Microsoft President and Chief Legal Officer Brad Smith delivered a keynote speech during the recent Microsoft Inspire conference in which he said,
“GDPR will be important to your business — whether you have offices in Europe or do business with Europeans. Frankly, GDPR will be important to your business even if you’ve only just heard of Europe.”
The European Parliament introduced the GDPR to better protect the data of European citizens, meaning all foreign companies that process the data of EU residents are subject to enhanced regulation. Given the impending timeline — GDPR goes into effect in May 2018 — organizations must start building security into product and processes now.
Easier said than done.
Security Gets Harder By the Day
Smith went on to talk about the cyber-dangers we navigate every day — rolling waves of data breaches, viruses and malware attacks, many of which come in primitive digital packages, emails and links. For someone like me who’s spent the greater part of the last 20 years talking about online privacy and security, it feels very much like we’re going back in time.
But as Smith noted, “Every company has at least one employee who will click on anything.”
So what are we security and privacy people to do, faced with a world of enemies? Our potential adversaries could be nation states, malicious hackers, teenagers with too much time on their hands, or (most realistically) employees making careless decisions. How can we help protect our companies from and prepare them for the inevitable breach? How can we help build trust for both our employees and customers, confirming we’ll protect their personal information?
And finally, how can we mitigate the likelihood we’ll become embroiled in a situation that may result in one of those staggering GDPR fines?
4 Best Security Practices From Microsoft Partners
This week as I spoke with Microsoft partners about how we should think about security as a service under GDPR, I distilled our conversations into four best practices:
1. Understand and Optimize Your Data
Nearly all regulatory requirements and industry standards focused on privacy, data protection and security begin with the principle of understanding the data you have. While that sounds simplistic (and hopefully like good common sense), it’s a lot harder to put into practice than you might think.
This practice directly contradicts standard business practices and the habits of most end-users, who instead are accustomed to life as data hoarders. In my recent column on file share analysis, I wrote extensively about the problem with dark data — operational data that’s not in use — as well as the risk and opportunity this may create for a company.
Under the GDPR, systems integrators, consultants or even internal IT staff should take the time to establish data cleansing programs. Analyzing, pruning, and then, finally, optimizing your data — while an arduous task — will pay off in greater productivity, improved performance of your IT systems, reduced storage costs and ultimately reduced privacy and security risk.
2. Implement Good Data Lifecycle Management
Closely associated with data optimization is data lifecycle management. For all of you unsung heroes of records management — now is your time to shine.
GDPR mandates not only a reasonable legal basis for collecting data, but also mandates purpose limitation. In other words, you should only keep the data you collect for the length of time in which you have a legal or contractual basis to do so.
Here’s an example — if I sell you a software subscription for a one-year period and I collect your data to provide technical support, but at the end of the year you do not renew your subscription, according to GDPR, I should eliminate that data from my system. This sounds an awful lot like good records management practices, and presents a huge opportunity for data lifecycle management solutions companies.
3. Conduct Planned Cloud Migration Around GDPR Best Practices
There’s no better time to start thinking about GDPR compliance than during an IT implementation or transformation. If your business is planning to retire legacy data and move an on-premises infrastructure to the cloud, then work in a data cleanse, which will be required in just 10 months under the GDPR.
Companies planning a move to the cloud should take advantage of the opportunity to do so in a smart and compliant manner.
4. Live by the Babysitter Rule
The “Babysitter Rule” is the most fundamental rule under the GDPR. Think about what would happen if you set a curfew for your teenagers and then went away for the weekend. Those kids’ timely return to your house is questionable at best.
In a similar vein, organizations should resist setting policies and procedures they can’t enforce. Focus instead on doing what you say, saying what you do and having the ability to demonstrate your technical controls to the Data Protection Authorities.
Get to Work
Whether you work for a company planning its own GDPR strategy or you’re a consultant looking to help others with their plans, the time to act is now — and the business opportunity is significant. Failure to implement appropriate programs may result in great financial harm.
But perhaps more than anything else, the controls outlined in the GDPR are what’s right for us as consumers. With 10 months to go and counting, there is truly no time like the present.