Industry pros react to new EU data protection rules

Following this morning's news that the European Union (EU) has agreed strict rules on data protection, various industry professionals have offered their thoughts.

Andy Herrington, Head of Cyber Professional Services, Enterprise & Cyber Security, UK & Ireland, Fujitsu:

“The news that new EU Data Protection regulations are likely to be agreed upon should be largely welcomed, as it will promote consistent data protection requirements in each country and a single reporting and compliance regime. The changes are intended to keep up with a shift in which more data is kept in the cloud and therefore managed by a third party away from the original business that collected it.

“According to research from Fujitsu, 80 per cent of IT decision makers believe more stringent data protection laws are needed in this data-driven world while nearly two thirds (61 per cent) welcome larger fines for data protection negligence and would like to see them introduced.

“This new EU Data Protection regulation will help businesses become more proactive with regards to their hosting and data storage strategies. It means that service providers will be able to fulfil their role as a data processor, protecting the information they handle and store on behalf of their customers, who, as owners of the data, remain the data controllers. The tougher fines and raised awareness should also drive a much better understanding in the C-suite, and wider business, of what data is held, its value to the business and the controls required to protect these valuable assets.”

Matthew Fell, Interim Chief Policy Director, CBI:

“Business supports a digital single market in Europe which works for both consumers and business, increasing jobs and growth as part of a reformed EU. Data is fundamental to delivering this and while the protection of that data is absolutely essential, these measures miss the mark for both businesses and consumers.

“From driving research and development in healthcare to powering our free social media and search platforms, data analytics is a vital part of modern business. This new legislation could hamper that with unnecessary administrative burdens and costs, like mandatory data protection officers, placed on firms of all sectors and sizes.

“Businesses now need clarity from policymakers and regulators on what actually applies to their business so that they can mitigate the burden and cost of compliance as quickly and effectively as possible.”

Nigel Hawthorn, chief European spokesperson, Skyhigh Networks:

“This is an early Christmas present and we welcome the GDPR text publication. Consumers are rightly concerned about their private information being lost by organisations and it’s great to have clarity on the regulations. Now enterprises and cloud service providers worldwide need to study them and ensure that their procedures and technology are in place to conform.”

Dr Elizabeth Maxwell, EMEA Technical Director, Compuware:

“The new rules coming into force with the agreement of the EU Data Regulations pose a major challenge for all companies that collect and store personal data. First and foremost is the need to be in control of where any personally identifiable information (PII) resides within their systems. This might sound pretty simple, but it’s far from it; organisations not only need to consider their own back-end databases and backups, they also need to consider any data being used by outsourcers, partners or cloud service providers they’re working with.

“In many cases, data could even be in use outside of the EU – in the systems of an outsourcer developing mainframe applications for the business, for example. This would instantly create a breach of the new EU regulations unless the proper controls were in place.”

Tony Pepper, CEO, Egress Technologies:

“This regulation is set to really shake things up, forcing companies to scrutinise how they process and handle data. In particular, the ruling that they must report breaches ‘that are likely to harm individuals’ has the potential to expose a swathe of breaches that are currently being swept under the carpet, and the corresponding fines are likely to be keeping a few CFOs awake at night!

“Now that a decision has been made, boards across Europe need to immediately start planning and implementing the right processes, training and technologies to protect the entire lifecycle of their data so they’re prepared for when the regulation is enforced. We can see from previous breaches that it is the small slip-ups, caused by human error, that have been the most common and largely the most damning. These are the errors that, until now, some organisations have not necessarily had to confess to.

“The weakest link in the chain is your workforce and, even with the best technology and will in the world, changing habits and getting user buy-in takes time, so you should start now. Matching security policy with user training and education, alongside smart, user-intuitive technology, is the only way forward.”

Richard Brown, Director EMEA Channels & Alliances, Arbor Networks:

“The new agreements around the EU Data Protection Act should make it simpler for cloud providers operating within the EU, but the initial barrier to this lies in the understanding of this new legislation. Changes to the definition of what is and is not personal data, the need for ‘explicit’ consent for data collection and different documentation requirements all need to be interpreted, and any relevant changes made.

“Some of these changes may incur additional costs to business, while others may reduce overall expenditure, like the unification of regulation. But getting a good understanding of this will be a work-in-progress for many organisations.

“As with all regulations it is important that organisations maintain their focus on the ‘goal’, rather than purely on compliance. The impact of data-breaches on both business and the end-user can be significant and businesses need to ensure they are protecting themselves and their customers, not just trying to comply with the legislation.”

Steve Murphy, Senior Vice President and General Manager EMEA, Informatica:

“The latest agreements on EU data protection rules should raise a red flag to all components of the data supply chain. Far beyond the traditional realms of financial penalties, this latest development could threaten businesses’ viability.

“In a data-centric era where big data fuels all interactions, UK business should be in a strong position to combat a crisis, yet security practice is wildly behind. In fact, recent research from the Ponemon Institute indicates that only a quarter of UK businesses can discover and classify confidential data in the cloud and less than 45 per cent for data on premise.

“Compliance with these new mandates can only be enforced if companies know where within their data stores person-specific data resides. At the heart of achieving this is understanding where applications create sensitive information in databases and how that information is proliferating as it's used by line-of-business applications, cloud services and mobile apps.

“Only then can businesses visualise where sensitive data resides, regardless of whether it’s inside or outside of the corporate perimeter, and secure information at its source.”
