Security Roundup: GDPR, Holiday Cybercrime, Exabeam, Oculeus
It’s now been more than six months since the deadline for compliance with the EU’s General Data Protection Regulation (GDPR), and many U.S. firms that process personal data on EU citizens or residents still are struggling with it.
A recent survey by the International Association of Privacy Professionals showed more than half of respondents still haven’t complied with GDPR, and one-fifth said that full compliance may be impossible. Also, the average organization spent $3 million on compliance efforts.
We spoke with Daryl Crockett, president and CEO of ValidDatum, to find out what’s keeping some companies from reaching GDPR compliance. ValidDatum helps clients with data-related project management and services, including data privacy, data security and GDPR compliance.
Many companies remain in denial that the regulations apply to them, she said. But now that the first fines and regulatory actions have started coming out of the EU, the enforcement actions and fines are “really going to increase within North America,” she said.
“What’s happening is they’ve just started to go after the European organizations or companies that these North American businesses are working with, and as these European citizens start to understand they can flex their data subject muscles, then they’ll be able to exercise their rights against North American companies and this will lead to a lot more class-action suits,” Crockett said. “So what we see are these data subjects starting to band together … against the corporate world.”
The biggest problem these companies are starting to run into is the amount of time that it takes to respond to a data subject’s access request, she said. A subject access request requires any company to turn over data it has collected on an individual.
Companies are given 30 days to respond to a data subject’s request, “and that’s a pretty short period of time, especially if you haven’t fully mapped out where all your data is and can put your hands on all the data that might be related to a particular data subject,” Crockett said.
“And the number of requests has started to increase, particularly in Europe, and a lot of the American companies obviously have European operations going on,” she said. “So they’re starting to realize the crush of responding to these data requests is just as bad as what they went through for the initial preparation. And companies are still trying to work through what data do they have, where this data is, who this data is about, why they’re keeping their data and who has access to this data.”
Digital companies likely will have an easier time with these requests, as all of a subject’s information is going to be stored in one place, Crockett said.
“But imagine if you’re a bank and you’ve done two or three transactions for a particular data subject over time, maybe over 10, 15, 20 years; you’re holding a combination of electronic records, emails, paper records and phone slips in a box somewhere,” she said. “If these data subjects know that they’ve done three real-estate transactions with you, and know what they should be expecting … and if you don’t provide that because you don’t have any good way of finding out where this data is within that short period of time, then you’ve got …