With the changes in EU regulation that GDPR introduces, specifically relating to how the personal data of EU citizens must be handled, organisations are facing fresh challenges in how they prove compliance. GDPR brings particular burdens with the ‘Privacy by Design’ mandate that requires data privacy is part of the system design process from day one.
Failing to comply with GDPR could result in fines equal to 4% of Global revenue or ₠20m, whichever is greater.
High velocity innovation is accepted as a necessity to remaining competitive in our increasingly digital industries, but with regulatory responsibilities, such as GDPR, we need to guarantee we’re not exposing our businesses to reputational, legal, or financial risk.
Many organisations tell me that they’re compromising their ability to move fast with their security responsibilities. Based on a Gartner report, 81% of IT operations professionals say they believe information security policies slow them down.
We’re doing the DevOps; it makes our software deployment faster, we’re much better at shipping the things our customers want. The problem with moving quickly is that we’re potentially shipping insecure system changes or code vulnerabilities more rapidly too.
I see a lot of organisations running scans on production systems only – it’s already too late at this point. Others have quarterly audit cycles – what happens in between audits? Does configuration drift, are there unknown risks? How about the cost of meeting the audit requirements?
According to a recent Chef survey of IT practitioners and decision-makers, 22% of respondents test compliance inconsistently and 23% don’t test at all. When GDPR becomes enforceable in May of 2018, this lack of visibility may become very costly. Many organisations are faced with an unpleasant choice: slow down and become less responsive to customers, or risk steep GDPR penalties.
Continuous automation is the foundation of a high velocity, software-focused organisation. When we treat compliance this way, we get out of reactive mode and make our applications continuously compliant by applying the DevOps principle – everything as code – to the GDPR controls supporting the privacy by design mandate. We do this at the start of the project, not as an afterthought.
By doing this we can put our code based compliance controls through the normal development workflow: we can test them, version them, apply them at scale and easily modify them. Most importantly it makes the controls incredibly easy to collaborate on by treating them as any other code asset in your software development process. Running compliance scans becomes as common as running unit tests.
Compliance becomes part of our development stage, our testing environments, and our production systems. We can execute scans every time we make a change, on a regular schedule or as a triggered event. Anyone in our IT org, or business as a whole, can access real time compliance data on demand and use this information to correct any issues that need to be remediated.
The average idle time before identifying a system breach is thought to be 200 days. In a GDPR audit this could cost your business 4% of its global turnover. Imagine if you could identify this on an engineering team’s development workstation before it gets anywhere near a production like system. How would this ability change your business?
Continuous automation provides an inherent solution for complying with the GDPR privacy by design mandate. At Chef, we help customers on a journey to continuous automation that starts by detecting issues that could impact GDPR compliance, moves on to correcting those issues and proving compliance, then puts in place automation to make applications continuously compliant. Our continuous automation platform, Chef Automate, is designed to help organisations achieve success on that journey while reducing risk, improving efficiency, and increasing speed at each step.
It’s important that, as GDPR looms on the horizon, we make the necessary changes to ensure we’re meeting the standard, but this is not easy. I see the introduction of GDPR as an opportunity to rethink how we handle our overall compliance responsibilities in our businesses, and how evolving our InfoSec operations can be part of a larger digital transformation. As a first step, get visibility across your fleet to detect existing compliance risks and prioritize subsequent actions.