It’s been an interesting few months for the United Kingdom and Europe.
As we enter the second half of 2016, not only did we make an early exit from the football Euros but we also took a majority vote to leave the European Union (EU).
These headline news stories have somewhat overshadowed yet another very important EU topic: the fast-approaching EU General Data Protection Regulation (GDPR), which will replace the now redundant Data Protection regulation from 1995, a law that is no longer relevant in today’s cyber age.
While elements of the country’s future currently appear uncertain, what businesses can be confident in is that the UK will still need to meet the requirements of the GDPR, which will affect organisations of all sizes.
Now is the time, if they haven’t already, for businesses to prepare for the inevitable.
The purpose of the EU GDPR
This change in EU data regulation creates a single data protection regulation, backed by a financial incentive strong enough to ensure that all businesses remain compliant.
Currently, there is a myriad of regulations in place across the EU member states that have limited reach, and most carry either a minor financial penalty for non-compliance or none at all.
Further to this, the enforcement of this regulation is recognition by policymakers that relevant data is in fact used outside the current EU boundaries.
In a growing digital-first age, customer data is created, collected and stored everywhere.
So in an effort to protect the privacy of all citizens, the new regulation will apply across all borders, regardless of where the actual processing of the data takes place.
But most importantly, the EU GDPR applies to any organisation that holds EU citizen data: even organisations based overseas are subject to the new regulation.
From May 2016, any organisation found to be in breach of the new EU GDPR will be subject to fines of up to €20 million or 4% of the organisation’s annual global turnover.
Depending on the size of the business, these fines could damage the financial stability of the company and this, coupled with the reputational fallout, could see the business facing bankruptcy.
While the new GDPR regulations have gone through multiple iterations and include a vast amount of detail, they cover four key areas that organisations need to be aware of.
A single data regulation for protecting all EU citizen data across current member states and globally. The aim of the updated GDPR is to standardise and strengthen the current privacy laws and to be consistent among the current member countries.
All data relating to an EU citizen is considered ‘personal’ under the new EU GDPR, regardless of where an EU citizen is located or whether they have been identified directly.
All businesses have to disclose a data breach within 72 hours of discovering it. This disclosure must include detail on what data has been lost and how the breach will affect the citizens concerned.
The financial consequences of firms breaching the new EU GDPR are fines of €20m or 4% of annual global turnover – whichever is greater.
Yet some organisations are still neglecting to address the new EU GDPR, whether because they thought the EU referendum would affect the implementation of the legislation, because they do not think it applies to their business, or because they are delaying it as it does not fall into this financial year.
How businesses can prepare
For an organisation to adhere to the new EU data regulation, it first needs to identify the key data that it needs to protect, understand where that data resides and understand what value the data has.
Additionally, and perhaps most importantly, companies need to evaluate who has access to this data.
Once this is established, the organisation needs to create a security strategy and policies that will enable it not only to protect this data but also to secure access to it.
Once this is understood, further solutions can be implemented to secure the data, from cutting-edge, next-generation firewall solutions to data loss prevention tools, ensuring the integrity of the data.
Identity and access management solutions and multifactor authentication will also allow for the governance and control of user access to on-premise and cloud services.
Finally, encryption technologies will maintain the confidential nature of the data, as lost encrypted data is considered a secure breach under the EU GDPR: it does not have to be disclosed and is not bound by any financial penalty.
Plan to be compliant
Having clear laws with safeguards in place is more important than ever given the growing digital economy.
While on the surface these new regulations might seem overwhelming or even a hassle, they are in fact necessary to protect the data of citizens across Europe.
Planning ahead is the best course of action for any business.
2018 might seem a way off, but we are already halfway through 2016 and, before we know it, the new legislation will come into effect.
Addressing the EU GDPR now will allow businesses to budget and prepare, taking manageable steps to ensure a compliant business environment that will help protect the company from the potential fallout of non-compliance.
Sourced by Stephen Love, security practice lead, EMEA, Insight