The deadline for compliance with the new General Data Protection Regulation (GDPR) is fast approaching and the regulation will come into effect on May 25 this year. The new rules apply to all companies that store and/or process the personal data of EU citizens irrespective of where those companies are located in the world.
Until the GDPR comes into force, the EU will continue to rely on the 1995 Data Protection Directive, which suffers from varying levels of enforcement across the EU. GDPR will ensure all countries comply with the same comprehensive controls so that the personal data of European citizens has a consistent level of security and protection across each country.
Whilst a number of organisations will have spent countless hours preparing for the deadline, many others are still in the dark about the requirements. Confusion about the regulation is widespread. Research from Apricorn in March 2017 found a significant gap in the understanding of what is required to comply: 24% of surveyed organisations were not even aware of the GDPR and its implications, and a further 17% were aware but had no plan for ensuring compliance.
Organisations should now be on the home straight as the deadline approaches, but the myths surrounding ‘grace periods’ after the May 2018 deadline and the suggestion that organisations will only be penalised in the event of a data breach are not helping.
Steve Wood, head of International Strategy & Intelligence at the Information Commissioner’s Office (ICO) has hopefully quashed one of the rumours with his speech noting that “You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy”. The ICO plans to focus on risk, and while it will be happy to work with organisations in areas that seem unclear, there will be no grace period.
In response to the second point, the regulation is not about when a breach happens and how an organisation responds; it is focused on proactive defence, such as security by design, to minimise the risk of people’s personal data being compromised in the first place. The onus GDPR places on businesses is significant. Non-compliance can come at a huge cost, with fines of up to 20 million Euros or 4% of a company’s annual global revenue, whichever is the greater.
If organisations are systematically unable to demonstrate that good data protection is a foundation of their business policy and practices, a fine is highly probable. Despite this, a survey conducted by YouGov found that 71% of organisations haven’t realised they will be heavily fined if they fail to follow the guidelines.
Whilst GDPR does cover some existing ground, there are a number of new principles and compliance requirements. Organisations will need to review their existing processes and contracts, and potentially put in place new practices in respect of privacy, data protection and security.
Gartner predicts that by the end of 2018 more than half of companies affected by the GDPR will still not be in full compliance with its requirements. If organisations want to get all their ducks in a row, the following steps should be considered:
The main intentions of GDPR are the protection of an individual’s personal data and to give them more control over it. The EU defines “Personal Data” as “any information relating to an individual, be it related to private, professional, or public life, and ranging from a name, or email address, to bank details, and posts on social networking site”. GDPR has extended this definition to include data sets such as ‘genetic data’ and ‘biometric data’, as well as IP addresses and cookies where they relate directly to individuals.
Under the new rules, EU citizens will have many more defined rights over their personal data. The reason for collecting their data, and how it will be used and stored, must be clear, and their consent must be explicit and recorded.
EU citizens also have the right to demand their data in a portable format, and the right to request that all their data is deleted from the system. Businesses must have systems and processes in place to comply with these rights and many will need to appoint a dedicated data protection officer.
GDPR requires that organisations be able to trace all personal data, and understand where it resides and how it is used, yet 38% of surveyed respondents believe they have no control over where company data goes and where it is stored (according to Apricorn).
As part of the new GDPR requirements, organisations will need to document exactly how data is processed, stored, retrieved and deleted through its lifecycle to determine where data security processes may be failing and to address any gaps. Individuals and teams will be challenged to provide clear oversight on data storage, journeys and lineage, demonstrating that they are limiting who has authorised access to certain information, and why.
Considerations over how data is protected outside of central systems should also be front of mind. Data transferred outside of the network or between systems must be secure. Hardware encrypted USB devices can provide the necessary encryption capability embedded within the device. Organisations should be utilising and enforcing the use of these devices across the organisation.
To encrypt or not to encrypt?
GDPR Article 32 states that data encryption is a means to protect personal data and that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data”.
Additionally, Article 34 notes that if a breached organisation “has implemented appropriate technical and organisational protection measures such as encryption”, it can avoid the regulation’s breach notification requirement to contact each individual affected and the resultant administrative costs.
Organisations cannot afford to be complacent and a robust cyber security process is essential. Using encryption to protect sensitive data on the move and at rest is a sensible move in line with the guidance given in these two articles.
Educate, educate, educate
Whilst having the right tools and policies in place is imperative to GDPR compliance, ultimately it is the users that pose the biggest threat. Employees need to be educated about their responsibilities and understand the legislation and its consequences. Training should be offered and policies should be created and enforced, particularly when data is taken beyond the network perimeter.
The time is now for organisations to ensure they are prepared and have the foundations in place to be compliant when the regulation comes into force, thereby significantly reducing their chances of financial penalty should they be audited as non-compliant or, in the worst case, suffer a data breach.
Sourced by Jon Fielding, managing director EMEA of Apricorn