As of 25 May 2016, businesses have just two years to become compliant with the EU General Data Protection Regulation (GDPR) or else risk large fines.
Organisations will need to take active measures to demonstrate that they are implementing “privacy by design” and mitigating any threats to personal privacy, since the new regulations hold them to account for their data practices.
So what do businesses need to do now to ensure they comply with this new framework? What should they be considering? As IT teams begin to grapple with the incoming regulations, we hear from industry experts to get their views.
Clarifying data regulations
Kate Lewis, head of data strategy at GBG, believes that the GDPR will clear up any previous confusion around country-specific data regulations.
“To date, organisations processing personal data of EU residents have had to deal with a patchwork of the 28 different national data protection laws. The GDPR, however, will bring much needed clarity to the data market. Individuals need to be clearly informed around how their data will be used, and this is especially true in today’s threat landscape. Every week we are faced with yet another news story about a high profile company experiencing a data breach in which sensitive and valuable customer information has been leaked onto the internet. Nowadays, businesses need to be using the data available to them intelligently to help protect their customers.
“This protection of individuals is at the heart of the EU GDPR, with a number of principles focused on the processing and maintenance of personal data stored within organisations,” said Lewis. “Of course, complying with these new regulations will not be without its challenges. Whilst for some companies it will be a change in mind-set from seeing compliance as a tick box requirement, others will need to take stock of all the customer data held within the business and decide which data to keep or get rid of. Businesses that take action now will find themselves in a much more advantageous position come 2018. Two years may seem like a long time, but it will pass us by faster than we know.”
The GDPR places the responsibility for personal data firmly with organisations themselves. Jon Geater, CTO at Thales e-Security, emphasises that this will extend to any data shared with other parties.
“Companies will now have an even greater obligation to protect the personal information entrusted to them, no matter how it’s processed,” said Geater. “The new rules also make clear another important factor that we should already have known: that you can outsource your risk, but you can’t outsource your responsibility. If organisations use a third-party provider to store and manage data - such as a cloud provider, for example - they are still responsible for its protection and must demonstrate exactly how the data is protected in the remote system.
“Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.”
Protecting the privacy of European citizens
David Mount, director of security solutions consulting EMEA at Micro Focus, thinks that our perception of data protection and privacy will continue to develop, although only time will tell whether or not the GDPR is truly effective at protecting user privacy.
“The GDPR, which becomes law today, is set to have an enormous impact on organisations operating in the EU. Companies now have two years to comply with the legislation so it will be interesting to see where they go from here. What’s clear is that they need to take action now to ensure they understand the data they hold and how they use it.
“Businesses should limit access to data to only those who need it and ensure good data hygiene by keeping authentication practices up to date. Historic data could pose an unnecessary risk, so it may also be worth deleting this to lower the potential impact of any security breaches.
“The next two years will see some technical and judicial challenges for companies in the EU, so it’s important that they start to educate themselves now about the steps they should take to ensure compliance. For the consumer, now accustomed to hearing about breaches in the news on a daily basis, the impact of the measure remains to be seen. We’ll start to see the consumer perception of data protection and privacy develop over the next two years, and it will soon become clear whether or not the GDPR has the desired effect in Europe.”
Taking control of the cloud… and quickly
What steps can IT take to manage information securely and wrest control of both structured and unstructured data?
“Organisations have two years from today to comply with the regulation, which probably sounds like plenty of time, doesn’t it? Well, not if you ask IT teams...” said Eduard Meelhuysen, VP EMEA at Netskope. “Recent research from YouGov and Netskope found that almost 80 per cent of IT professionals in medium and large organisations are not confident of ensuring GDPR compliance in time for the May 2018 deadline.
“As a starting point, organisations should take a hard look at how their data are shared and stored, focusing in particular on any cloud apps in use across the organisation. The GDPR makes specific provisions for unstructured data of the type created by many cloud apps, data which are typically harder to manage and control. That means organisations need to manage employees’ interactions with the cloud carefully as a key tenet of GDPR compliance.
“As cloud app use continues to increase within businesses, data will become harder to track and control. But with the GDPR instigating a maximum possible fine of 20 million euro or 4 per cent of global turnover (whichever is higher) in certain cases, there is now more incentive than ever for companies to focus on data protection. Getting a handle on cloud app use will be a crucial part of ensuring compliance for any organisation, and IT teams will need to start work now to meet the May 2018 compliance deadline.”
Moving beyond data residency
Addressing the challenges of the GDPR only from a data residency perspective is incomplete at best, said Dave Allen, SVP & General Counsel at Dyn.
“While some Internet companies have begun to address new challenges at the fixed locations where data is stored, this alone will not necessarily be enough to ensure compliance. Those companies focusing solely on data residency may well fall victim to a false sense of confidence that sufficient steps have been taken to address the myriad regulations outlined in the GDPR.
“As the GDPR will hold businesses accountable for their data practices, businesses must recognise that the actual paths data travels are also a key factor to consider,” said Allen. “In many ways, the constraints which come with the cross-border routing of data across several sovereign states mean these paths pose a more complex problem to solve.
“Although no silver bullet exists for compliance with the emerging regulations which govern data flows, businesses which rely on the global Internet to serve their customers should be seriously considering visibility into routing paths along both the open Internet and private networks. As we enter an era of emerging geographic restrictions, businesses with access to traffic patterns in real time, in addition to geo-location information, will find themselves in a much stronger position to tackle the challenges posed by the GDPR.”
The legal implications
How does the GDPR compare to the previous regulations? Nicola Fulford, head of data protection and privacy at Kemp Little, considers the major changes which businesses need to bear in mind.
“Despite a number of high profile events and cases occurring during the GDPR’s legislative life-span, including the PRISM revelations, right-to-be-forgotten cases and the Schrems judgment with the resulting EU-US Privacy Shield, the text and structure of the GDPR still bear resemblance to the Data Protection Directive 95/46/EC (the “Directive”) albeit with a number of headline changes.
“Perhaps the most significant of these is that firms offering goods or services to EU residents or monitoring their behaviour will need to comply with the GDPR, regardless of whether the firm is based in the EU. It is worth noting that, in the event of a vote for the UK to leave the EU in the referendum in June 2016, the impact of the GDPR may be reduced, although many UK firms are likely to be caught by the extra-territoriality requirement, and will therefore need to comply with the GDPR regardless of the outcome of the referendum.
“The GDPR also introduces data processor liability for certain data protection requirements, including data security, sub-processing, record keeping and data breach notifications, among others. Data controllers must report data breaches to their supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
The implications of a Brexit scenario
With the EU Referendum less than a month away, Deema Freij, global privacy officer at Intralinks, considers the potential effects of a Brexit on companies struggling to guarantee compliance with the GDPR.
“According to research we carried out with Ovum recently, two thirds of global companies will review their business strategies in Europe in light of the GDPR, and more than half of businesses (52 per cent) expect to be fined due to breaches of regulations. The upcoming referendum on EU membership offers an additional twist. Should the country vote for Brexit, it’s worth considering how a UK government disconnected from the EU would re-evaluate its data protection law without the GDPR or any other European directive to guide it.
“If the UK were to leave the EU, it would be some time before global and UK companies would know what to do around the issue of data transfer. Any practical guidance would be unlikely to arrive immediately and, during that time, many companies could be unknowingly operating against the law, leaving them with a number of critical legal issues, and increasing the risk of data breaches.”
“In addition, organisations will now have to provide citizens with online access to any of their own personal data they store. While the Data Protection Act traditionally allowed anyone to request access to this data, with the GDPR in effect organisations must make this available for download ‘where possible’ and ‘without undue delay’.
“This is a very significant change, and securing this access will represent a significant challenge to many organisations – especially while still complying with the new tighter rules – and will require robust cybersecurity technology across the board.”