Sounds Like HIPAA

In a highly recommended series of blog posts, Nasdaq is taking companies through a step-by-step process to ensure GDPR compliance.  The first step is to raise awareness and provide a complete audit trail of consumer data, from the point of collection through every point of storage and usage.  For anybody in the healthcare space, this requirement sounds a lot like HIPAA.  As a result, many companies might assume that simply filing the correct paperwork will be sufficient.

That thinking is wrong.

GDPR Has Teeth

Unlike most earlier privacy regimes, the GDPR is backed by active enforcement, and that translates into a need for fully functional systems rather than documents.  A GDPR assessment is not a glorified contract review.  Instead, it examines the systems in place and how those systems are actually being protected.  Think of engineers visiting your facilities instead of lawyers.

For anybody deploying a connected device, whether a medical device, a PoS terminal, a smart car or an appliance, this approach has major ramifications.  Given the frequently cited estimate that over 70% of connected devices have no meaningful protection, the sudden exposure to significant fines (up to 4% of annual worldwide turnover or €20 million, whichever is higher) should be scaring most companies.  It is not sufficient to protect the data only after it has reached some secure location: the information has to be actively protected from the first moment of collection, on the device itself and in transit.

Validated Efforts Help

While the impending GDPR obligations appear daunting, a period of adjustment is widely expected.  The regulation itself became enforceable on 25 May 2018 after a two-year transition and contains no formal grace period, but data protection authorities have indicated that enforcement will be proportionate and that demonstrable, good-faith efforts to lock down systems will be taken into account.  Informally, this period of leniency is often thought to run through May of 2019, but no such date exists in the regulation and none has been set by the EU.

What is clear is that many of these efforts will necessarily revolve around the use of secure devices.  Such devices will need to enforce a potentially evolving set of privacy rules, and to do so in a way that can be proven and audited at any time: which policy version was in force, what data was collected, for what purpose, and whether each use was permitted.  The only type of security system that can handle these requirements is a policy-based solution.  In traditional enterprises, Active Directory played that role for humans, centralising identity and group policy for users and their workstations; now companies need something similar, but focused on connected devices.
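To make the requirement concrete, here is a small added example (not code from the original post or from any product it mentions) of what "policy-based" and "auditable at any time" mean in practice on a device. A hypothetical engine evaluates every collection or usage request against a versioned policy, defaults to deny, and appends each decision to a hash-chained audit log so that a later edit or deletion is detectable. The data categories, purposes, retention values and policy versions are constructed for illustration.

```python
"""Policy-driven data-handling check with a tamper-evident audit trail.

Added example, not code from the original post.  Models a connected device
(hypothetical names throughout) that enforces a versioned privacy policy at
the point of collection and records every decision for later audit.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed sample policy: which purposes each data category may be used
# for and how long it may be retained (days).  Names are illustrative.
POLICY_V1 = {
    "version": 1,
    "rules": {
        "heart_rate": {"purposes": {"treatment"}, "retention_days": 30},
        "location": {"purposes": {"device_diagnostics"}, "retention_days": 1},
    },
}

# A later revision that extends what "heart_rate" may be used for.
POLICY_V2 = {
    "version": 2,
    "rules": {
        "heart_rate": {"purposes": {"treatment", "research"}, "retention_days": 30},
        "location": {"purposes": {"device_diagnostics"}, "retention_days": 1},
    },
}


@dataclass
class AuditEntry:
    seq: int
    policy_version: int
    category: str
    purpose: str
    decision: str
    prev_hash: str
    digest: str = ""

    def compute_digest(self) -> str:
        # Canonical JSON of every field except the digest itself, so the
        # hash commits to the decision and to the policy version in force.
        body = json.dumps(
            [self.seq, self.policy_version, self.category, self.purpose,
             self.decision, self.prev_hash],
            separators=(",", ":"),
        )
        return hashlib.sha256(body.encode()).hexdigest()


class PolicyEngine:
    """Evaluates requests against the active policy and appends a
    hash-chained audit entry for every decision, allowed or not."""

    GENESIS = "0" * 64

    def __init__(self, policy: dict):
        self.policy = policy
        self.log: list[AuditEntry] = []

    def update_policy(self, policy: dict) -> None:
        # Policies must only move forward so the trail is unambiguous.
        if policy["version"] <= self.policy["version"]:
            raise ValueError("policy version must increase")
        self.policy = policy

    def request(self, category: str, purpose: str) -> bool:
        rule = self.policy["rules"].get(category)
        # Default deny: unknown categories or unlisted purposes are refused.
        allowed = rule is not None and purpose in rule["purposes"]
        prev = self.log[-1].digest if self.log else self.GENESIS
        entry = AuditEntry(
            seq=len(self.log),
            policy_version=self.policy["version"],
            category=category,
            purpose=purpose,
            decision="allow" if allowed else "deny",
            prev_hash=prev,
        )
        entry.digest = entry.compute_digest()
        self.log.append(entry)
        return allowed

    def verify_chain(self) -> bool:
        """Recompute every digest and link; any edit or deletion breaks it."""
        prev = self.GENESIS
        for i, entry in enumerate(self.log):
            if entry.seq != i or entry.prev_hash != prev:
                return False
            if entry.compute_digest() != entry.digest:
                return False
            prev = entry.digest
        return True


def demo() -> list:
    """Run a short constructed scenario; returns the sequence of decisions."""
    engine = PolicyEngine(POLICY_V1)
    results = [
        engine.request("heart_rate", "treatment"),   # allowed under v1
        engine.request("heart_rate", "research"),    # denied under v1
        engine.request("location", "marketing"),     # never allowed
    ]
    engine.update_policy(POLICY_V2)
    results.append(engine.request("heart_rate", "research"))  # allowed under v2
    assert engine.verify_chain()
    # Altering a recorded decision after the fact is detectable.
    engine.log[1].decision = "allow"
    assert not engine.verify_chain()
    return results


if __name__ == "__main__":
    print(demo())  # [True, False, False, True]
```

The point of the chain is that an auditor can replay the log and see not just what the device did, but which policy version justified each decision; on a real device the per-entry digest (or a periodic checkpoint of it) would be signed with a device-bound key so the trail can be attested off-box, which this example omits.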

And these companies need these policy-driven security devices now.