On May 25, 2018, the EU General Data Protection Regulation (GDPR) goes into effect. This broadly reaching regulation governs how personal data is collected, processed, and stored, and it is causing fundamental shifts in the way organizations approach personal data. And rightly so: the maximum fines for non-compliance are significant, at up to 4% of annual global turnover or €20 million, whichever is greater. GDPR will greatly affect developers of internet of things (IoT) devices, which typically collect and transmit a great deal of personal data. It will no longer be acceptable to ship IoT devices with weak security measures, as the manufacturers themselves may be held liable for data breaches caused by poor design.
The good news for consumers is that organizations must take the cyber security of personal data into account as part of their GDPR compliance efforts. Data privacy and data security, long treated as separate disciplines, are becoming intertwined because of the regulation. Andrew Burt, Chief Privacy Officer and Legal Engineer of Immuta, states, “2018 will prove that cyber security without privacy is a thing of the past.” (Forbes) Article 32 of GDPR (security of processing) sets out what the regulation expects of data security; breach notification is covered separately in Articles 33 and 34. Among other things, data controllers and processors are required to implement, as appropriate to the risk, measures including:
- The pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Heimes)
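As an added example that is not part of the original article or the IEEE course, the following Python shows what the first measure in this list, pseudonymisation, looks like in practice, and why an unkeyed hash of an identifier does not achieve it. The patient records, the national ID format (birth date plus a four-digit serial), and the key handling are constructed for the demonstration; only the standard library is used.

```python
"""Pseudonymisation of a direct identifier with a keyed hash.

Added example, not code from the original article. The identifier column
is replaced by a pseudonym that cannot be attributed to a person without
"additional information": here a secret key that is stored apart from the
data set. The records, ID format and key are constructed for this demo.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; national_id is the direct identifier.
RECORDS = [
    {"national_id": "19850612-1234", "diagnosis": "hypertension"},
    {"national_id": "19900101-5678", "diagnosis": "asthma"},
    {"national_id": "19850612-1234", "diagnosis": "migraine"},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks pseudonymous but anyone can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held separately from the data.

    The same identifier maps to the same pseudonym, so records belonging
    to one person still link together, but computing (or inverting) the
    mapping requires the key.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return a copy of the records with the identifier column replaced."""
    return [
        {"pseudonym": keyed_pseudonym(r["national_id"], key),
         "diagnosis": r["diagnosis"]}
        for r in records
    ]


def candidate_ids(date_prefix: str):
    """Every ID of the form DATE-NNNN for one birth date: 10,000 guesses.

    Direct identifiers usually live in a small, enumerable space, which is
    what makes unkeyed hashing reversible.
    """
    return [f"{date_prefix}-{n:04d}" for n in range(10000)]


def reidentify_by_enumeration(pseudonym: str, candidates, fn):
    """Dictionary attack: run `fn` over every candidate and compare.

    For the unkeyed hash an attacker can run `fn` directly. For the keyed
    version the attacker can only try guessed keys, which is modelled by
    passing a `fn` bound to a wrong key.
    """
    for c in candidates:
        if hmac.compare_digest(fn(c), pseudonym):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # would live in a separate key store
    guesses = candidate_ids("19850612")

    # Unkeyed: the "pseudonym" is recovered in a fraction of a second.
    print("naive hash reversed:",
          reidentify_by_enumeration(naive_pseudonym("19850612-1234"),
                                    guesses, naive_pseudonym))

    # Keyed: the same attack fails without the key ...
    target = keyed_pseudonym("19850612-1234", key)
    wrong_key = secrets.token_bytes(32)
    print("keyed, attacker without key:",
          reidentify_by_enumeration(
              target, guesses, lambda c: keyed_pseudonym(c, wrong_key)))
    # ... but the controller holding the key can still re-identify.
    print("keyed, controller with key:",
          reidentify_by_enumeration(
              target, guesses, lambda c: keyed_pseudonym(c, key)))

    for row in pseudonymise(RECORDS, key):
        print(row)
```

Two caveats a practitioner should keep in mind. First, because the controller can re-identify records with the key, pseudonymised data is still personal data under GDPR (Recital 26); pseudonymisation reduces risk, it does not remove the data from the regulation's scope. Second, the key must be stored and access-controlled separately from the pseudonymised data set, and the remaining attributes (here the diagnosis) still need the encryption and access controls the rest of Article 32 calls for.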
Organizations should begin now to make data privacy part of their operational cyber security strategy. No matter where your organization sits in the data lifecycle, whether building devices that collect and transmit personal data, collecting personal data, or processing and storing it locally, at the edge, or in the cloud, the security of that personal data is a pressing concern. Attackers regularly target this type of information, and news stories about large data breaches have become commonplace. Every organization that falls within the scope of GDPR must reevaluate its cyber security strategy.
Does your organization need to begin implementing a cyber security strategy? Start with the IEEE online course program Cyber Security for Today’s Environment.
References
Olivi, G. (2017, Nov 24). Cybersecurity and GDPR: Where We are Heading. DLA Piper Privacy Matters.
Press, G. (2017, Nov 26). 60 Cybersecurity Predictions for 2017. Forbes.
Heimes, R. (2016, Jan 6). Top 10 Operational Impacts of the GDPR: Part 1 – Data Security and Breach Notification. IAPP.