According to research conducted by Palo Alto Networks and IDC, most organisations think that they are already compliant with NIS directives, with just eight per cent believing that they won’t be ready in time. However, as it is still possible that the directive may change as it is adopted by member states legal frameworks, nobody can be sure that they would be compliant at this time. Nonetheless, 92% of respondents think that they are already ready for NIS, or expect to be ready on time as they are preparing now with a slightly lower 86% for GDPR regulations.
These numbers sound extremely positive until you dig a little deeper. Of these companies, 38% reported that they thought they were working to meet a 2017 deadline. 14% to 2016 and more worryingly, 6% thought it was 2019 or weren’t sure when it was. These responses contrast with our understanding of the readiness of the organisations surveyed. They highlight the gap between the perception and reality of preparation.
You may need help
Companies may find that they have to invest in skills and resource to help them implement the new legislation. Organisations of a certain size will have to appoint a data protection officer to inform and advise the business, monitor compliance, assess performance, conduct data protection impact assessments and evaluate risks. You might need someone to design the process you intend to design to meet the ‘right to be forgotten’ element.
You may require experts who can help you with data flow mapping and gap analysis. And to implement technical or organisational measures for ISO 27001. Citizens will have many more rights when it comes to the data you hold on them:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object and
- rights related to automated decision making and profiling.
All of these are actionable tasks that will require more resource than you currently have.
You need to know what your company’s position on ‘state-of-the-art’ is and invest in security technologies that carefully consider identity, privacy, data protection, mobility and cyber threats in your security management platform. To be compliant, you are required to have “state of the art” security solutions and technology partners that allow your organisation to predict and prevent attacks, detect a potentially dangerous presence in your networks and respond quickly to that threat. And finally, have the ability to analyse and report on the health of your networks in real time.
The European legislation is larger than you might envisage at this stage. It comes into effect in Spring 2018 and so these types of considerations will need to be made before then.