With the implementation deadline of the General Data Protection Regulation almost upon us, your business is set to be impacted by one of the most wide-ranging pieces of EU legislation passed in recent memory.
Even if your business has been busy preparing for the GDPR for months, it doesn’t mean that you can afford to sit back once 25th May comes around. For a wide range of reasons, it’s vital to continue to monitor your organisation’s compliance, particularly when it comes to data security.
Why it’s important to continually assess your security posture
Being able to identify and respond to exposures across your organisation’s IT environment is vital to upholding a robust cyber security posture. Among the requirements of the GDPR, to help mitigate threats, is a need for businesses to regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of data processing. Procedures for detecting and investigating personal data breaches are also mandatory.
Risks to your business evolve on an almost daily basis and mean that it is vital to keep pace.
Five key factors affecting on-going GDPR compliance
1. The scale of your business’ data processing is only likely to increase
As your business grows it’s likely to process more and more data pertaining to employees, customers and partners. In order to respond to changing operational and industry requirements, different types and/or categories of data may need to be collected.
To successfully maintain GDPR compliance you need to ensure that your business has a legitimate purpose for processing all the personal data it amasses, and that appropriate safeguards are in place to fully protect it.
2. The attack surface is growing
Business growth, changes to IT infrastructure and adoption of new technologies are continually widening the surface through which cybercriminals are able to attack your business.
Cyber security assessments are important for identifying and helping to address hidden exposures. As a rule, tests should be performed regularly, including at the outset of business projects and deployment of new systems. Embracing privacy by design can help to identify and mitigate exposures from an early stage.
3. Attacks are increasingly difficult to detect
In order to successfully compromise your business, cybercriminals continue to develop new ways to evade your defences. Despite offering a base level of protection, traditional preventative security such as firewalls and antivirus are ineffective at stopping persistent human assailants capable of thinking outside of the box to identify and exploit new vulnerabilities.
Being able to detect attacks requires your organisation to stay abreast of the latest offensive security techniques. This includes aggregating the latest intelligence, utilising state-of-the-art security tools and possessing the in-depth insight and visibility to detect and respond to anomalous activity in its infancy. Over the coming years, SIEM, AI and machine learning technologies are likely to be instrumental in helping to protect your business and the data it holds.
4. Turnover of staff
Ensuring that all your staff understand the importance of data security and stay knowledgeable about the latest security risks is a key way to help maintain GDPR compliance. As employees come and go, it’s important to ensure that new starters are informed about your security policies, that existing staff undertake regular training, and that access control policies are regularly reviewed and implemented.
Be aware that if your data processing activities evolve to the extent that they cover large scale, regular and systematic monitoring of individuals and/or incorporate the handling of special categories of data, your business will need to appoint and train a Data Protection Officer (assuming that it doesn’t have one already!).
5. Interpretation of the law will continue to evolve and be challenged
While lawyers and technologists spent a great deal of effort making the legal text of the GDPR as inclusive as possible, accounting for all data processing scenarios is impossible. Grey areas and ambiguities in wording are likely to continue to be pored over beyond May 25th, with some conditions and definitions likely to be the subject of legal challenges. All legal developments will need to be followed closely, as precedents may affect the requirements of the regulation and the way that they are applied.
The impact of Brexit is likely to keep data protection at the forefront of public discussion in the UK. While the Data Protection Bill, set to be enacted from March 2019, will enforce GDPR standards upon all organisations, its requirements may be subject to change over time.
How Redscan can help keep your GDPR data security up to scratch
Regardless of future business, technological or regulatory challenges, Redscan can help your organisation to continually improve its data security. Our range of award-winning security assessment, detection and response, and cyber consultancy services are designed to help support and optimise current in-house capabilities.
From CREST accredited penetration testing designed to identify risk across your infrastructure, networks and applications, to Red Team Operations designed to simulate real cyber-attacks, our ethical hacking engagements not only help to identify hard-to-detect vulnerabilities but address them too.
To improve breach detection and response, ThreatDetect™, our flagship and award-winning managed detection and response service, provides the 24/7 cyber security operations centre experts and latest cutting-edge technologies and intelligence to swiftly detect and respond to threats across networks and endpoints.