Guest blog by Peter Klint, Senior Director Northern Europe Network and Security, VMware
It’s getting closer. You’ve probably heard a great deal about a new regulation called the GDPR (General Data Protection Regulation), agreed by the European Parliament, the Council and the European Commission late last year. Because it is a regulation rather than a directive, the GDPR applies directly in all 28 European Union (EU) member countries, replacing the 1995 Data Protection Directive and the patchwork of national laws that implemented it. It applies to enterprises and public organisations inside and outside Europe that process the personal data of people in the EU, and it requires them to strengthen and enforce the security of that data.
Although the GDPR does not apply until 25 May 2018, less than two years away, businesses need to start reviewing their processes and security strategies now. But what needs to be done, and how can you do it? We can help you through our virtualized networking platform, NSX. While there is a lot to consider before the regulation takes effect, there are some crucial points to understand and act on immediately:
1. What do you need to know?
The new regulation is being introduced to protect the processing, use and exchange of all personal data collected for (or about) citizens and residents of the EU. It brings consistency to the current data protection laws across EU member states, provides guidance on how customer data should be stored and how companies must respond in the event of a data breach. This all means significant changes to your operations in order to maintain compliance.
Critically, tough financial penalties can be imposed on businesses that fail to meet their obligations, including failing to protect personal data: fines of up to four percent of global annual turnover for the previous financial year, or €20 million (£15.8m) – whichever is greater.
2. What do you need to do?
The changes you will need to make to your operations to comply with the regulation are wide-ranging, but feature four key actions.
- Firstly, you may need to appoint a Data Protection Officer (DPO). The requirement is not tied to company size or to a fixed number of records: it applies to public authorities, and to any organisation whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of personal data (such as health data) or data on criminal convictions. The DPO’s role is similar to that of a Compliance Officer: informing and advising the business on its obligations, monitoring compliance (including the security of personal data and how cyber-attacks affecting it are handled), and acting as the point of contact for the supervisory authority and for data subjects.
- You may also be required to carry out a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals, for example large-scale processing of sensitive data or systematic monitoring. A DPIA describes the processing, assesses its necessity and the risks to data subjects, and records the measures taken to address those risks. The DPO advises on the DPIA and monitors how it is carried out, and where the assessment shows a high residual risk you must consult the supervisory authority before the processing begins. The supervisory authority can also ask to see your DPIAs and records of processing, so keep them current.
- You will also be required to report data breaches without undue delay. The controller (with the DPO as the point of contact) must notify the Supervisory Authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them. For data security professionals, the pressure is now even greater: you need the logging and detection in place to know that a breach has happened and to scope it within that 72-hour window, as well as to prevent data loss incidents in the first place and keep the business out of the headlines.
- Finally, now is the time to examine data protection by design and by default. This means building data protection measures into your products and services from the earliest stage of development, and making privacy-friendly defaults the norm: collect only the personal data you need, keep it only as long as you need it, and do not expose it to more people or systems than necessary. It is likely that the GDPR will incentivise businesses to innovate and develop new ideas, methods, and technologies for security and the protection of personal data.
3. VMware NSX can help
With all of these changes in the pipeline, I advise you to look closely at how you store, handle and exchange data in the face of an evolving threat landscape. VMware NSX allows you to deploy security controls inside the data center network, at each workload’s virtual network interface, for a fraction of the cost of a hardware equivalent through the micro-segmentation model. No product is “GDPR compliant” on its own, but controls that limit which systems can reach personal data, and that are simple to implement and to audit, go a long way towards the technical measures the regulation expects, and leave you well prepared for the forthcoming changes.
VMware NSX offers a zero-trust security model inside the data center: every workload sits behind its own distributed firewall policy, so traffic between workloads is denied unless it is explicitly allowed, even when they share the same network segment. It allows businesses to protect sensitive data processed by their applications and to adjust the security posture of each workload in real time. When a partner security service flags a VM as compromised, NSX can automatically quarantine it by changing its security-group membership, so the tighter policy follows the VM without anyone editing firewall rules.
The solution offers three modes of security for data center networks:
- Fully isolated virtual networks
- Segmented virtual networks (via high-performance, fully automated firewalling native to the NSX platform)
- Segmentation combined with advanced security services (intrusion detection, anti-malware and the like) from our security partners
Together these let you monitor the data center for attacks in real time, contain a threat to the workload where it was found, and apply our partners’ latest protections to the workloads that hold your data.
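As an added, vendor-neutral illustration of the micro-segmentation model and tag-driven quarantine described above (example code written for this page, not VMware’s code or the NSX API; the group names web/app/db/forensics/quarantine, the rules and the host names are all invented), here is a toy policy evaluator in Python:

```python
"""Toy model of zero-trust micro-segmentation with tag-driven quarantine.

Added illustration, not VMware's code or the NSX API: the security groups,
the rules and the VM names are invented, and `evaluate` stands in for a
distributed firewall that checks policy at each VM's virtual NIC. It shows
default deny, only the expected tier-to-tier hops allowed, and quarantine by
re-tagging a VM rather than by editing rules.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

TIERS = {"web", "app", "db", "forensics"}


@dataclass
class VM:
    name: str
    tags: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Rule:
    src: str             # security group name, or "any"
    dst: str             # security group name, or "any"
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"


def groups_of(vm: VM) -> Set[str]:
    """Security-group membership is derived from tags, so re-tagging a VM
    changes which rules apply to it. A quarantine tag overrides the tier."""
    if "quarantine" in vm.tags:
        return {"quarantine"}
    return vm.tags & TIERS


# Rule table, evaluated top to bottom, first match wins.
POLICY = [
    # Quarantined VMs may only be reached by the forensics host over SSH.
    Rule("forensics", "quarantine", 22, "allow"),
    Rule("quarantine", "any", None, "deny"),
    Rule("any", "quarantine", None, "deny"),
    # Three-tier application: only the expected hop on the expected port.
    Rule("any", "web", 443, "allow"),
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 5432, "allow"),
]
DEFAULT_ACTION = "deny"  # zero trust: anything not explicitly allowed is dropped


def evaluate(src: VM, dst: VM, port: int) -> str:
    """Return the action for a flow src -> dst:port under POLICY."""
    src_groups = groups_of(src) | {"any"}
    dst_groups = groups_of(dst) | {"any"}
    for rule in POLICY:
        if rule.src in src_groups and rule.dst in dst_groups and rule.port in (None, port):
            return rule.action
    return DEFAULT_ACTION


def quarantine(vm: VM) -> None:
    """Automated response to a partner IDS/anti-malware verdict: add a tag.
    No rule is edited; the policy follows the VM via its group membership."""
    vm.tags.add("quarantine")


def demo() -> dict:
    """Constructed sample workloads; returns the verdict for each flow."""
    internet = VM("internet-client")  # no tags, no group: only "any" rules apply
    web1, web2 = VM("web-1", {"web"}), VM("web-2", {"web"})
    app1, db1 = VM("app-1", {"app"}), VM("db-1", {"db"})
    forensics = VM("forensics-1", {"forensics"})

    verdicts = {
        "internet->web-1:443": evaluate(internet, web1, 443),  # allow
        "web-1->app-1:8080": evaluate(web1, app1, 8080),       # allow
        "web-1->web-2:22": evaluate(web1, web2, 22),           # deny: no lateral movement
        "web-1->db-1:5432": evaluate(web1, db1, 5432),         # deny: tier skipped
        "internet->db-1:5432": evaluate(internet, db1, 5432),  # deny
    }
    quarantine(web1)  # e.g. anti-malware flagged web-1 as compromised
    verdicts["quarantined web-1->app-1:8080"] = evaluate(web1, app1, 8080)          # deny
    verdicts["internet->quarantined web-1:443"] = evaluate(internet, web1, 443)     # deny
    verdicts["forensics-1->quarantined web-1:22"] = evaluate(forensics, web1, 22)   # allow
    return verdicts


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{action:5}  {flow}")
```

The point to take away is that web-1 to web-2 is dropped even though both hosts sit in the same tier and could share a subnet, and that quarantining changes nothing in the rule table, only the VM’s tag. In a real deployment the evaluator is the distributed firewall and the tag is set by the partner service; the shape of the policy is what you would record in a DPIA as the technical measure limiting which systems can reach personal data.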
By following these best practice guidelines for data center security, the GDPR does not need to become a significant obstacle to your business operations and can even help your business to become more competitive. To find out more, visit our GDPR microsite.