By Paul Le Messurier, Programme and Operations Manager, Kroll Ontrack
How familiar are you or your IT department with the proposals under the forthcoming General Data Protection Regulation (GDPR)? And how prepared will you be to meet what are likely to be very stringent requirements around data protection?
According to our recent research, undertaken in partnership with data erasure experts Blancco, if you answered ‘Not very, if at all’ you would be in good company. The research found that more than four out of five (81%) IT managers across Europe are unfamiliar with proposals under the GDPR.
So what will the GDPR seek to achieve? In general terms, it aims to unify data protection laws to meet the challenges of the digital age and in particular, strengthen the protection of online personal data. It is also designed to create a more unified set of laws and regulations across the EU as the existing regime is currently very fragmented. This makes it difficult for organisations operating globally to fully understand their requirements and implement a process that works in all of their locations.
An important part of the Regulation is likely to be the ‘Right to be Forgotten’. When enacted into law, this will require all businesses handling EU residents’ data to delete personal information on request (or when it is no longer required by the organisation) and encourage the strict use of auditable deletion procedures for companies processing personal data.
While most of the 660 IT managers in our survey are not familiar with the GDPR, the research does show that 57% believe they will be directly affected by the new Regulation. Given the importance and potential impact of the new Regulation, this figure should be much higher. After all, organisations that handle personal data, whether it is for their employees or for their clients (which is likely to be pretty much everyone) will be affected by this.
Non-compliant businesses could receive significant fines, and are at risk of large scale reputational damage. Indications are that fines are going to be much greater than under the current Data Protection Act 1998, with data breach sanctions potentially ranging from €250,000 or 0.5% of annual worldwide turnover for less serious breaches, up to €100,000,000 or 5% of annual worldwide turnover for more serious infractions.
Nevertheless, according to the research, three out of five (61%) IT managers said that their organisations have not taken measures to achieve compliance with the pending Regulation, with more than half (55%) failing to review and adapt data destruction policies. A further quarter (25%) admitted to not having a process in place to deal with data destruction.
In our view, organisations still have a great deal of work to do to ensure they are ready for a much stricter data protection legal regime. Any business holding personal data on EU residents, be it online or offline, will have to abide by the new regime. Businesses have a lot of work to do in terms of educating their workforces to understand the implications of this Regulation for their organisations, clients and employees.
As part of this process, it will be important for organisations to consider how they can demonstrate compliance with the Regulation on data destruction and erasure and complete a full audit of relevant processes.
Organisations need to carefully consider how to mitigate exposure and manage risk, especially around the recycling or destruction of hardware, i.e. when computers and devices (whether broken or old) are dumped without the data having been properly erased from them. A certified, full-service data destruction and erasure provider can assist in the secure deletion of data that is no longer required, and will be able to offer the necessary tools and services to securely erase data from company servers as well as other devices such as mobiles and tablets. Critically, certified providers will ensure that personal and confidential data does not fall into the wrong hands, so that organisations are able to demonstrate to regulators that they have taken the correct steps to protect personal data.
In addition, such providers can also assist with secure data erasure management services across the whole asset lifecycle: individual files and folders, laptops, flash media, mobile devices, servers and the cloud. Each erasure should produce a time-stamped, tamper-proof certificate so that a comprehensive audit trail exists.
Whilst the final details of the GDPR are still being worked out and discussed between the various EU institutions, the time is right for organisations to assess their existing processes by carrying out audits, and to make sure that they are capable of complying with a new, stricter and more thorough data protection regime.
Find out how to ensure that your company is fully prepared for the implementation of GDPR by attending the GDPR Summit Series, designed to help businesses prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at www.gdprsummit.london