Here are the policies that businesses must have in place to remain GDPR compliant, and meet best practices for data privacy.
The EU’s General Data Protection Regulation (GDPR) took effect on 25 May 2018, requiring every organization that processes the personal data of people in the EU, wherever that organization is based, to comply with its rules on collecting and using that data. However, a majority of companies likely missed the compliance deadline, and many employees remain unaware of the policies needed to keep data safe.
“Data privacy is a hot topic with GDPR going into effect,” said Dave Rickard, technical director at CIPHER Security. “An awful lot of companies may not think they have exposure to it, but there are lots of variables in that.”
For example, one online retailer Rickard works with has many customers from the EU, but can’t geolocate them from the website. Others don’t work with EU citizens, but have data processing and storage facilities there, which are also subject to GDPR.
GDPR will likely influence data privacy policies in other countries, Rickard said. However, cultural differences, particularly between the EU and US, may make this difficult.
“In the EU people are very centered on the perspective that ‘My name, my social security number, my passport information, everything that is PII about me, belongs to me. It’s part of my individuality,’” he said. “Whereas in North America, people have long since taken the perspective instead that data is currency. There are so many business models that are built on it. Data is money.”
The majority of companies that need to be compliant with GDPR are not yet, Rickard said. “I’d say compliance right now is only at about 35% or 40% at the most,” he said. “I think a lot of people are taking a wait and see approach.”
Some of the bigger players like Facebook, Google, and Amazon are going to be the canaries in the coal mine, Rickard said. “I think that they’ll have actions taken on them first, and people are going to wait and see if the actual GDPR penalties play out the way that they’ve been published.”
Companies that fail to comply with GDPR can face fines of up to 4% of their annual global turnover or €20 million, whichever is higher. That is the regulation’s upper penalty tier; lesser infringements carry fines of up to 2% or €10 million.
Here are five types of policies that companies must ensure they have in place and have trained employees on in the age of GDPR, according to Rickard.
1. Encryption policies
Most companies lack policies around data encryption, Rickard said. “Most people who are data owners are unaware of whether their data is encrypted at rest or not,” he added. “GDPR is big on encryption at rest.”
2. Acceptable use policies
An acceptable use policy should cover things like which applications are allowed, what web searching and social media habits are appropriate for the business, and the potential threats to brand reputation, Rickard said.
3. Password policies
Passwords remain a common digital entry point into an organization for attackers. Even in the best-case scenario, where employees use complex passwords that are changed often and never shared, human error and carelessness can still put a business at risk. “One of the easiest ways to breach a company is to put somebody on the janitorial staff and go looking at desks,” Rickard said. “People often have Post-it notes on monitors with passwords on them.”
4. Email policies
IT should have an email policy in place that hardens systems and can detect spam and viruses, Rickard said. “The kind of information that can be disclosed via email should be spelled out very clearly,” he added.
5. Data processing policies
Companies need to map their data processing flows to see what data is being collected, how it is processed, and who receives processed copies, Rickard said. “GDPR closes all those gaps,” he added.
Employee training is paramount for ensuring these policies are enforced, Rickard said. Raising awareness of the threat landscape and common vulnerabilities can help counteract human error.
“Security awareness and training is the cornerstone of any security program,” he added.