Coming to a network near you…
President, Europe, Middle East, Africa and Russia
It’s a hot topic, some are ready for it and others are starting to realise it’s not far away… what am I talking about?
For the uninitiated, GDPR is the forthcoming EU General Data Protection Regulation, which will come into force in just over a month - on May 25th 2018. In short, it’s a new set of rules designed to simplify data protection laws and give citizens across all EU member states greater protection for their personal data – which can also extend to IP addresses, MAC addresses, and biometric data.
This new Regulation is designed to bring greater consistency to the data protection landscape in Europe and, with that, comes a significant increase in potential fines and costs – up to 4% of annual turnover - for those organisations that contravene it. And, whilst it has been conceived in the EU, one of the biggest changes is that this law applies to any company that processes the personal data of people located in the EU. Consequently, it impacts those organisations located outside of the EU that provide goods and services to customers in member states and, in doing so, use, transfer and monitor customers’ personal data to transact business.
Although many of the GDPR principles are not new, the increased levels of accountability and potential fines represent a major shift in how companies need to consider protecting personal data. In an evolving digital world, we know that the threats to our data are ever-increasing and the way in which data is stored and managed can have far-reaching, and potentially detrimental, impacts on companies’ reputations and revenues.
With predictions that 20 billion devices will be connected to the network by 2020, the huge increase in data is inevitable and more rigour around how it is captured, analysed, processed and managed can only help to mitigate possible threats and foster innovation.
The network is the only place where all this data traverses and converges and, therefore, it’s critical that all organisations have the best visibility, analytics and protection.
Which begs the question - are you ready, is your network ready and how can you prepare?
On the topic of data, recent studies have uncovered a myriad of statistics on GDPR readiness but the general consensus is that the majority of companies – around 60% - are not fully prepared. So, what steps can be taken to ensure your organisation is GDPR ready?
1 - GDPR requires every organisation to know its data. It’s vital for companies to understand what personal data is held, for what purpose and for how long, and to keep a record in case of access requests from both individuals and the authorities.
2 - Data should be assessed and managed. Once companies know what data they have, they must assess the gaps between the intended outcome and the privacy requirements. Solid vendor management is also crucial here since companies are responsible for their own supply chains which, in turn, use customer data on their behalf.
3 - Protecting and Securing - on the topic of security of data, GDPR declares that ‘state of the art’ security measures need to be in place to help companies protect, detect and be resilient in case of an attack. To do this, a comprehensive security architecture is a necessity, one which also complies with other important data breach requirements. Under GDPR, it is mandatory for a company which suffers a data breach involving personal data to notify the authorities and, in certain circumstances, impacted individuals within 72 hours of an occurrence. If an organisation does not have the technology and processes, coupled with a clear understanding of its data, then it becomes a daunting – if not impossible – exercise to achieve this.
4 - Research and being aware: a data protection programme which is not shared and followed by a company’s workforce is simply not sustainable. Awareness is key. In addition, and most importantly, protecting individuals and personal data is everyone’s responsibility - it starts at home and continues in the workplace.
The Directive on the security of networks and information systems (NIS Directive) has spent less time in the spotlight but includes more stringent security requirements than the GDPR. Due for transposition into EU countries’ law a couple of weeks earlier on 9 May, it details specific security requirements for systems and networks in critical infrastructure sectors like finance or health, as well as for cloud providers and other digital service providers. Moreover, it broadens the scope of reportable incidents beyond data breaches to those impacting the confidentiality, integrity or availability of the services themselves.
We all need to be vigilant and mindful of these new laws and, within Cisco, we, too, have been making progress to ensure our readiness.
How is Cisco ready?
One of the key requirements of GDPR is privacy by design: including data privacy principles at the design phase of any data-centric solution or product development lifecycle, which we address through our Privacy Engineering methodology. Our solutions – including Spark for Collaboration and Umbrella for Security - are all ready to meet the new GDPR and privacy requirements.
As a company, we have also had our Binding Corporate Rules approved by the Data Protection Authorities. For those not familiar with the terminology, it means that the authorities have examined our own processes and policies on how we protect both HR and customer data, wherever they flow within our global organisation, and declared that they comply with privacy principles and are aligned to GDPR.
Our own technology, of course, helps us to comply. For our customers, Cisco’s security portfolio can assist in building a comprehensive architecture - necessary to respond to the data threat challenges, and to the clear requirements of the new laws.
To find out more about Cisco’s position on GDPR and how we can support your GDPR journey - as well as for a whole host of useful resources - visit trust.cisco.com.
GDPR is coming!