The UK’s Information Commissioner’s Office (ICO) has warned that organizations could be punished for existing vulnerabilities when the EU General Data Protection Regulation (GDPR) is enforced. The same penalties will apply to US organizations that process EU residents’ personal data.
The GDPR comes into effect on May 25, 2018, and organizations that fail to identify and patch vulnerabilities before this date face strict disciplinary measures. The ICO has said that fines will be a last resort, and that the Regulation’s maximum penalty of €20 million (about $23.8 million) or 4% of annual global turnover – whichever is greater – will be reserved for only the most egregious violations, but any disciplinary action could be costly.
Any non-compliant organization faces enforcement action, including an investigation into their practices and a mandate to address any processes that fall short of the GDPR’s requirements.
Preparing for the GDPR
New laws aren’t usually retroactive, but the ICO’s statement makes clear that a vulnerability left unpatched before the enforcement date can still count against an organization afterwards, which underlines the importance of patch management. There are a handful of ways that organizations can manage patches, but the process should always involve regular penetration testing.
Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organization, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
Testing offers an affordable, repeatable method for identifying vulnerabilities in your infrastructure and web applications. It also demonstrates that your organization takes security seriously, which strengthens your stakeholders’ trust and can help mitigate any regulatory action from supervisory authorities in the event of a breach.
Training can help your organization along with GDPR compliance
Penetration testing is not the only element of GDPR compliance; staff training is another. The current cyber threat landscape means that businesses subject to the GDPR need to achieve and maintain compliance, and business leaders need to be aware of the risks associated with cyber attacks and of the importance of being able to respond to and recover from them.
The EU GDPR Practitioner Training Course will teach attendees how to meet the requirements of the GDPR. Discover the tools and methods for implementing and managing an effective compliance framework, and how to fulfill the data protection officer role.