[ericho]

The GDPR law will be effective in May 2018 and China has passed their Cybersecurity Law recently. With all these cyber security regulations in place, will the companies complying to these law be more secure in the future ? Thoughts ?

Topic

[ednode]

Not in the near term. At the moment firms are struggling to classify data properly. That essentially is the first step to understanding what security needs to be put in place but when GDPR goes live the focus will be on mapping and classification of data.

In time, yes it will help. If we know what the data is we can understand the data most susceptible to attack as well as the type of actors and methods most likely to be used.

[ericho]

Agree. In the first 1-2 years, the IT and Security teams will be overloaded with the compliance activities. As a result, some of the essential security investment would be delayed or deferred due budget or resources issues. This make the organization more vunerable to different type of cyberattacks. There should be longer grace period such that the industry have enough time to nurture enough experts in this field.

[vasolrac]

I agree with the fact that either IT and/or the organization’s risk mitigation team will be busy classifying data in order to take full advantage of new governance tools meant to comply with GDPR.

I do think the GDPR is a positive step in security. For instance, I am happy to see Microsoft rolling out the HYOK (hold your own key) encryption ability for their Office 365 users (end to end encryption for email). Big orgs like Microsoft, Google and Box have European citizens as clients and will need to comply with GDPR. The nice things is that US customers will be able to take advantage of the new security features being rolled out sooner than later.

But the first step is data governance, clean up and classification – with leadership buy in.

[llem]

Over time the GDRP could achieve the objectives by establishing compliancy, protecting personal data, and establishing assessment measures to maintain compliancy. These are three major elements and I agree with the posts so far that there is a lot of work behind the scene to bring these ideas online. This is a step in the right direction, while I think global diplomacy amongst the major participants will still be a challenge. What do you think?

[cyberpichu]

Privacy and security are not mutually exclusive capabilities – from what I’ve observed, an organization cannot demonstrate privacy hygiene by discounting security and data protection controls.
GDPR provides the rigor for organizations to identify the personal information relevant to their environment (such as physical identifier, social identifier, genetic identifier etc.) and associated business processes, systems and applications that process those information (Article 30 in GDPR). This insight is a starting point for many organization to catalog their critical systems and applications and evaluate their privacy and data protection controls. Of course, beyond the compliance aspect, organizations should focus on leveraging the data mapping results and managing defensible data protection and information security hygiene overall.

[disabatom]

Companies will reply to GDPR based upon the cost of compliance and the cost of non-compliance. With the fine for non-compliance being up to 4% of an enterprises prior year’s revenues, the potential cost is huge. But only in so far as it is demanded. There are many penalties for not having ‘good’ security and privacy practices, but there have not been many firms told they need to pay any sort of penalty for non-compliance. In the instances where there have been, they are most likely viewed as the cost of doing business.

[rballeste]

According to experts in international privacy law, GDPR standards will benefit internet users, and this perhaps should be exported from Europe. How long organizations will need to fully implement it? Is there a significant financial impact? Thank you for your feedback.

[marislan]

I agree that GDPR by itself will not in the short term make data more security, especially in large companies that have not been disciplined with basic tenets of data governance because these companies are currently working to just classify the data. Classification, in my experience, is just the first step. We can use GDPR as leverage to drive privacy and security initiatives which must be integrated into larger governance programs.

[packerman007]

Thanks for sharing these insights. I question whether many US companies will be in compliance with the EUs GDPR by mid-May (25th) 2018. Much due to over-committed resources and prioritization by the organization that may not fully understand this new EU regulation and its impact to the business.

[packerman007]

Thanks everyone for your insights regarding the impact the EUs new GDPR regulation will likely have.
GDPR in the Healthcare/Life Sciences industries within the US may still have a great deal of work left to accomplish complying with the mid May 2018 timeline meeting the requirement(s).

There are some videos and framework documents here: http://www.itgovernance.co.uk, http://www.itgovernance.co.uk/shop/p-1830-eu-gdpr-a-pocket-guide.aspx
https://www.itgovernance.co.uk/shop/product/eu-general-data-protection-regulation-gdpr-documentation-toolkit

[packerman007]

Some of the questions pertaining to the GDPR regulation, among others:

Does the company understand its data footprint in the European Union (e.g., data about employees, consumers and clients)?
The company’s preparation providing evidence of GDPR compliance to EU or US privacy regulators, during an assessment/audit?
The company’s overall framework for GDPR compliance? How aligned and integrated with other regulatory systems, e.g. Quality Management Systems (QMS)?
The company’s Data Protection Officer (DPO). Does the company have this role defined? Is this resource the Data Integrity Office as well?`

[marislan]

@packerman007, are you defining the Data Integrity Office as the group accountable for data quality? If so, at our organization, that is separate from our Data Privacy Group. We actually have Security and Privacy in separate groups and I oversee data governance which includes security and privacy as well as data quality. I actually believe we would make more progress if we brought all through groups together under a Chief Data Officer.

[ks75020n]

The impacts & insights on how would CS revolve around nations in Europe post BREXIT & the GDPR law coming into force May 2018 has some really interesting facts to reveal.

https://www.checkmarx.com/2017/04/27/brexit-effect-cybersecurity/

• This reply was modified 3 years, 3 months ago by ks75020n.
• This reply was modified 3 years, 3 months ago by ks75020n.

[jreade]

Here is an recent article on GDPR and data localization and the impact it will have on Cloud. I thought this discussion might find it interesting.

https://www.scmagazine.com/gdpr-and-data-localization-the-significant-and-often-unforeseen-impact-on-the-cloud/article/718552/

• This reply was modified 3 years, 3 months ago by jreade. Reason: Edited link to open in new tab and no longer redirect first

[frederik]

For the China part of your question, I’ve been in touch with the Chinese culture a little bit over the last years.

Having laws in place will not necessarily make Chinese companies more secure…

One of my (Mainland Chinese) CEO’s (in a multi billion USD turnover and multi million USD profit) company literally said when I requested a tiny budget (20K USD) for cyber security: “We have never been hacked, we don’t need that, why would anyone want our information!”

A few months later we turned out to be hacked already… we only got the go ahead to invest close to half a million in cyber security 6 months after that hack…

Chinese habits of using pirated software, high levels of pride and negative thoughts or emotions not to be spoken out loud, will make it more tough to secure.

Of course there will be numerous examples of very well organized and structured companies in China as well!

[leeh]

If the question is “will the companies complying to these laws be more secure in the future?” I think that the answer is arguably yes! I agree with most of the comments that businesses have a lot of work ahead of them to classify data that needs to be protected, to put in place systems to protect the data, and putting a DPO in place (among other necessary activities). However, even starting down this road and starting to look at these issues will put many businesses in a more secure position in the near future. Will they be compliant and more secure by May 2018? Probably not, but the GDPR has opened up many needed discussions in the past six months. Additionally, the potential for large fines if you are found in violation of the GDPR gives many businesses a financial incentive, that they might not previously have recognized, to invest more time and resources into data security and protection.

• This reply was modified 3 years, 3 months ago by leeh.

[nquinn]

I do believe it will make company information more secure although it may take a while to see the value of it. Implementing the standards will be challenging. One of the interesting aspects is the data localization in light of cloud platform popularity. Keeping data within a countries borders and yet many vendors use data centres in different countries.
Another aspect of the challenge coming will be for non EU vendors. US companies such as our own will need to implement the same standards when working with EU data and localized.

See jreades post above with a link to a great article on Data Localization

[agb83]

No doubt will make information more secure. However, this will take time as unfortunately many organisations specially those outside EU but handling data of EU subjects, are still far from implementing and getting up to date with the new regulation.

[msiro]

@packerman007 with regard to the question “The company’s preparation providing evidence of GDPR compliance to EU or US privacy regulators, during an assessment/audit?” the first evidence is surely the “Record of processing activities” ex art. 30 GDPR that is also the first document to be drafted when assessing the compliance to the GDPR.
A second evidence is the performance of Data Protection Impact Assessment “if the processing is likely to result in a high risk to the rights and freedom of natural persons” (Art. 35).
The French privacy Authority CNIL has just released a free software for carrying out the DPIA activities available here:

https://www.cnil.fr/en/cnil-releases-free-software-pia-tool-help-data-controllers-carry-out-data-protection-impact

[aksver]

Most best practices that are recommended by the GDPR are already recommended as the echelon of best practices that companies are to follow. The suggestions for pseudo-anonymization and maintenance of data protection personnel are good practices that are being imposed and the impact as widely discussed in the forum above is extra-territorial. Since I am from India I thought it would be pertinent to mention that the Data processors in India as well as scrambling to comply with the provisions and the way in which the regulation has been structured to not only include best practices from a prevention but also a risk mitigation perspective can have a major impact on the way cyber security is dealt with. GDPR has also brought attention the boards which is a welcome impact, therefore from a policy perspective that would augment an organization’s stance and practice the GDPR has a far reaching impact.

[barlas]

As in other compliance programs, the beginning years are more testing than bite. There will be some early adopters, There will be companies that test their limits. We will see how serious the EU takes this after May.

[edlimxs]

I think it will and it is a great step in the right direction. GDPR focus more on the process of handling data which many think is correct. As people are often the weakest link in any security scenario, governing the way data is being handled is the best way.

[msiro]

I don’t think there’s space for “early adopters” nor what the EU will do. This is a regulation (not a directive) therefore is self-executing in every EU Country without the need to be made national law.
In Italy, for example, the control regarding the privacy laws are made by the “Guardia di Finanza” that is a sort of Tax Police: the Italian Supervisory Authority (“Garante Privacy”) and the Guardia di Finanza keep saying that from May 26th they will start to control and that fees will be important for those not compliant. The same goes in France and UK.

[jreade]

Here is another recent article from Forbes on GDPR Compliance and the importance of Information Governance. https://www.forbes.com/sites/forbestechcouncil/2017/12/06/if-gdpr-compliance-doesnt-start-with-information-governance-youll-probably-fail/#348d36042e1e

The Compliance, Governance and Oversight Council (CGOC) has developed the “Information Governance Process Maturity Model” to help organizations understand the strategies, processes and technologies required for an efficient governance program. Other important resources include the Electronic Discovery Reference Model (EDRM) and the Information Governance Reference Model (IGRM).

• This reply was modified 3 years, 3 months ago by jreade. Reason: Defined CGOC

[risonhaug]

The GDPRegulative that kicks in, have made all the US software and consultant firm targeting the European marked in a massive way. I see little smartens in how they try to “help” but mor into increasing earnings.

The only way that GDPR will make information more secure is, now IT and LOB will get “new” money and resources to do some real lift in information security. Historically infosec in Europe has been updating Endpoint security and replacing firewalls – but never read the logs.

While the US marked have been heavily investing ing e.g. DLP, most European leaders dont have clue what its about, now they have to wakeup

[Author]

Replies