news is that organisations have been making preparations in readiness of GDPR for many years. Some may have been working towards the May deadline for months but are making good progress in increasing the transparency of why they collect and how they process personal data, are understanding the data they do hold, how to secure it and how to respond to a breach.Others may not be so ready if a breach were to happen whether tomorrow or post-May 25th. The key to GDPR is that the May 25th date should not be seen as a deadline.  Organisations will need to continually adjust and improve their security going forwards as an increasing number of privacy and data security regulations come to bear.

Within the business community I feel a profound sense of urgency building around GDPR.  While at conferences this year I see many entities both small and large struggling to rush out enhancements to the visibility of data and the security of that. Many are now realising that the reach of GDPR is broader than the EU countries out of which the regulations originate.  If you hold data on European residents you must adhere to GDPR wherever your headquarters or datacentres might be located.

While there remains uncertainty around the consequences of being in breach of the GDPR requirements the potential impact of fines as much as 4 percent of global revenue has spurred action across legal teams, IT teams and newly appointed Data Protection Officers. As organisations notify their supervisory authority of breaches post-25 May their peers will be looking closely at the penalties issued and the reasons why.

We know that grey areas exist within the GDPR text.  It is no secret that the phrase “adequate” occurs multiple times but what constitutes an “adequate level of data protection” has yet been put to the test.  For those who haven’t yet made progress towards GDPR I urge you to carefully consider the implications on your business if found to be at odds with the ethos of GDPR.  Many businesses are now showcasing their GDPR-readiness to their customers in public ways such as via communication requesting those customers re-subscribe to items such as newsletters and check the personal data that is being held and processed.  Now is a good time as any to do this if you have not already.

GDPR has become a board-level discussion due impart to the potentially damaging consequence of fines incurred if found in breach of the regulations, the need to demonstrate a respect for privacy and client’s personal data and the desire to move to a higher plain of privacy and data protection.

To be ready for GDPR demands an appraisal and enhancement of people, process and technology.  As much as we would like there is no one technology or one supply chain tweak that will provide what you are looking for.  Only a holistic approach taking into account user education, an understanding of your supply chain, your data flows, your malware prevention capabilities and your data loss prevention capabilities (to name but a few) will put you in the right state of GDPR-readiness.

Once the mind-set to protect people’s personal data and be transparent about its use has been adopted across an organisation it becomes much easier to aspire to ever greater pinnacles of security.  GDPR, a significant milestone in consolidating the differing regulations across multiple countries, is likely to herald a new era of privacy regulations that will continually shape and improve how we all do business.

Do or Do Not - there is no Try

Possibly one of Yoda’s most famous quotes across the Star Wars movies we can apply this directly to GDPR.  It has become necessary for organisations to commit themselves fully to protecting the privacy of their clients and securing their critical data and intellectual property.  Drivers such as GDPR do not come around that often so I hope that organisations around the world take the initiative.

If you need further information on how Forcepoint can help you please see our GDPR Resource Pack.

May the Fourth Be With You.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.