HIPAA Security: Assess additional security needs

Q. How should a small to mid-sized business prepare for the General Data Protection Regulation?
Friday, December 29, 2017

A. The GDPR, effective May 25, 2018, imposes a number of new data protection obligations on everyone who does business in and with the European Union. EU data protection law will extend to all foreign companies processing the data of EU residents.

One of the key requirements is that SMBs must have technical solutions and organizational measures in place that demonstrate compliance.

Another important change is the replacement of Safe Harbor by Privacy Shield, which requires companies to self-certify in order to join the new framework.

SMBs need a solid foundation on which to build their compliance program. Make sure you understand the measures you already have in place so that you invest where it’s needed.

Organizations are increasingly storing and sharing data via cloud-based services that provide good encryption and key management. However, to protect the personal and sensitive data defined by the GDPR, you will need additional data security measures.

GDPR will require data to be protected wherever it may be stored, accessed or processed. GDPR will also require protection for a wider data set, including hidden data such as digital identifiers, IP addresses and cookie IDs, as well as a person's name, address and Social Security number.

Encryption will need to cover the data on computers, background copies that are downloaded by apps, copies shared between staff and third-party subcontractors on removable media, hidden data such as author details embedded in documents, IP addresses embedded in emails, and login credentials stored by browsers.

Heavy fines, up to 4% of the total worldwide annual turnover, will be issued for noncompliance. SMBs will need to determine whether it is cheaper to comply or just not do business with the EU.

Ebba Blitz is CEO of AlertSec.