Companies collect and process vast amounts of data on today's consumers: from where we live and the places we holiday, to our spending habits, and even the kind of coffee we prefer. Although data collection enables businesses to tailor offerings according to our preferences, these practices also introduce risk by increasing the exposure of our personal information.
Electronic information has become so portable that our private details can sit with many people and companies without our knowledge or consent. Complicating the matter is the fact that many businesses are now trading across borders, and with many of the current data protection laws being country specific, they can be difficult to enforce in this computerised and highly interconnected world.
An EU stance on data protection
The European Union (EU) has taken this issue seriously and is in the process of implementing a new Directive, dubbed the "Data Privacy Act," which will bring consistency to the law across EU member states. The legislation is expected to reach final agreement in 2015, and once it becomes EU law, companies will be legally required to adopt a modernised and comprehensive approach to data protection.
It is expected that companies will have approximately two years to achieve compliance, but since much of the framework is already in place at a country level, this timeframe may be shorter. However, global research commissioned by Compuware found that many European businesses are ill-prepared to adapt to these changes:
- 20 per cent of companies don't mask or protect customer data before providing it to outsourcers for application testing purposes
- 43 per cent of companies that share customer data don't understand current data protection laws and regulations
- 87 per cent of organisations that do not mask customer data before passing it to a third party rely on Non-Disclosure Agreements (NDAs) to protect their customers' data
The UK government estimates that the Directive will cost the country's economy £100 to £360 million each year, and this is just the basic cost to execute the law. Businesses should also anticipate increased costs to adjust their systems to comply with the law. And while these costs won't be exactly welcomed with open arms, companies that don't comply could face disastrous consequences.
Under the proposed Directive, a data breach due to non-compliance carries penalties of up to EUR 100 million, or five percent of the offending company's annual global turnover. Currently, breaches in the UK can result in an ICO (Information Commissioner's Office) fine of up to £500,000, but FCA (Financial Conduct Authority) fines can be much higher.
Is the EU ready to comply?
It's imperative that businesses put together a well thought out strategy to minimise the initial costs of adjusting applications and practices in order to achieve, prove and maintain compliance. There are five key steps that must be considered:
1. Understand how the legislation will impact upon the business
The first step is to identify the implications of the current, as well as the new, legislation on the business's operations. This should include what changes need to be made and how this will impact upon overall IT spend. And the impact is both large and far-reaching. For example, many companies still use real (live) customer and consumer data in application development and testing, with little consideration for sensitive data protection. With the new legislation coming up, these companies will need to rethink their testing approach.
2. Analyse where personal and sensitive data resides
Before mapping out a technical solution, companies should carefully assess their data usage across environments to see where there is a risk for data breaches. In other words: who has access to what data and where is that data stored. It's important to note that the analysis of where personal and sensitive data resides, and how it interacts with other data, can take much more time than initially estimated.
3. Determine how data can be desensitised while still being of use
Once the location of the personal and sensitive data and potential security risks have been mapped out, it will be easier to decide how this data can be desensitised. Data anonymisation can be built into existing workflows and processes, or new workflows can be created from scratch to comply with the new regulations. This exercise will also help build the requirements for a third-party solution if required.
4. Develop the solution using the chosen toolset
When the requirements for a data privacy solution have been determined, it is time to actually develop the solution that will help keep data safe and remain compliant. A solution could be a new set of business processes, revision of data access rights, (test) data management technology, or a combination of these and other potential measures fitting to the situation and chosen approach.
5. Deliver the solution into the existing operational framework of the IT department
Most companies need assistance in complying with current regulation, let alone preparing for the Directive. They need to assess capabilities and experience fully before making decisions and implementing them as mistakes are costly from both a project and fine standpoint.
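As an added illustration of steps 3 and 4 above (this is not code from the article or from Compuware): a Python sketch of keyed pseudonymisation for a test dataset, which replaces personal fields with deterministic tokens so that the masked data keeps the formats and cross-table joins the application under test needs. The sample records and the secret key are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample tables (not real customer data); orders reference customers by customer_id.
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.com", "phone": "+44 20 7946 0123"},
    {"customer_id": "C1002", "name": "Bob Sample", "email": "bob.s@example.org", "phone": "+44 161 496 0456"},
]
ORDERS = [
    {"order_id": "O1", "customer_id": "C1001", "amount": 42.50},
    {"order_id": "O2", "customer_id": "C1001", "amount": 9.99},
    {"order_id": "O3", "customer_id": "C1002", "amount": 120.00},
]

def _token(secret: bytes, field: str, value: str, length: int = 10) -> str:
    """Keyed, deterministic pseudonym: the same input always maps to the same output, so joins survive,
    but without the secret (which stays with the data owner) the original value cannot be recovered."""
    mac = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return mac[:length]

def mask_customer_id(secret: bytes, cid: str) -> str:
    # Keep the one-letter prefix so the value still looks like a customer id to the application.
    return cid[:1] + _token(secret, "customer_id", cid, 8)

def mask_phone(secret: bytes, phone: str) -> str:
    # Replace only the digits; spacing and the leading '+' are kept so format validation still passes.
    digits = re.sub(r"\D", "", phone)
    fresh = str(int(_token(secret, "phone", digits, 16), 16)).zfill(len(digits))[:len(digits)]
    it = iter(fresh)
    return re.sub(r"\d", lambda _m: next(it), phone)

def mask_dataset(secret: bytes, customers: list, orders: list) -> tuple:
    """Return masked copies of both tables; non-sensitive fields (amounts, order ids) are left untouched."""
    masked_customers = [
        {
            "customer_id": mask_customer_id(secret, c["customer_id"]),
            "name": "Customer " + _token(secret, "name", c["name"], 6),
            "email": "user" + _token(secret, "email", c["email"], 8) + "@test.invalid",
            "phone": mask_phone(secret, c["phone"]),
        }
        for c in customers
    ]
    masked_orders = [dict(o, customer_id=mask_customer_id(secret, o["customer_id"])) for o in orders]
    return masked_customers, masked_orders

def referential_integrity(customers: list, orders: list) -> bool:
    """True if every order still points at a customer row, i.e. the join keys survived masking."""
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)
```

Running `mask_dataset` with the same secret over every table in an environment is what keeps the masked copies consistent with each other; the secret itself should never be handed to the outsourcer along with the data.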
While the European Commission progresses the Directive through Parliament, it is key that IT departments start planning now for how to adjust their systems to meet the new requirements. Ultimately, those who take the time to prepare now can reduce the burden on already strained IT departments, cut down the cost of compliance by reducing the learning curve, and most importantly, mitigate the risk of failure.
Dr Elizabeth Maxwell is the technical director EMEA at Compuware