In the last week both British Airways (BA) and Marriott Hotels have hit the headlines because of eyewatering GDPR fines – $229 million for BA and $123 million for Marriott.
The fines show that the GDPR (General Data Protection Regulation), has given enforcers like the UK’s ICO (Information Commissioner’s Office), some serious teeth. BA’s fine is almost 400 times larger than the ICO’s previous record fine – a $645,000 penalty handed to Facebook for the Cambridge Analytica scandal.
With these new fines in mind, it’s a good time to make sure you’ve minimized your risk of being next in line.
GDPR is focused on protecting European Union citizens and it applies to anyone who holds personal data on an EU citizen, wherever in the world you are based. Marriott, a U.S. organization, is a case in point.
Here are five best practices we recommend all organizations follow to minimize the risk of a GDPR data loss fine:
- Patch early, patch often. Minimize the risk of a cyberattack by fixing vulnerabilities that can be used to gain entry to your systems illegally. There is no perimeter, so everything matters: patch everything.
- Secure personal data in the cloud. Treat the cloud like any other computer – close unwanted ports and services, encrypt data and ensure you have proper access controls in place. And do it on all your environments, including QA and development.
- Minimize access to personal data. Reduce your exposure by collecting and retaining only the information you need, and making sure the only people with access to it are the people who need it to do their jobs.
- Educate your team. Ensure that everyone who might come in to contact with personal data knows how they need to handle it – this is a GDPR requirement.
- Document and prove data protection activities. Be able to show that you have thought about data protection, and have taken sensible precautions to secure personally identifiable information.
Sophos can help
First up, to minimize the risk of attackers getting to your data, we offer a complete portfolio of cybersecurity solutions, including Intercept X endpoint protection and XG Firewall. Check them out with our free online demos today.
If you’re using Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platforms (GCP), take a look at our guide to Securing the Public Cloud: Seven Best Practices. It explains what you are (and are not) responsible for, and how to protect data and workloads in the public cloud.
When a laptop goes missing, you need to be able to show it was encrypted. Sophos Central Disk Encryption is the easiest way to centrally manage BitLocker and FileVault encryption, and to prove that you have it deployed.
Think about how much personal data you have on your work mobile phone – it’s just as much a security risk as your laptop. Sophos Mobile enables you to remotely lock and wipe a lost mobile device – and also demonstrate that it is encrypted.
Sophos Disk Encryption and Sophos Mobile are available through Sophos Central. If you’re already using Central you can start a free trial in a couple of clicks from within your console. If you’re not, download a free trial today.