The new General Data Protection Regulation (GDPR) was officially approved by the European Parliament last month, in what was described as a watershed moment for enterprise IT.
So, just how serious are the new regulations and what do they mean for both small and large businesses? We spoke to Mark Lomas, a senior consultant within Capgemini’s cybersecurity practice, to find out.
- The approval of new GDPR regulations has been heralded as the start of a new era for data protection. Do you agree?
Certainly. For any organisation processing personal data, the General Data Protection Regulation (GDPR) is big news as it covers a wide range of issues relating to personal data including privacy, monitoring and security.
Personally, I see the GDPR as the biggest legal change of the digital age, bringing data protection into the 21st Century and harmonising legislative agendas across the continent – a significant first for data protection. The directive that the regulation replaces was implemented differently between member states. The regulation will be common across all states.
It’s also worth remembering the scale of the impact the GDPR will have. Although it is a European regulation, its remit covers any organisation that provides goods or services to customers within the EU, or any company that gathers information concerning EU residents. Therefore, its impact will be felt on a global scale.
- What are the main challenges now facing companies?
Many organisations are just beginning to get to grips with personal data capture and use. As a result, the sophisticated level of monitoring and policing required under the GDPR will really stretch companies’ existing capabilities and will require a high level of expert advice in order to achieve full compliance.
The GDPR has also introduced a number of requirements that may be particularly challenging for businesses. The more difficult requirements which must be understood and acted upon include:
- Data breach notification – organisations must publish their security failings
- Data portability – the need for organisations to offer individuals their personal data in a legible electronic format
- The anonymisation and pseudonymisation of personal information – the separation of data from direct identifiers
- Data encryption – ensuring all personal information is protected, both in transit and at rest.
- How quickly do companies need to move now that the new regulations have been approved?
This all depends on your starting position. Businesses starting from a very low baseline of compliance will need to begin auditing their processes right away to ensure there is sufficient time to implement the wide-ranging changes required with regards to how they process, secure, protect and report on the stored personal data of customers.
However, businesses that have already started to assess and implement the required changes are in a strong position. That said, these businesses shouldn’t be complacent, as data processes should be at the top of the CIO’s agenda until the regulations come fully into force.
- What are the implications for businesses if they are not compliant in time?
The cost of non-compliance is extensive. Organisations could face fines of up to 4 per cent of global turnover for the previous year – a devastating amount for a business of any size.
- Do you think there's a danger that smaller companies with fewer resources will struggle to cope?
Some elements of the GDPR regulations, such as requiring businesses to gather explicit consent from customers to use their data, will inevitably hinder smaller companies. Companies outside the EU may be surprised at this additional burden. However, with a proper transition plan in place, the effects of these more burdensome aspects can be decreased.
The first thing any small business should do is to fully understand how the GDPR will impact them in particular, and to carry out a full assessment of which requirements apply to them in order to fully understand the areas that present the greatest risk to their business.
For small businesses, the efficiency with which the GDPR transition is handled will be crucial. Therefore, SMEs should consider appointing a project owner who can oversee the move to GDPR-readiness.