Data-centric security for the Enterprise

The General Data Protection Regulation (GDPR) is the most sweeping set of privacy regulations enacted by any governing body to date, in this case, the European Commission. The GDPR centers on the personal data of Data Subjects in the EU (and in the UK, which is honoring the GDPR even in the wake of Brexit) residing in the systems of any organization on the planet. Enacted by the EC in 2016 with a two-year assimilation and preparation period, and now in effect as of 25 May 2018, the GDPR is a reaction (some might argue, an overreaction) by the public sector to the general failure by the private sector to sufficiently address how organizations make use of the data they collect on private individuals.

Much has been written about the GDPR, and this white paper (see below) offers an enhanced perspective on the subject, but in short, every organization on the planet needs to care about the GDPR, because failure to comply with its provisions ignores risk, disrespects the privacy and privacy concerns of consumers, and can hit an organization hard financially. The EC will assess penalties for non-compliance of either €10 million (in excess of USD 11 million at time of publication) or 2% of “worldwide annual turnover” (an organization’s annual revenue) for what one might term standard violations and, for the most serious violations, penalties of either €20 million (more than USD 23 million) or 4% of worldwide annual turnover/revenue.

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures designed to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information. Jointly created in 2004 by credit card issuers Visa, MasterCard, Discover, and American Express, the PCI establishes fines of up to $500,000 per incident for security breaches when merchants are not PCI-compliant.

The good news is that by adopting a truly effective enterprise-wide data security strategy, organizations can avoid financially crippling, reputation-shredding battles and their increasingly global customer bases over privacy – while establishing a rock-solid foundation for cybersecurity best practices that supports the organization’s business objectives in all areas.

This white paper explores these issues and discusses the foundation for such a strategy. It looks at practical ways of tackling the issues and provides a use case for ‘data-centric security in action’.