By Shane Lewis, Information Security Manager
With the EU General Data Protection Regulation (EU GDPR) creeping ever closer, recent figures released by the should set alarm bells ringing for big businesses. The organisation reported that, had the new legislation already been in place in 2016, data breach fines doled out by the Information Commissioner's Office (ICO) could have soared from £880,500 to a staggering £69 million. Doing the maths, that’s an increase of almost 8,000%!
While these figures have been criticised by some in the infosecurity industry as being overblown and representing the upper limit of the fines that could be imposed under the EU GDPR, companies should nonetheless take them as a serious warning sign. It’s true that your business might face less stratospheric fines in the face of a data breach, but you can be sure your customers will punish you just as drastically. Your company’s reputation is key to its existence and any damage to it is likely to see your loyal customers walk out the door, which is where the true financial consequences will be felt in the long term.
So, what do you need to know about the EU GDPR to start preparing?
The EU GDPR officially comes into effect on May 25th 2018. Here are a few key pieces of information you need to know, to get up to speed with what it will mean for your company.
The current legislation in place – the UK Data Protection Act (DPA) – means that the ICO is only allowed to hand out fines of up to £500,000 for data breaches, nuisance calls and misusing customer data. Following the introduction of the EU GDPR, the body can fine companies up to €20 million, or 4% of group turnover, whichever is the greater value.
Security by design
The GDPR requires that privacy is included in systems and processes by design. This means you should be using IT solutions that have been built from day one with data security as their core foundation.
Defining ‘personal data’
A key point of the EU GDPR, which will have a significant impact on organisations from a range of industries, is the redefinition of what constitutes ‘personal data’. Sets of information that were previously not covered under the DPA, for example cultural, economic and social details, will become governable under the new regulations.
The regulation will require companies to explicitly ask for consent from consumers to use their personal data. As part of this, before asking for details, businesses will need to clearly outline to consumers how much of the data they intend to keep on file. And in the event of an audit by the information controller, companies must be able to prove that they have valid consent from consumers to use this personal data.
The right to be forgotten
To comply with the regulations, companies must also give consumers the ‘right to be forgotten’. This means that if a customer decides they no longer want to share their data, they can ask for it to be completely erased from the database.
What you can do to be prepared
So, given that the EU GDPR is going to make the job of securing data even more complex, every business should be taking steps to ensure they’re on the right side of the 260-page regulatory reform come 2018. Here are my tips on how you can prepare.
- Data discovery
With only 12 months until the regulation is rolled out across the EU, the first crucial step is to map not only where your data is currently being stored, but also what types of data your organisation holds. Undertaking a comprehensive data audit will help you ascertain which pieces of information need to be protected under the new regulations, and which fall outside their remit.
- Assemble your EU GDPR team
The EU GDPR is complicated. It will require experts from across the organisation to come together and decide best practice for your company. This team might also include third parties, such as security providers or cloud companies that are tasked with protecting and storing customer data. But most crucially, you will need a data privacy officer (DPO). A DPO can advise on the processes needed to confirm that current privacy policies already meet the requirements of the EU GDPR, or on how to bring those policies up to date with the regulations.
- Become an expert in security ‘language’
If you’re going to be able to operate effectively once the EU GDPR is fully implemented, you need to understand the basics when it comes to data protection lingo. And this knowledge must be extended to all staff, including new recruits. For example, people need to know the difference between pseudonymisation and anonymisation, and what it means when someone refers to the ‘right to erasure’.
- Look beyond your borders
Do you have operations overseas, for example, that collect information about EU citizens? Don’t be fooled into thinking this data is outside the remit of the EU GDPR. Any organisation that collects data about European citizens falls under the new regulations.
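To make the terminology in the ‘security language’ tip concrete, and to show what the ‘right to be forgotten’ section asks of a data store, here is an added example (not code from the original article or its author). It uses a constructed customer data set and a hypothetical key. Pseudonymisation is shown as keyed tokenisation (HMAC-SHA256) with a separately held lookup table, so the controller can still re-identify a record; anonymisation is shown as generalisation and suppression, so no record can be linked back to a person. Erasure removes the subject's rows and the key-to-identity link.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records (hypothetical customers, not real people).
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "age": 34, "spend": 120.0},
    {"email": "bob@example.com", "postcode": "SW1A 2BB", "age": 37, "spend": 80.0},
    {"email": "carol@example.com", "postcode": "M1 1AE", "age": 52, "spend": 300.0},
    {"email": "dave@example.com", "postcode": "M1 2BC", "age": 58, "spend": 45.0},
]


class Pseudonymiser:
    """Replaces a direct identifier with a keyed token.

    The token is stable (same email -> same token) so records can be joined,
    but it can only be resolved back to a person by whoever holds both the
    key and the lookup table. That link is why pseudonymised data is still
    personal data under the GDPR.
    """

    def __init__(self, key: bytes):
        self._key = key          # hypothetical secret; keep it out of the data set
        self._lookup = {}        # token -> identifier, stored separately

    def _compute(self, identifier: str) -> str:
        normalised = identifier.strip().lower().encode()
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()[:16]

    def token(self, identifier: str) -> str:
        t = self._compute(identifier)
        self._lookup[t] = identifier
        return t

    def reidentify(self, token: str):
        """Returns the original identifier, or None once the link is gone."""
        return self._lookup.get(token)

    def forget(self, identifier: str) -> bool:
        """Drops the token-to-identity link; returns True if one existed."""
        return self._lookup.pop(self._compute(identifier), None) is not None


def pseudonymise(records, p: Pseudonymiser):
    """Swaps the direct identifier for a token; other fields are kept as-is."""
    return [
        {"subject": p.token(r["email"]), "postcode": r["postcode"],
         "age": r["age"], "spend": r["spend"]}
        for r in records
    ]


def anonymise(records, min_group: int = 2):
    """Generalises quasi-identifiers, aggregates, and suppresses small groups.

    Postcodes are reduced to the outward area and ages to ten-year bands;
    only per-group counts and averages are released, and any group smaller
    than min_group is dropped so a single person cannot be singled out.
    """
    groups = defaultdict(list)
    for r in records:
        area = r["postcode"].split()[0]
        low = (r["age"] // 10) * 10
        band = f"{low}-{low + 9}"
        groups[(area, band)].append(r["spend"])
    released = []
    for (area, band), spends in sorted(groups.items()):
        if len(spends) < min_group:
            continue  # suppression: too few people to publish safely
        released.append({"postcode_area": area, "age_band": band,
                         "count": len(spends),
                         "avg_spend": sum(spends) / len(spends)})
    return released


def erase_subject(pseudo_records, p: Pseudonymiser, identifier: str):
    """Right to erasure: remove the subject's rows and the re-identification link."""
    t = p._compute(identifier)
    p.forget(identifier)
    return [r for r in pseudo_records if r["subject"] != t]


if __name__ == "__main__":
    p = Pseudonymiser(b"constructed-demo-key")
    pseudo = pseudonymise(RECORDS, p)
    print("pseudonymised:", pseudo[0], "->", p.reidentify(pseudo[0]["subject"]))
    print("anonymised:", anonymise(RECORDS))
    remaining = erase_subject(pseudo, p, "alice@example.com")
    print("after erasure:", len(remaining), "rows;",
          "alice resolvable:", p.reidentify(pseudo[0]["subject"]) is not None)
```

Two things are worth noticing when you run it. The pseudonymised output still contains exact postcodes and ages, and the controller can turn the token back into an email address, so it remains personal data and an erasure request must also clear the lookup entry. The anonymised output never contains a row per person; raising `min_group` above the size of any group suppresses everything rather than releasing a group of one.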
The big picture
Ultimately, the GDPR’s aim is to protect the privacy of citizens. If you suffer a data breach, you’re going to have to prove that you’ve done everything you can to protect personal data. The best approach for information like payment card numbers and banking details is to not store it in the first place. After all, cyber criminals can’t hack what you don’t hold. With your business and reputation on the line, make sure you fully understand what these regulations mean for you.