The General Data Protection Regulation (GDPR) becomes law across the European Union on May 25, but most businesses within the territory are not ready to comply, placing themselves at risk of incurring stiff non-compliance fines. In the short time that is left, Managed Services Providers (MSPs) have a unique opportunity to help usher businesses into compliance through education and implementation.
GDPR requires organizations handling EU citizens’ personal data to secure that data regardless of a company’s headquarters location. The data includes any information directly identifiable with an individual, including name, personal address, email address and IP address. Compliance requires the implementation of technology, policies and procedures as prescribed by the regulation. Non-compliance exposes organizations to substantial fines.
GDPR preparedness is a major issue. Most organizations will not be ready come May 25, and even worse, many of them still will not have complied by the end of 2018. According to Gartner, the latter group accounts for more than 50 percent of companies subject to GDPR.
Meanwhile, the London Chamber of Commerce and Industry (LCCI) found nearly one quarter – 24 percent – of affected companies don’t even know about GDPR, and 21 percent of organizations still need to learn more about GDPR. And even among those that already know about it, only 16 percent are prepared.
MSPs providing managed security services to clients qualify as “data controllers” as defined by GDPR. As such, they share in the responsibility of implementing security controls to prevent, detect and report breaches. If one occurs, anyone affected by it must be notified if the breach has a high risk of exposing their personal data.
To help clients achieve GDPR compliance, MSPs should guide them through three phases of implementation. The first phase focuses on understanding the regulation, the data it covers, existing gaps in the required controls, and how to best protect that data and the companies that handle it. Here are four steps to follow:
Perform a data inventory – List all data that is collected, where it is stored and processed, using criteria such as department, system, administrator, data type, location and source.
Assess risk – Compile a Risk Register based on the risks associated with the relevant data, including datasets, the vulnerability of each set, threat likelihoods, impact threats and the recommended controls.
- Consult an attorney – Seek legal counsel for guidance on compliance as it relates to a company’s specific environment and industry.
The second phase covers the actual implementation of technology controls and procedures that reduce security breach risks. The Risk Register should be used as a guide to the necessary controls and amended to reflect the changes and how they affect breach likelihood and impact.
The third phase covers prevention and detection of personal data breaches, and how to comply with GDPR’s strict breach notification requirements. Relevant authorities must be notified within 72 hours and, if the breach causes a high risk of exposure to the person or entity, they also must be notified.
MSPs have access to tools that can help with every phase of GDPR compliance, including Unified Security Management / SIEM platforms that help quickly achieve GDPR compliance. The right platform will offer features such as 24/7 monitoring and event data cataloging, real-time alerts to detect and respond to threats, threat analysis and integrate threat intelligence capability.
The platform should provide easy deployment and management of security controls across private and hybrid clouds as well as on-premise environments. When a breach is suspected, it should facilitate quick investigation and mitigation to comply with GDPR breach notification time requirements.
Considering how fast the GDPR effective date is approaching, it’s inevitable that many companies will not be ready. But with help from MSPs who offer the necessary know-how and technology, many will be able to accelerate their compliance process.