October 24, 2017
Complying With New EU Data Rule
by Tom Reagan
The General Data Protection Regulation has prompted companies to evaluate and improve on how they manage their overall cyber risk.
The EU General Data Protection Regulation is set to bring far-reaching changes to Europe’s data protection and privacy rules. The GDPR, which will take effect in May 2018, establishes requirements governing how organizations around the world manage and protect personal data while doing business in the EU. The regulations are strict, and the potential penalties are high — fines up to 20 million euros ($23.5 million) or 4% of global turnover, whichever is greater.
But new rules can also inspire positive change. Such is the case with the GDPR, which has prompted many companies to evaluate and improve on how they manage their overall cyber risk. With the GDPR deadline fast approaching, some companies appear to be further ahead than others in compliance planning, according to a global survey of corporate cyber-risk perception conducted by Marsh.
Marsh’s independent analysis of the survey’s findings highlights three key points:
1. Cyber risk is a top priority at organizations that report they are also preparing for GDPR.
The regulation comes at a time when cyber risk is — or should be — on every company’s radar, a fact underscored by survey respondents. In an age of technology-driven disruption, the threat of evolving cyber risks is real. The WannaCry and Petya ransomware attacks in 2017 had an impact on the share prices of several global companies and did significant damage to a number of smaller firms. They served as one in a string of reminders that any company that is connected to the internet, that uses technology or that stores customer or employee data is at risk — a list that excludes almost no one.
2. GDPR compliance efforts are encouraging broader cyber-risk management practices.
Organizations preparing for the GDPR are doing more to address cyber risk overall than those that have yet to start planning, according to survey respondents. And this is happening despite the fact that the GDPR does not showcase a “prescriptive” set of regulations with a defined checklist of compliance activities. Instead, GDPR preparedness appears to be both a cause and consequence of overall cyber-risk management.
Survey respondents who said their organizations were actively working toward GDPR compliance — or felt that they were already compliant — were three times more likely to adopt overall cybersecurity measures and four times more likely to adopt cyber resiliency measures than those who had not started planning for GDPR.
Practices such as cyber-incident planning and cyber insurance are not explicitly required by the GDPR, but those respondents who said their organizations had high levels of GDPR readiness had also adopted these measures. This works both ways — organizations that have adopted a cybersecurity measure such as encryption also have a jumpstart on GDPR compliance because encryption is strongly encouraged. And, while cyber-incident planning and cyber insurance are not explicitly required, they still enable firms to quickly marshal the resources to meet the GDPR’s 72-hour data breach notification requirement.
3. Even organizations with a higher degree of GDPR readiness may not be fully prepared for a cyber incident.
Consider third-party vulnerabilities. For years now we have known that weaknesses in suppliers, vendors and other third parties are prime entry points into a system for threat actors. The good news is that most organizations now realize this, as indicated by the 67% of respondents who said they assess the cyber risk of vendors and suppliers.
However, digging into what such assessments entail shows a somewhat alarming lack of detail. For example, only 17% of respondents said they have assessed the financial strength of their suppliers/vendors, something that is at the heart of the ability to pay compensation in the event of a loss.
With GDPR implementation just months away, among organizations subject to the GDPR, 8% said they were fully compliant, 57% were developing a compliance plan and 11% had yet to start. Given the effort needed to comply, this suggests many organizations will face challenges meeting all requirements by the time GDPR takes effect in May 2018.
Those who are ahead recognize the GDPR compliance process as a game-changing opportunity. Preparation has effectively focused executive attention on broader data protection and privacy issues, prompting related investments and commitment. In preparing for the new rules, organizations are strengthening their overall cyber-risk management posture and turning what is often viewed as a constraint into a competitive advantage.