Three Things to Know About GDPR Today (Part 1)

Prior to working at Expanse, I worked in different consulting and advisory roles at PwC and Protiviti, largely focused on risk and compliance. My first encounter with the General Data Protection Regulation (GDPR) was working at PwC in London, and some of the largest projects I’ve worked on in my career were centered on achieving GDPR compliance. The stakes were high. If we didn’t meet the deadline for compliance, we were looking at a fine potentially up to 4% of our client’s global revenue. No one really knew how the vague language would be interpreted or how the law would be enforced, but for them, that was a lot of money.

The road to compliance was different for everyone, and it wasn’t easy. Almost two years since GDPR went live, I believe maintaining compliance will still be a challenge for many organizations. This series of articles will explore the concepts and principles that organizations concerned with GDPR compliance should keep in mind.

Principle #1: They weren’t kidding about the fines

Fines for non-compliance with GDPR are determined by a variety of factors (Article 83(2) lists them, including the nature, gravity and duration of the infringement, whether it was intentional or negligent, the technical and organisational measures that were in place, and the action taken to mitigate the damage), and a data breach alone does not mean you will suffer the maximum penalty. This is important to remember because for almost every company out there, it is no longer a question of preparing for if a breach happens, but for when a breach happens. It is therefore up to each company to work out both how best to limit the impact of a breach and which factors will weigh most heavily on the size of the fine.

Vulnerability management that relies on vulnerability scanners alone is simply not enough. Detecting violations of information security policies and procedures weeks or even months after they occur is not enough either. You can write the most sophisticated information security policies, procedures, and programs, but it is all for naught if you are unable to identify when they are violated or improperly implemented. It is important to assess frequently, and honestly, how confident you are that you are meeting the security expectations laid out in GDPR; Article 32 requires not only "appropriate technical and organisational measures" but also a process for regularly testing, assessing and evaluating their effectiveness.

How confident are you that your vulnerability scanners are scanning 100% of your assets and giving you a complete and accurate view of all vulnerabilities? How confident are you that you have the tools to monitor for and identify violations of information security policy? I can tell you from experience that if you are 100% confident, the chances of you being right are quite small.
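The first question above, whether the scanner really covers every asset, is one you can answer with data rather than confidence. The script below is an added example for this post (not code from the original article or from Expanse): it reconciles an asset inventory against the scanner's configured ranges and the hosts the scanner actually observed, and reports assets that were never scanned, assets whose last scan is older than a freshness threshold, and hosts the scanner saw that the inventory does not know about. Every hostname, IP address, range and date in it is constructed sample data; in practice the inventory would come from a CMDB or cloud API export and the scan data from the scanner's own reporting.

```python
"""Reconcile an asset inventory against vulnerability-scanner coverage.

Added example for this post, not code from the original article or from Expanse.
All hostnames, IP addresses, ranges and dates below are constructed sample data
(hypothetical); a real run would pull them from a CMDB/cloud API and the scanner.
"""
import ipaddress
from datetime import date

# Constructed inventory: IP -> hostname, as exported from a CMDB or cloud account.
INVENTORY = {
    "10.0.1.10": "web-01",
    "10.0.1.11": "web-02",
    "10.0.2.5": "db-01",
    "192.0.2.44": "legacy-vpn",      # internet-facing, never added to the scanner
    "198.51.100.7": "marketing-site",
}

# Constructed scanner configuration: target ranges and the date each was last scanned.
SCAN_TARGETS = [
    {"range": "10.0.1.0/24", "last_scanned": "2020-03-01"},
    {"range": "10.0.2.0/24", "last_scanned": "2019-11-15"},   # stale result
    {"range": "198.51.100.7/32", "last_scanned": "2020-03-02"},
]

# Constructed list of live hosts the scanner actually observed inside its ranges.
SCANNER_LIVE_HOSTS = ["10.0.1.10", "10.0.1.11", "10.0.1.200", "10.0.2.5", "198.51.100.7"]


def reconcile(inventory, scan_targets, live_hosts, today, max_age_days=30):
    """Classify every inventory asset as covered, stale, or unscanned, and flag
    hosts the scanner saw that the inventory does not know about.

    Returns a dict with lists 'covered', 'stale', 'unscanned', 'unknown' and a
    float 'coverage' (fraction of inventory assets with a fresh scan)."""
    networks = [
        (ipaddress.ip_network(t["range"], strict=False), date.fromisoformat(t["last_scanned"]))
        for t in scan_targets
    ]
    covered, stale, unscanned = [], [], []
    for ip_str, name in sorted(inventory.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        ip = ipaddress.ip_address(ip_str)
        # An asset may fall in several ranges; the most recent scan of any of them counts.
        scan_dates = [last for net, last in networks if ip in net]
        if not scan_dates:
            unscanned.append((ip_str, name))
        elif (today - max(scan_dates)).days > max_age_days:
            stale.append((ip_str, name, max(scan_dates).isoformat()))
        else:
            covered.append((ip_str, name))
    # Hosts the scanner found that nobody inventoried: unknown assets are the
    # ones most likely to be missing patches, logging and policy controls.
    unknown = sorted(h for h in live_hosts if h not in inventory)
    coverage = len(covered) / len(inventory) if inventory else 0.0
    return {"covered": covered, "stale": stale, "unscanned": unscanned,
            "unknown": unknown, "coverage": coverage}


def report(result):
    """Render the reconciliation as a short text summary."""
    lines = [f"Fresh scan coverage: {result['coverage']:.0%} of inventory"]
    for ip, name in result["unscanned"]:
        lines.append(f"UNSCANNED  {ip:<15} {name}")
    for ip, name, last in result["stale"]:
        lines.append(f"STALE      {ip:<15} {name} (last scanned {last})")
    for ip in result["unknown"]:
        lines.append(f"UNKNOWN    {ip:<15} seen by scanner, not in inventory")
    return "\n".join(lines)


def run_sample():
    """Run the reconciliation over the constructed sample with a fixed 'today'
    so the output is reproducible."""
    return reconcile(INVENTORY, SCAN_TARGETS, SCANNER_LIVE_HOSTS, date(2020, 3, 10))


if __name__ == "__main__":
    print(report(run_sample()))
```

On the sample data the script reports 60% fresh coverage: the internet-facing legacy VPN box is outside every scan range, the database subnet was last scanned almost four months ago, and the scanner has seen a host at 10.0.1.200 that no one inventoried. The freshness threshold (30 days here) should match whatever scan cadence your own policy promises, since a policy that promises monthly scans is itself violated by a range that has not been scanned since last quarter.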

The answers to these questions are instrumental to securing your assets, and whether or not you can answer them at all says a lot about where you stand on GDPR compliance and about the risk you are carrying should you experience a data breach.

Check back next week for the next post in this series and additional considerations to keep in mind for GDPR compliance.

Kelsey Henry is a Technical Account Manager at Expanse. This is the first post in a three-part series on GDPR compliance.