There is an old saying: “You can’t get where you want to go, if you don’t know where you are.” This also seems to apply to the European Union’s General Data Protection Regulation (GDPR). The deadline for compliance with GDPR is fast approaching; it will come into effect on May 25, 2018. The new regulations apply to all EU companies holding personal data on an individual, in addition to those companies worldwide who hold personal data of EU residents.
Confusion about GDPR seems to be pretty consistent. A large number of bigger EU companies are (still) unprepared, and many SMBs remain in the dark. And in the US, businesses that have data connections to EU customers are scrambling to understand how GDPR will affect them and what they have to do.
ITProPortal.com sat down with a top security expert, Eyal Aharoni, COO of Cymulate, to get his thoughts on the current situation with GDPR. Cymulate is an Israel-based company that provides Advanced Persistent Threat (APT) simulation that exposes current vulnerabilities within a security infrastructure.
1. As a security expert, what was your initial opinion on the rationale or benefits behind GDPR when it was first announced?
Like the rest of the relevant stakeholders, I have mixed feelings about it. On the one hand, there is definitely a need for tightening security around Personally Identifiable Information (PII). But on the other hand, it requires significant investments for organizations to comply with this regulation.
2. What are your thoughts on how the EU went about the whole process of formulating GDPR and then getting the word out?
First of all, it is important to note that the EU started the right way by providing a long period of time for organizations to prepare for this new regulation. Secondly, the regulation forces everybody to achieve the same (cybersecurity) goal. However, I believe that the way it has been written could be less formal and cumbersome, and could have been written in a clearer, more concise way. The EU was faced with a huge challenge, namely “translating” the legal meaning into technical concepts. This has an impact on organizations that now need to comply but are not legally savvy and therefore need a more detailed and hands-on approach. A very important positive side effect of this regulation is that it has created many new jobs and generated business for companies operating in a number of industries (such as consulting, security, and legal).
3. What do you think the biggest challenges are for larger EU companies regarding the implementation?
For larger EU companies, the challenges consist of getting users’ consent, managing their data records, and tracking all the changes. Nonetheless, I believe that the EU itself will also face a major challenge, since it must verify the compliance level of organizations. Since there are so many organizations that must comply, the EU needs to allocate massive resources in order to just scratch the surface and assure that the set benchmark is enforced. The EU needs to allocate funds, followed by enough auditing personnel and stakeholders who are in charge of reviewing the results and requesting/enforcing improvement(s) where needed.
4. What are the specific challenges that SMBs face?
The major problem that these organizations are facing is to allocate enough budget and resources in order to start managing the activities pursuant to the requirements. At times, this would also require adding new job positions, updating current applications, performing surveys and assessments, adding security services and capabilities, etc.
5. What about US companies who are or will be affected by GDPR, where do you think they are with implementation at this point?
I believe that the buzz around this hot issue during the past couple of months has stirred the pot. US organizations are aware and have started to prepare. They know that they could lose money by ignoring the issue, so they are making efforts to comply. However, it is still not done on a large scale, and most companies are still not prepared to comply fully with the requirements of this regulation.
6. Generically or anecdotally, what are your clients experiencing right now; what are you hearing, about GDPR implementation?
We see that the attention of European organizations and firms is more focused on privacy and security issues than ever before. To say it clearly, it is the talk of the day. Some of our EU-based customers are investing in this issue as a strategy, others more out of a feeling of panic. During discussions that we have with EU customers about our solution, we get many questions relating to privacy and security compliance. They ask, check and double-check until they are happy with the answers and demonstrations we give them.
7. What best practices do you recommend for companies struggling with the implementation or just starting?
Since the deadline for complying is around the corner, the best approach is to manage it across the organization and dedicate a manager within the organization to handle this project. That manager should become familiar with the many available sources (some are free of charge). Once it is clear what is needed, the organization should decide if there is a need for a third-party consultant. If so, such a consultant must be an expert in this domain. Once appointed, the consultant must work together with the project manager. The organization should also consider investing in supporting tools and services. Once the resources are in place, the project can start. It’s important to document all activities.
8. When we hit the GDPR deadline, what changes do you envision for the security landscape of the EU at that time and moving forward?
Changes are already taking place; we see that more and more organizations are becoming aware of the importance of privacy and security, and that they can’t put it off anymore. In addition to the rising awareness, the job market is also changing with many new positions in the field of handling privacy and security. We also see that additional services are offered by MSPs and security vendors alike.