For the first time in 20 years, when the EU’s General Data Protection Regulation comes into force in 2016, we will have data protection laws that are in line with the way businesses handle data. The existing data protection laws were drafted at a time when data was housed in on-site servers and rarely left the perimeter. Nowadays, security means protecting data, often in the cloud in the form of documents, forms and databases distributed across servers internationally.
The GDPR will replace the patchwork of data protection regulatory authorities in the 28 member states with a regime that will apply across the Union. It will affect any business that operates from within the EU, does business with organisations within the EU, or stores its data in EU member countries. This is a far-reaching piece of legislation that will affect the likes of Google, Facebook, Twitter, Apple etc. just as it will affect small to medium-sized businesses that have EU clients. What’s more, if the EU sticks to its intended timetable, businesses will need to be compliant by the end of 2017.
What will this mean for business?
Precisely because the rules are wide-ranging, there is no handy universal framework to follow that guarantees passing the test.
Businesses are gearing up to the change in regulation, but slowly. According to a recent survey by Ipswitch, one fifth of UK businesses still have no idea whether the changes will apply to them, despite confirming that they do store and process personal data. One thing is clear: more than three quarters say that keeping up to date with changing data protection regulation is a financial burden on their business. The impending regulation will require more than investment in a particular technology. Here is my assessment of the six potential pitfalls for businesses.
Get the risk evaluation right
With a mandate from the leadership team, organisations should undergo a risk management exercise that identifies the key processes and assets, evaluates their vulnerabilities and potential threats, and then sets the priorities for the next stage of the process towards compliance with the GDPR. It should cover all areas of the business and should also consider technologies and strategies to mitigate the risks identified. For instance, one key technology for mitigating risk and supporting compliance is managed file transfer, which controls the entire transfer process both within and outside the business.
Any business that handles data will have to seek clear consent from customers, staff and suppliers for their data to be handled in this way.
That applies both to data gathered after the implementation of the regulation and – crucially – to data that’s already held. Firms will need to prepare all existing data to be audited to make sure it complies with the new standard and that the proper consent can be proven to the Information Commissioner’s Office if needed. Understanding the extent of this huge auditing and compliance exercise will be key to allocating the time and resources to get it right.
The current draft of the regulation requires any organisation suffering a breach to notify the Data Protection Agency and anyone affected within 72 hours. Let’s consider how this might play out in real terms. Take a recent high-profile breach as an example: Ashley Madison, the adultery website. It’s a US business but has many users who are EU citizens. Under the GDPR, it would have had to notify the DPA and the users as soon as the breach was detected. What actually happened was that the site was breached in July and in August the hackers published details of some 30 million users.
Ask yourself: what changes would your company need to make to be able to go public three days after a breach? The technologies would need to be in place, but also the crisis management processes that would likely involve team members from IT, legal, HR, marketing / PR and the C-suite.
Initially the proposal for data breach penalties was up to 5 per cent of global turnover, or up to €100m. This has since been reduced to €1m or 2 per cent of global turnover, depending on the seriousness of the breach. That’s cold comfort to an organisation like the British Pregnancy Advisory Service, fined £200,000 in 2014 under current UK regulation after thousands of people’s details were stolen by a hacker. Many organisations will be hard pressed to pay such fines. What’s more, the hack highlighted that the BPAS was not aware of what information it was holding, nor whether it was sufficiently secure. Businesses affected by the GDPR will need to assess their potential liability carefully, which means knowing exactly what information they hold. For many, this will be a complex audit exercise.
Right to be forgotten
Businesses handling the data of EU citizens will have to erase data “without undue delay” if the individual asks them to do so, if the data was unlawfully processed or if they’re required to do so by law. With so much data held in the cloud and moving through enterprise, partner and customer networks, it is much harder for organisations to implement systems that will enable them to identify and erase personally identifiable information on request. Businesses will have to implement processes for responding to “right to be forgotten” requests in a timely fashion.
If all this sounds worrying, then you are likely to be among the 95% of IT professionals in the UK who do not yet feel ready for the GDPR. The good news is that your organisation can still get ready in time if the planning starts now. The final version of the GDPR is set for approval by the end of this year, and businesses will then probably have two years to become compliant. Technology can offer many useful solutions: encryption, managed file transfer, analytics, perimeter security and so on. IT professionals are realistic about the investments in technology and services that lie ahead (69% say they will need to invest).
However, technology is only half the story. The GDPR will touch all areas of an organisation, so staff will need to be educated. Training will be essential to ensure staff understand what’s expected of them, how to respond and how to handle data.
By Alessandro Porro, Senior Vice President of International, Ipswitch