Tim Critchley – Chief Executive Officer
The start of 2016 has seen the European Parliament finally agree, if only informally so far, to bring the much-debated General Data Protection Regulation into effect in 2018. With a start date now in place, the announcement is likely to have businesses reassessing their data processes, and it clearly demonstrates that the EU is putting citizens front and centre. While some of the new measures have been criticised for being too tough, the Commission has sent a strong message that it will no longer accept lax security around EU citizens’ sensitive information. Evidently, the Commission has stepped up to the plate to fight the battle on behalf of consumers.
Much of the discussion here in the UK has been about how much it will cost businesses. To bring a company in line with the updated law, many organisations (public authorities, and any business whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data) will need to appoint a Data Protection Officer. Whoever holds this position must be able to give recommendations or feedback without fear of negative consequences, rather in the same way as union representatives. Companies will also need to show that they have the necessary framework in place to comply with the regulation, for example processes around data flows and access, governance, third-party touch points, privacy policies and regular security testing. These fairly simple requirements seem unlikely to total £300,000, which was the figure initially touted by the UK government as the average cost for a business to prove compliance. Yes, there may be initial outlays around the regulation, but in the long run, being able to show consumers that your company is as secure as possible will boost customer confidence and brand loyalty.
Having said that, fines surrounding a data breach have increased significantly. Since 2010, the Information Commissioner’s Office (ICO) has been able to fine companies up to £500,000 for breaches of data privacy or security, so by comparison the new penalties of up to 4 per cent of worldwide annual turnover or €20 million (whichever is higher) really do indicate the seriousness of the regulation. This may seem heavy-handed to some, but these new laws have been a long time coming and are finally catching up with the realities of operating in the modern technical world. No doubt the magnitude of the fines will make C-level executives sit up and take privacy and, by extension, data security, a lot more seriously.
The new law will also require companies to report a data breach to the regulator within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk. The EU Commission is sending a clear message that it will not accept any attempt by companies to hide an attack on data. The clock starts at the moment of awareness, so the stringent timeline means companies cannot afford to drag their heels either in securing information or in working out what happened once something goes wrong. IT teams and managers should be acting now to ensure they are adequately prepared to protect against a breach, detect it, and then notify of it quickly and efficiently.
While the threat of a fine is certainly enough for people to take the new regulations seriously, the damage of a data breach to company image can’t be overlooked. After all, a brand is only as good as its reputation. In fact, our own research has shown that 86% of customers would not do business with a company that had seen data stolen or compromised. Having customers desert your brand in droves and watching sales plummet is only the tip of the iceberg though. Falling share prices, staff redundancies and store closures are also very real risks.
When it comes to fines, the new EU GDPR will impact not only data controllers (those who determine the purposes and means by which personal data is processed) but also data processors (those, other than employees of the controller, who process data on behalf of the controller). Under the prior rules only data controllers could be fined. Suppliers frequently hold or handle the data on a controller’s behalf and so are often found to be the weak link in the event of a breach, yet they have hitherto been largely immune to the consequences. The change means that processors, security and hosting vendors included, will also have to assume financial responsibility for data breaches, adding to the incentive for them to hold the industry certifications that prove they are up to the job of protecting data to the highest standard.
Ultimately, most companies are unlikely to see much impact on their day-to-day operations. But people need to start paying more attention to their flow of data: what data you actually capture and store, where it goes, who can reach it, and what is happening to the information throughout the entire business.