EU GDPR Final Countdown: How to Prepare Your Security Program Before It’s Too Late
Exactly one year from today, the European Union’s GDPR compliance deadline will hit organizations with strict data breach disclosure rules. Under the new regulation, companies must notify authorities within 72 hours of becoming aware of a breach. This is not just a European issue—any multinational firm offering products or services to EU residents must comply. For chief information security officers (CISOs) worldwide, understanding and communicating the impact of GDPR on both security and business operations is now critical.
Unlike earlier privacy laws, the EU GDPR carries severe penalties: fines up to €20 million or 4% of global annual revenue, whichever is higher. That figure may sound extreme, but attackers are growing more sophisticated and networks more complex, and the regulation is a powerful motivator for companies to rethink their cybersecurity approach entirely.
Why GDPR Compliance Demands a New Security Mindset
Complying with GDPR can feel overwhelming, but implementing the right security controls and processes will ultimately protect both the organization and its customers’ data. Knowing your network and understanding its exposure are the keys to reducing cyber-risk. These are the critical first steps in improving overall security posture.
Businesses have just twelve months to ensure their cybersecurity programs are ready. Here are four essential steps for IT security professionals and CISOs to focus on as they strengthen their programs and prepare for the incoming legislation.
1. Implement an Information Security Framework
The GDPR emphasizes the importance of implementing “technical and organizational measures.” CISOs are increasingly turning to information security frameworks to guide their efforts in protecting critical systems and data. This is a great starting point for developing appropriate measures.
While the EU does not prescribe a specific framework, adherence to the NIST Cybersecurity Framework (2014) or ISO/IEC 27001/27002 will make demonstrating compliance far more likely in the event of a breach. Leveraging an industry framework helps organizations identify, implement, and enhance their cybersecurity practices. It also provides a common language to communicate issues to stakeholders. Companies not currently using a framework should strongly consider adopting one.
2. Identify Personal Data, Including ‘Special’ Data
Under the EU GDPR, the definition of “personal data” has expanded to cover information that establishes a person’s identity in less obvious contexts. This is crucial because personal data under the new regulation may not appear in an obvious form. It can include IP addresses, application user IDs, GPS data, cookies, and MAC addresses. Organizations must be on the lookout for these new types of personal or specialized data.
One effective approach is data discovery, which uses both active scanning and passive network monitoring to locate unencrypted sensitive data. From there, teams can decide whether to remove the data or apply controls. For more guidance, check out our data protection strategies guide.
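As an added illustration (not code from the original post or its author), the following Python sketch applies the discovery idea to constructed sample text: it scans plaintext lines, such as application logs or a captured HTTP header, for the personal-data categories the article lists. The sample lines, category names and regular expressions are my assumptions, and the IPv4 check shows why a bare pattern match is not enough.

```python
import re
from typing import Dict, List

# Constructed sample of "unencrypted" text a discovery scan might see:
# application log lines plus one captured HTTP request header. Not real data.
SAMPLE_LINES = [
    "2017-05-25 10:01:02 login ok user_id=48213 src=203.0.113.17",
    "GET /api/v1/me HTTP/1.1 Cookie: session=abc123def456; theme=dark",
    "device joined: mac=00:1A:2B:3C:4D:5E ip=192.0.2.44",
    "checkin lat=48.8566 lon=2.3522 user_id=48213",
    "heartbeat ok uptime=3600s",
    "bad addr 999.1.1.1 should not count as an ip",
]

# Candidate patterns for the categories named in the article (assumed shapes).
# The IPv4 pattern is range-checked afterwards because a regex alone
# accepts octets above 255.
PATTERNS = {
    "ip_address": re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b"),
    "mac_address": re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b"),
    "user_id": re.compile(r"\buser_id=(\w+)"),
    "gps": re.compile(r"\blat=(-?\d{1,2}\.\d+)\s+lon=(-?\d{1,3}\.\d+)"),
    "cookie": re.compile(r"\bCookie:\s*([^\r\n]+)"),
}

def _valid_ipv4(candidate: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))

def classify_line(line: str) -> List[str]:
    """Return the personal-data categories present in one line of text."""
    found = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(line):
            if category == "ip_address" and not _valid_ipv4(match.group(1)):
                continue  # looked like an address but is not one
            found.append(category)
            break  # one hit per category per line is enough
    return found

def discover(lines: List[str]) -> Dict[str, int]:
    """Count, per category, how many lines expose that kind of personal data."""
    counts: Dict[str, int] = {c: 0 for c in PATTERNS}
    for line in lines:
        for category in classify_line(line):
            counts[category] += 1
    return counts

if __name__ == "__main__":
    for category, n in discover(SAMPLE_LINES).items():
        print(f"{category:12s} {n} line(s)")
```

The per-category counts tell a team where controls or removal are needed first; in practice the patterns would be extended and run over real scan and capture output.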
3. Include Unknown or Unauthorized Assets
IT environments today are busy and dynamic. Traditional assets, containers, mobile devices, and IoT devices all make the corporate network harder to secure. This added complexity not only introduces new security risks but can also undermine the organization’s compliance posture.
With new devices and applications constantly connecting to networks, it’s essential that organizations have complete visibility across their entire IT infrastructures. This is the only way to fully understand where they’re exposed, what the risks are, and how to reduce them. Without this visibility, GDPR compliance becomes nearly impossible.
4. Validate Security with Certifications
EU certification bodies have begun work on an EU-wide seal that incorporates the requirements of the regulation. While there isn’t a published timeline for the certification process, it may resemble current processes. Companies should be able to leverage existing certifications, such as ISO/IEC 27001 or SOC 2. If considering investing in this type of certification, GDPR is a good incentive to move forward.
Technology innovation and business operations have evolved dramatically over the last twenty years, but the industry’s security and privacy standards have not. GDPR was designed to address this gap, forcing organizations to not only rethink but readjust their approach to security.
It’s time for organizations to make security a board-level issue. Failing to make educated investments in security—or continuing to ignore its impact on the bottom line—will gravely affect the organization’s overall security and compliance posture. Start preparing your security program today to avoid costly penalties tomorrow. For additional resources, visit our cybersecurity compliance checklist.