The European Parliament recently passed the new General Data Protection Regulation (GDPR). If you don’t know what this is yet, then you should, as it is one of the most important legal changes of the 21st century.
The GDPR basically brings data protection legislation up to date and in line with current technologies. And it puts the onus squarely on companies and organisations that hold personal and sensitive data to be fully responsible for protecting that data. And with less than two years before the new EU rules come into force, it’s absolutely vital that companies know what this means for their business.
The topline news is that the 25th May 2018 is already being referred to as the “D-Day for security”, with the latest EU data protection rules specifically designed to protect European citizens’ personal data in our digital, always-on age of smartphones, social media and remote working. Even though the UK voted to leave the EU, UK businesses need to be aware that many of them are still on the same timeline for the upcoming GDPR regardless. UK organisations that are dealing with the data of EU customers and companies will have to ensure that they’re fully compliant with the regulation or face fines as a result.
It’s taken over four years for this extensive and complete overhaul of the incumbent EU data protection directive, which was originally put into place way back in 1995. That was a time when many of us old enough to have been of working age still didn’t have email addresses and mobile phones, let alone Twitter handles, smartphones and access to 24/7 always-on internet banking!
A new era of data security and protection
We live in a completely different era than we did twenty-one years ago, particularly when it comes to data security and protection. Back in 1995, data breaches and identity theft were not widespread, mainstream problems. And many of us still did our banking face to face, often being on first name terms with our local or business bank managers.
It’s easy to see, put in that context, why so many look back on the pre-web, pre-mobile era with rose-tinted nostalgia spectacles. We didn’t have to worry about data theft, hackers, cybercriminals or even need to remember countless different passwords for our various online social, email, bank and other accounts and services.
There is a reason why companies hold so much data on us, in terms of financial data and records of our consumer behaviour and lifestyle habits. It’s so those same companies are able to deliver better products and services targeted to our individual wants and needs. We share our personal data because it benefits us. And there is a trade-off between the amount of personal data we are willing to share with a company and the quality and convenience of service we expect from them in return.
It is also why the colossal amount of data collected, stored and accessed by businesses and organisations is incredibly valuable and, should it be hacked and get into the wrong hands, can (potentially) be extremely distressing for consumers and citizens.
Security can no longer be an afterthought
We will take a closer look below at the main aspects of the new EU regulation that businesses, organisations and institutions need to be immediately aware of. Firstly though, the most important thing to know is that all companies will now have to notify both authorities and affected individuals when a data breach occurs, meaning that companies that previously ignored these breaches or just swept them under the carpet will no longer be able to do so.
At this point, it should also be stressed that the GDPR has been specifically designed to benefit European citizens and businesses alike. Businesses just need to be aware that there are very high penalties for any organisations that don’t comply with the new security regulation. This means that data security can no longer be an afterthought, because if a major hack or data breach occurs, then it could well hit your bottom line hard.
If your company is hacked and deemed to not have implemented sufficient compliance measures - such as end-to-end security process reviews and putting the correct data protection measures in place - the proposed fines are going to be harsh. The regulation recommends up to four per cent of your annual worldwide turnover or €20 million, whichever is greater. The necessary changes that business must make to avoid being hit with such penalties may well feel like a big change. And, for those that haven’t yet properly implemented proper end-to-end security and data encryption measures, it most likely will be a big change. But the important thing for businesses to understand is that the regulation has also been devised to benefit them in the longer term, as they will no longer have to deal with different regulations from each of the 28 member states.
Security and data protection must now be seen as a high priority for all European businesses. The facts speak for themselves. According to the Breach Level Index, over 700 million data records were compromised last year as the result of 1,650 data breaches, so the new EU Data Protection Regulation is clearly a significant step forward in protecting European citizens, as well as giving them far more control over their personal data.
Many in the business community still have their heads in the sand when it comes to learning about and understanding the data privacy and data protection laws that apply to their companies. This ignorance will be far from bliss for those folk if they don’t wise up very quickly and accept that the GDPR is going to affect almost every area of their enterprises. Two-stage authentication, proper data encryption, intelligent encryption key management: all of these techniques and security technologies are essential for compliance with the GDPR. And these are not things you can start to think about next year, because the clock is ticking!
The countdown begins now. Businesses need to get their data security strategies in order or face the prospect of a major data breach and the huge commercial penalties that the GDPR is soon to introduce. Not to mention the immense loss of consumer trust in your brand.
You have less than two years to future-proof your data privacy processes. Be warned!
Jason Hart, CTO, Data Protection at Gemalto