After years of discussion, the European Parliament adopted the General Data Protection Regulation (GDPR) on April 14, 2016.
The EU GDPR introduces new obligations for companies that handle information belonging to individuals, and it will come into effect on Friday, 25th of May 2018.
Under the EU GDPR there will be a number of new rules for companies: those who process a lot of personal data will be obliged to appoint a Data Protection Officer, to carry out risk assessments, to implement data protection by design, to implement appropriate systems to minimise risk, to notify authorities within 72 hours of a breach and, most importantly, to understand where all data subjects' personal data resides and protect it accordingly. There will also be fines for companies who are proven negligent in the case of a security breach.
The new EU legislation is set to make reporting of breaches mandatory, and with potential fines for non-compliance of up to 4% of global turnover or €20M, not knowing what is happening within your IT systems is no longer acceptable.
Zinopy held a seminar on Sept 1st 2016 at the Dean Hotel in Dublin focused on the EU General Data Protection Regulation (EU GDPR) and how businesses can prepare for it. Our panel of speakers included experts from Deloitte, Ronan Daly Jermyn Solicitors, Information Security Assurance Services, IBM Security, Citrix and Zinopy. The seminar provided organisations with essential insights into the EU General Data Protection Regulation (GDPR), practical guidance and covered what organisations can do on the ground to improve data governance, reduce the risk of data loss and lower compliance costs.
Now is the time for organisations to take action to protect their data and that of the citizens of Ireland.
Over the past six years, research has consistently shown that the following general steps are correlated with top performance at safeguarding sensitive data:
- Identify and classify your data – you can’t manage data you don’t know about, and not all data is worth the same level of protection
- Prioritise your security control objectives for these information assets as a function of risk, audit, and compliance requirements (another way to think of data classification)
- Establish consistent policies as part of an overall approach to safeguarding sensitive data, wherever it may flow – at rest in the back-end, in motion on the network, and in use at the endpoints
- Empower end-users through ongoing awareness and training; transform behaviour and culture by integrating data classification into day-to-day workflow by providing the users with the tools to classify their documents
- Close the loop through regular review and analysis of the information from management, auditing, and reporting systems, and communicate the results and trends to the owners of the business risks for the confidential information and intellectual property being protected
There is a general perception that implementing document classification can be an onerous and disruptive process, whereas if you engage with a subject matter expert and deploy the correct methodologies and tool sets, it can be a painless and very rewarding undertaking.