IT asset management

THE CLOCK IS TICKING…

With the new European General Data Protection Regulations soon due to become law, many businesses will need to look closely at how they protect their data throughout the course of its lifecycle.

Any business that stores data on EU citizens will become subject to the new European General Data Protection Regulations (GDPR), to take effect by early 2018. Even the UK, post-Brexit (voting wise, at least), must comply. This has the potential to impact a broad spectrum of both EU and international companies. With the potential for huge fines (up to 4% of global turnover), will this see companies becoming more mature in their attitudes towards data protection and, if so, what methods will they need to adopt to achieve regulatory compliance?

Richard Brown, director EMEA Channels & Alliances at Arbor Networks, says that the main barrier with the EU GDPR lies in the understanding of this new legislation. "Changes to the definition of what is and is not personal data, the need for 'explicit' consent for data collection and different documentation requirements all need to be interpreted and any relevant changes made. It will also require process documentation to be regularly audited and updated, as in many cases documentation is created, 'put on the shelf' and then forgotten about. Finally, there will need to be a process put in place for the notification of any breach to the relevant authorities and customers."

Some of these changes, he points out, may incur additional costs to business, while others may reduce overall costs, such as the unification of regulation, but getting a good understanding of this is still a work-in-progress for many organisations. "For providers outside of the EU who currently handle personal data on EU citizens, this will be more complex, as they will have to ascertain whether their local data-protection legislation is compatible with the GDPR. With appropriate assistance from national governments, organisations should be able to comply with the legislation."

"As with all regulations, it is important that organisations maintain their focus on the 'goal', rather than purely on compliance," Brown adds. "The impact of data breaches to both business and the end user can be significant, and businesses need to invest appropriately to protect themselves and their customers, not just comply with the legislation."

MANY UNPREPARED

According to Rob Norris, director of enterprise and cyber security in EMEIA at Fujitsu, the majority of organisations are not yet preparing for the new legislation. "GDPR readiness will oblige organisations to carry out thorough preparation, to set up the processes necessary for compliance, as well as supporting alignment of their systems and services with GDPR's requirements. That's why we recently announced a comprehensive portfolio of services to help organisations comply with the new legislation." This includes implementing contingency measures, as well as establishing both GDPR-related strategies and clearly defined processes in how to detect and react to data breaches, he says.

"GDPR will apply to organisations of all sizes and in all industry sectors, and not just those within the EU, so it's important companies take the first step and conduct data inventory scans to help discover the relevant data held today and where it resides.

"As well as this, organisations must take responsibility, whether they are private or public sector, and take the fight to cyber criminals before they can act," Norris advises. "This should be done through real-time threat reporting, a clear and well-rehearsed incident management plan, and addressing internal and external communication, in addition to containment and recovery activities. This will allow businesses to identify threats as soon as they hit the network and rectify them immediately."

"Now is the time for businesses to stop being hunted and instead become the hunter when it comes to cyber security," he adds. "Ensuring a compliant business environment, that will help protect the company and its employees, needs to be the number one priority."

MAJOR CULTURE SHIFT

GDPR is forcing a culture shift in the industry as it puts the responsibility firmly on the businesses that hold customer data, comments Alex Guillen, go-to-market manager at Insight. "There are two sides to what will engineer this shift - the first is prevention, which will be shaped in the preparation phase before the regulations come into play. For most organisations of all sizes, this will mean establishing the critical data they need to protect and identifying where it resides and the value it holds. Once established, we'll see organisations creating security strategies and policies for the end-to-end management of this data, with a particular focus on governance.

"When it comes to securing the data itself, we expect organisations to lean on consultancy services to help them navigate the best provider in what we know is a crowded market. A priority for businesses should be to look for holistic solutions that can ensure the integrity of the data, rather than throwing money at the problem and creating a patchwork of ineffective tools, as has been done in the past."

There are a number of hurdles that organisations will need to overcome, including the significant problem of dark data. According to Veritas' 2016 Databerg Report, dark data will prove the biggest challenge for most businesses preparing for the new GDPR. Why? "On average, 54% of the data held by organisations in Europe is considered 'dark data' - that is, operational data that isn't being used by an organisation," explains Guillen. "It's a tough one to prepare for, because organisations don't tend to understand the nature of their data and we expect, or hope, to see businesses using the time before 2018 to get to grips with it."

RISK APPETITE

Once the regulations are in force, it will take a few cases to build up case law and assess how various aspects are interpreted before there is a full understanding of the implications, suggests Graham Mann, managing director, Encode Group UK. "Depending on the severity of the fines, organisations will be better positioned to assess their 'risk appetite'; but, given the potential fines, it could be a risky strategy. Punitive fines are only one of the powers wielded by the supervisory authorities: they can undertake audits, issue warnings or demand myriad corrective action. In short, they have the power to seriously disrupt your business and leave you with a rap sheet."

'It wasn't me, guv' is no defence, he adds. "Data controllers and processors have dual liability under GDPR and so there's nowhere to hide. Therefore, it's vital that data controllers vet their processors carefully. Corporations will now have to define and implement a data strategy throughout the organisation. More importantly, they must think carefully about whether they need to store certain data, because there is now a defined cost. This will avoid consumer data being held unnecessarily

Graham Mann, Encode Group UK: Punitive fines are only one of the powers wielded by the supervisory authorities.

Michael Hack, Ipswitch: two areas to focus on are technology and training.

computing security, May/June 2017 (pp. 22-23) @CSMagAndAwards