The legislation itself
As you’d expect, the EU’s 1995 data protection rules govern how personal data is collected, what it is used for and dictates that organizations have an obligation to protect it from misuse.
The key changes to the reform that will make organizations sit up and take notice are:
- Serious data breaches will have to be notified as soon as possible (if feasible within 24 hours)
- Penalties will be increased. For example, in the UK at present, the ICO can penalize organizations up to £500K. Under the revised legislation this would increase to €1 million or up to 2% of the global annual turnover of a company.
The rulings date back to 1995 when the internet was virtually unheard of by many. While this technological advancement has revolutionized the way many businesses operate – in fact some wouldn’t even exist without it, it has also introduced a number of challenges.
For instance an organization’s perimeter is no longer restricted to physical or even geographical boundaries. While good for trade in allowing practically any business to operate internationally, it can also allow hackers in to, and facilitate the easy transfer of corporate data out of, the safe confines of the network.
Unlike the physically connected desktops of 1995, today data can be transmitted wirelessly between a myriad of devices – Laptops, Smartphones, Tablets, USB sticks and the list goes on. The challenge for organizations is to prevent this multitude of endpoints facilitating data seepage.
Security from the outside
Unfortunately, short of locking data away and never allowing anyone to access it, there is no one thing that can be done to minimize the risk of data breaches. Equally true, doing nothing is unacceptable and leaves the enterprise exposed to risk.
Organizations need to mesh together appropriate procedures and policies to wrap the network in a security blanket that controls how data is accessed and what can be done with it.
The use of domains introduces control for specified groups of users and/or servers through a central security database. Once authenticated to a central server (or domain controller) users’ access to specific services, applications and directories can be restricted according to their job function or security clearance.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.