GDPR and Mainframe: What You Need to Know

Is your enterprise ready for the upcoming European General Data Protection Regulation (GDPR)? If you’re not sure, you’re not alone.

A recent survey of mainframe users found that only 25 percent of IBM mainframe customers are confident that their security system is GDPR compliant. The survey, conducted at the annual GSE UK Conference for IBM mainframe users, also revealed that 31 percent of mainframe customers think they aren’t compliant, while 40 percent don’t know their status. And perhaps most concerning, 4 percent aren’t sure what the GDPR is.

The EU’s GDPR, which goes into effect May 25, 2018, will give consumers more say over what companies can do with their data. Even if your business isn’t based in the EU, don’t think you’re off the hook. Any organization that handles data belonging to EU residents will be subject to the new rules.

The GDPR will also have the benefit of standardizing data protection rules throughout the EU, creating a clearer, simpler legal environment for businesses. The EU estimates that this will save businesses a collective €2.3 billion per year.

That is, if businesses are prepared enough to avoid the looming costs of GDPR compliance. These include implementation costs, but as an incentive to speed compliance, the GDPR will also introduce tough fines for non-compliance and data breaches. The most serious violations could result in fines of up to €20 million or 4 percent of annual revenue (whichever is higher). According to one study, fines levied by the Information Commissioner’s Office (ICO) against UK companies last year would have been £69m under the new GDPR rules, rather than the £880,500 actually imposed.

How Can Mainframers Prepare?

What steps should mainframers be taking between now and May 25? Most importantly, make efforts to be compliant. There are a lot of specific rules you’ll need to follow, so this will take a coordinated, concerted effort throughout your organization. The key takeaway is that you’ll need to take steps to bolster mainframe security.

In the previously mentioned survey, 86 percent of respondents agreed that “tougher regulations such as GDPR are among the main reasons for making access to mainframes more secure.” Mainframers are also rightly worried about the increasing sophistication of hackers. Another area of concern is that today’s mainframe is typically connected to the Internet, which widens its attack surface compared with the isolated systems of the past.

Mainframe security is often handled by security products like RACF. However, it can be strengthened further by adopting additional measures that vendors like IBM are currently championing.

Mainframe security experts overwhelmingly agree that data encryption is an essential way of securing the mainframe, especially in the context of regulations like GDPR. GDPR will require businesses to report data breaches within 72 hours, and they will face heavy fines unless the organization can prove that the affected data was encrypted and the encryption keys were protected.

To that end, IBM released IBM Z®, which is capable of handling 12 billion encrypted transactions a day.

Authenticating users via multi-factor authentication (MFA) is another important security measure. MFA provides a more secure alternative to traditional password-only access: each additional factor increases the assurance that the person or system requesting access is who, or what, they claim to be.

Data minimization is another strategy that may prove useful under the new rules. Mainframers can limit exposure by restricting the personal data that’s collected and stored to the absolute minimum necessary.

What are you doing to ensure that your enterprise is GDPR-ready?

For more on mainframe security and other mainframe topics, check out the SHARE Content Center.
