Yesterday it was announced that the European Parliament officially approved the new Global Data Protection Regulations (GDPR), unifying Europe’s multiple data protection regulations into one common law.
Various industry professionals have offered their thoughts on the news, which has signaled the start of a new era for data protection.
Nigel Hawthorn, chief European spokesperson for Skyhigh Networks:
“This is great news for EU citizens, as they will have strong and clear rights over their personal data. Some organisations have in the past treated personal data as a cheap commodity but this regulation clearly shows how valuable data really is. Firms must now pull their heads out of the sand and adopt stronger measures to ensure data is treated with respect.
“Perhaps EU Parliament members are Star Wars fans, as companies have until 4 May 2018 to ensure compliance – 750 working days - so they need to get a move on. The changes may cause headaches for the IT department, compliance teams and even CEOs. Business leaders should put a value on data about themselves and their family and embrace this legislation because the outcome is that all of our data will be safer.”
Mark Thompson, privacy lead in KPMG’s cyber security practice:
“It has been a long time coming; with more suggested amendments than any other EU regulation, we are finally there. The EU has finally herded the cats up the hill which sends a firm message to businesses that privacy is at the forefront of the EU’s mind, and organisations need to take action to address their privacy risks.
“The approach of the GDPR provides a risk based application of a "one size fits all" set of rules across the EU and recognises the different levels of privacy risk associated with SMEs and large global organisations. Privacy will be catapulted up the list of global organisations’ enterprise risks, requiring them to re-evaluate take action.
“For non-EU businesses that trade in the EU, this agreement will require some to re-think some of the activities they carry out in the EU. This makes it much harder to operate certain “global” services and will require them to truly put an EU lens on the business activities which are undertaken in the EU market."
“It’s clear that by the time the regulation comes into play in 2018, for a number of organisations, there will be a lot of work to do.”
Ross Brewer, vice president and managing director of EMEA at LogRhythm:
“While we’re still two years away from these laws coming into play, it is a huge step forward in the fight against cyber criminals. I’m sure many positives will come from these updated regulations, such as companies having to appoint a data protection officer if they are processing sensitive data at scale, as well as liability for data breaches extending to any data processors used by a data controller – both of which are logical changes in strategy if companies are truly serious about their cyber security.
“However, I’m sure the items that are really causing companies to sit up and take note is the threat of hefty fines and the small breach disclosure window. To comply with this, organisations will need to take urgent steps to ensure that they fully understand and have clear visibility into all network activity at all times. Without such pervasive insight, it can be near impossible to detect, analyse and report a breach in just 72 hours.
“This new regulation is being called the biggest shake up to EU data laws in the past 20 years – and they’re probably right. If organisations continue to plead ignorance when it comes to IT security, they will sadly suffer the consequences, which are getting more and more severe.”
Iain Chidgey, VP and General Manager, International at Delphix:
"The EU General Data Protection Regulation (GDPR) is a call to arms for organisations. One of the EU's most heavily contested legislations, its controversial requirements threaten significant penalties for businesses worldwide that are non-compliant with data protection rules.
"However, it also offers hope by introducing a ‘carrot’ and ‘stick’ approach. A ‘carrot’ recommending ‘pseudonymisation’ to ensure personal information is no longer identifiable - reducing certain obligations on those who follow this approach. A ‘stick’ in the form of a threat surrounding the penalties for businesses that are non-compliant.
"For many enterprises, this will mean re-architecting operations to accommodate a data-first approach. The first step will be understanding where all the data sits. The second step will require technology that has the ability to scale and protect all data.
"For many, this will require an investment in new technologies that combine virtual data with data masking, meaning organisations can pseudonymise data once and ensure all subsequent copies have the same protective policies applied. Only by taking this course of action, can organisations future proof the business from costly data breaches and ensure compliance with all elements of new and impending regulation.”
Louise Bulman, Vice President & General Manager, EMEA at Vormetric:
“These new regulations are bound to have a significant impact – after all, potential fines of up to four per cent of global turnover for non-compliance will hit many unsuspecting organisations hard. As such, businesses will need to immediately begin taking steps to ensure watertight compliance, including investment in security technologies such as transparent encryption with access control, to reduce the risk of falling foul of the new laws.
“Understandably, for some, updating their IT infrastructure in this way will prove challenging – there are a number of things to consider first, including financial and time constraints. With only two years to achieve compliance, businesses must now ensure that they have a thorough understanding of what the new laws mean to them, and what measures must be put in place.
“Time is ticking away and the sooner companies start understanding and implementing adequate security measures and data encryption, the sooner the customers’ minds can be put at rest, knowing that the necessary precautions are being taken to keep their personal information out of the wrong hands.
The GDPR is a step in the right direction and will hopefully bring about a much needed wakeup call to organisations currently sleeping on essential security requirements.”