The GDPR 90-Day Countdown is on! (No Need to Freak Out)
May 25, 2018 is a day that many organizations have (or should have) marked on their calendars as a game-changing moment for their business. That’s the “go-live” date for the European Union’s General Data Protection Regulation (GDPR). As I previously wrote, this truly is a groundbreaking piece of legislation that should be taken very seriously. And if you read the countless GDPR-related research reports and surveys, it’s clear that few (if any) US companies impacted by the regulation will be fully compliant in the next 90 days.
Yet, I’m here to tell you there is no need to panic.
But if virtually no organization is fully GDPR compliant by May 25, how does one properly assess GDPR risk? This is where it is critical to understand the cultural differences between US and EU regulators. US regulators tend toward absolutism—you are either fully in compliance or you are not. EU regulators are more nuanced and focused on “intent to comply” rather than literal box-checking compliance. Because of this, May 25 should not be interpreted as a date for full GDPR compliance. Rather, it is a date by which companies must be able to prove their intent to comply. To do this, organizations should achieve the following three objectives by May 25.
Goal 1: Know where your GDPR-relevant data is located. Companies need to understand where this data is located, and who has access to it. Once you know this, you can start taking the appropriate steps for protecting that data. You can walk into your legal department and say, “I’m collecting this kind of data from EU citizens,” and ensure they have the right contracts in place to authorize that kind of data collection. Then you can make sure you have the right process controls in place to protect the data. Knowing where your data is located, making sure your data collection practices are legal, and having the controls in place to protect that data are all key milestones to have in place by the May 25 deadline.
Goal 2: Develop a compliance plan. This is where we get into the difference between US and EU regulators. As I said earlier, US regulators lean toward the “absolutist” side of the house, while EU regulators view GDPR compliance as a process. As such, having a compliance plan in place by May 25 will dramatically reduce the risk of penalties. You won’t be in full compliance with GDPR, but being able to hand an EU regulator a compliance plan and say, “Here is how we plan to get to GDPR compliance,” will do a world of good. So, when you think about it, if you achieve goals 1 and 2, you can say to a regulator, “I know where my data is located, I know who has access to it, I understand my controls, I’ve confirmed my collection processes are legal, and I can report on all of this.” For the initial stage of GDPR, having a plan should keep your company out of immediate trouble.
Goal 3: Prioritize GDPR with the rest of your security program. This does not fall under the literal “GDPR compliance” category, but it is important not to repeat the mistakes of the past. With other major regulations like HIPAA, Sarbanes-Oxley and PCI, too often companies would drop everything and just focus on achieving compliance. In doing this, they neglected other parts of their security programs, causing the self-defeating situation where achieving compliance actually made them less secure. This is why we saw an explosion of medical data breaches even when most healthcare organizations were in compliance with the HITECH Act. As companies draw closer to the GDPR deadline, it is critical to build a strategic plan that prioritizes GDPR activities against everything else that needs to be done in the security program. This way you can meet your core security requirements while moving toward GDPR compliance.
Let me be clear. The EU is going to be penalizing companies. I fully expect regulators to make examples out of organizations that are woefully out of compliance, and the penalties are going to hurt. But if companies can achieve the above-listed goals, they will not be deemed “woefully out of compliance” and can progress down the road to GDPR in a safe and sane way—making that May 25 deadline much less daunting.
January 31, 2017