Security Partners Spotlight GDPR Regs As Deadline Nears, Data Protection Mandate Could Spur Cultural Changes
The countdown has begun, with less than a year until the General Data Protection Regulation (GDPR) takes effect, and solution providers said the clock is ticking for customers to get up to speed.
"If they haven't started yet, they have a problem," Andrew Howard, CTO of Switzerland-based global security solution provider Kudelski Security, said. "The deadlines are fast approaching."
GDPR officially takes effect on May 25, 2018, one year from now, bringing new requirements and regulations around data privacy, collection, management, and more for companies collecting and processing data on European Union citizens. The ultimate goal is to create better data privacy and protections.
[Related: 5 Things Partners Need To Know About New GDPR Regulations]
The regulations apply to companies that collect data on EU citizens and those that process data on behalf of those companies. That means the new regulations could impact both solution providers and their customers.
Penalties for not complying are steep – ranging from a written warning to mandated regular data protection audits, to financial sanctions of up to 4 percent of a company's yearly revenues. The penalties are tiered based on what measure companies failed to meet.
For that reason, partners said they are making GDPR a top priority for their customers.
"There's not a company we meet that does not have this on their risk register," Kudelski's Howard said. "It's a pretty common topic with CISOs and CIOs about strategy. They're all talking about it."
Howard said there is a "heavy paranoia" among customers around how they are protecting their data, and whether it will comply with the new regulations. Kudelski does a significant portion of its business in Europe, though the regulations will also impact the multinational companies it works with. For most companies, he said, it means a big shift in how they deal with their data, with major implications if they don't comply or experience a data breach.
"The issues that are important to CIOs and CISOs are important to us," Howard said. "As long as this stays on their radar and is top of mind to them, it is top of mind for us."
All these changes are expensive, costing a company "easily" hundreds of thousands of dollars, Howard said. The updates are also time-consuming, requiring assessments, technology updates, and ongoing maintenance. He said that's particularly challenging for small and medium-sized companies, which also must meet compliance standards.
Much of the challenge in meeting the regulations comes from the GDPR wording itself, which broadly, and fairly vaguely, outlines who must meet compliance, what compliance means, and what constitutes a failure to meet compliance. That attempted simplicity makes it extremely complex to meet compliance, said Dawn-Marie Hutchinson, executive director of the Office of the CISO at Denver, Colo.-based Optiv Security.
Hutchinson said the generalized requirements, rather than specific technical requirements, mean companies more generally need to have "data protection by design and default." That means mapping data flows, applying controls across the data lifecycle, and building a strong data classification program, along with policies for lawful collection, data protection, and data destruction, she said.
Kudelski's Howard said most clients fall into four categories: some are doing a good job and are ahead of the curve when it comes to being ready to meet GDPR requirements; some are halfway to where they need to be but still have room to improve; some are halfway to where they need to be but accept the risk of not meeting compliance; and others have not started at all. He said most clients fall into the category he called "pre-GDPR," where they do a good job protecting their so-called data "crown jewels" but need to expand that protection across their environment to meet GDPR regulations.
To get clients started, Howard said, Kudelski begins with a data discovery assessment and data classification. That can be a challenge, he said, giving the example of one recent client with more than a billion files to classify. From there, he said, Kudelski works to help clients build data standards and policies and implement data protection technologies. He said Kudelski has hired employees with expertise in data standards and data protection for these capabilities, and has partnered with boutique security firms in Europe where necessary.
"As VAR players, we're trying to provide the holistic package, including the technology and advisory services, and supplementing that with specialized R&D if that needs to be done," Howard said.
Hutchinson said Optiv follows a similar strategy, starting clients with an assessment of their information security program, then doing data mapping, data classification, and third-party risk management projects. With all that work to be done, and the steep risk of penalties, Hutchinson said it is important for clients to consult with a trusted advisor, like a solution provider, to make sure they are meeting all aspects of the GDPR.
While GDPR is forcing companies to update their data security strategies in a big, and often costly, way, solution providers agreed that it is a good shift in the long run. Optiv's Hutchinson said the GDPR would force companies to undergo a "cultural shift" when it comes to security, focusing on data-centric security rather than architecture-centric security. She said that would "force a more holistic improvement to the data security program."
Kudelski's Howard agreed, saying the GDPR seems to put in place protections that will at a high level help the average consumer when it comes to data privacy.
"As a consumer, I certainly want companies that have my data to take care of it. As a business, you have an obligation to protect your customers. The hope is that the GDPR allows that to happen," Howard said. "Our job [as a solution provider] is to make this shift easier for clients."