Earlier this month, European Commission VP Andrus Ansip and commissioner Vera Jourová issued a joint statement to say ongoing negotiations on the planned data protection reform will conclude before the end of this year.
The reform, currently known as the General Data Protection Regulation (GDPR), is part of Article 8 of the European Convention on Human Rights. It sets out to effectively modernise data protection rules, across the 28 member countries of the EU, to catch up with the digital age.
The EU believes that data protection reform will cut red tape for business and ensure a single set of rules.
>See also: Most organisations are still unprepared for new EU data and security laws – report
Who will the GDPR impact?
The GDPR will impact any organisation that gathers, processes and stores personal data. It defines personal data as any information about an individual, whether it relates to his or her private, professional or public life.
It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer’s IP address. There may be an exception for employee data, which could be subject to individual country regulations – this is still to be determined.
So, in effect, the GDPR is likely to affect any business that operates from within the EU, does business with organisations within the EU, or stores its data in EU member countries.
How will the GDPR impact business?
The regulation is designed to address blurred lines around the protection of personal data. It is expected to address globalisation and developments in how businesses use, share and store data. For instance, it will tackle data protection in relation to social networks and cloud computing, including secure file transfer and the right to be forgotten.
The development of public, private, government and hybrid cloud computing services has complicated data storage and processing over the last 20 years. The GDPR will help by clarifying the responsibilities of organisations relating to the data they handle and store, thus making it easier for both European and non-European companies to comply and avoid penalties.
Currently, each member country has its own data protection authority. In the UK it is the Information Commissioner’s Office (ICO). Because the current GDPR draft is a regulation rather than a directive, it means it will directly apply to all EU member states without any national changes in legislation. There will be one single Data Protection Authority (DPA) responsible for each company, depending on where the company is based.
The GDPR will also have a significant impact on non-European companies that trade in the EU, reflecting that in today’s age, business has become borderless.
Are businesses prepared for the GDPR?
According to a recent Ipswitch survey of 316 European organisations, more than half (56%) of respondents could not accurately identify what ‘GDPR’ means. Over half of respondents (52%) admitted they were not ready for GDPR, and over a third (35%) confessed to not knowing whether their IT policies and process were up to the job.
Despite the lack of awareness of regulatory change, when asked about priorities for 2015, only 13% said they planned to spend more time understanding and preparing for regulation. A quarter (26%) said they wanted to spend more time reviewing and tightening security policies and a further quarter (26%) said they wanted to be able to spend less time on manual reporting and auditing.
In addition to testing the readiness of IT professionals, the survey also revealed that very little thought has been given to whether an organisation’s cloud service provider (CSP) is ready for the change. Although 79% of those surveyed retained the services of a CSP, only 6% of them said that they had thought to ask them whether they were ready for the GDPR.
What are the consequences for non-compliance
Whilst there are organisations and resources out there to help businesses to prepare for the change ahead, the responsibility for compliance – and penalties for non-compliance – fall firmly with each individual organisation. This applies whether or not organisations use an IT partner or CSP for their data needs.
Currently the GDPR includes a stringent data protection compliance regime. Article 31 sets out requirements for mandatory notification of a data breach within a set timeframe. That timeframe is currently looking like it will be set at 72 hours.
Non-compliance with the GDPR will have fierce consequences. It is currently cited that there will be penalties of up to €100 million or up to 5% of worldwide turnover for organisations in breach of its rules. This far exceeds most local data protection penalties in member countries and could be the difference between make and break for many organisations in the UK. It’s a penalty too far to ignore.
>See also: EU Regulation: time to act on corporate data protection
So how can businesses prepare for the GDPR?
GDPR includes an obligation to protect personal data across borders. IT professionals should review and bolster their data processing policies and practices now, before the regulation comes into effect.
Organisations will need to consider if and how they change the way they collect, process and store data. They will also need to consider who within the organisation is responsible for ensuring compliance.
1. Appoint a data protection officer
It is likely that the regulation will require a data protection officer to be appointed within most organisations. Whilst many corporations already have someone appointed for this role, small and medium enterprise currently doesn’t.
The GDPR is likely to insist a data protection officer is appointed for businesses with less than 250 employees if they work with over 5,000 personal data records in any given year. For the smallest of businesses, it may well make sense to outsource this to consultants.
Making a person within an organisation responsible for ensuring compliance is the first step for any business. However, they will need the support of a board
2. Research how the GDPR applies to your business
There are resources out there to help a data protection officer understand and plan for the GDPR. For instance, the Association for Information and Image Management (AIIM) lays out the changes that organisations will need to abide by in its report ‘Making sense of European Data Protection Regulations’. There are 11 key areas outlined that range from gaining consent to collect data, to fully documenting any breach.
3. Benchmark compliance
There are practical steps that can be taken now to ensure that policies, procedures and technologies run by organisations are up to the job of complying with the GDPR. However, first it will need a good understanding of how its organisation would rate for compliance.
Contracts with data processors and CSPs need to be reviewed too. Organisations need to set out to understand exactly where their cloud data is hosted and understand how it is backed up and encrypted.
4. Make policies and embark on change
Once a clear perspective of the implications of the GDPR is achieved, then the next step towards compliance is through policy. Buy-in must come from the very top of an organisation. All current policies that touch data will need to be updated, and the necessary changes made within the business to ensure compliance. This is likely to impact every department from IT, operations and HR through to finance and sales.
For instance, not only do organisations need to put in place a clear privacy policy to be provided to anyone it holds data on, but they also need to be able to provide them with a copy of their personal data in a format that can be easily electronically transmitted. Organisations will also need the capability to delete all customer data on request under the ‘right to be forgotten’.
5. Get the EU seal of approval and constantly review
Once confident in their systems and procedures, organisations will be able to apply for an EU Data Protection Seal, which will be a five-year certification of their processes.
Sourced from Alessandro Porro, Ipswitch
