Next year new data protection legislation comes into force across Europe. The EU General Data Protection Regulation (EU GDPR) replaces current EU and national data protection legislation and will apply from 25 May 2018.
The reform aims to standardise regulations across all EU member states and strengthen online privacy rights. Its predecessor, the EU Data Protection Directive, has been in place since 1995 and required a re-think given the technological changes that have taken place over the last 20 or so years.
However, with little over a year to go, the vast majority of businesses are yet to properly prepare for the changes – and at over 200 pages long, there’s a lot that needs to be thought through. The regulation covers everything from data portability to consent for data collection.
However, one of the most important changes that requires some very serious consideration is around data breach reporting. As part of the new laws, businesses will have just 72 hours from discovery to disclose a data breach incident and will face hefty fines – up to four per cent of the company’s global turnover – for failing to adequately secure the data in their possession.
The financial repercussions of data breaches are already escalating – as shown by the fact that Verizon wiped $350m off Yahoo’s acquisition price – and for many organisations, this kind of financial loss could be devastating.
While getting prepared for the EU GDPR will no doubt cause some headaches, it should be acknowledged that, in the long run, it will establish greater security practices across the board.
In recent years both the frequency and severity of data breaches have skyrocketed, and the impact – both on businesses and their customers – is following the same trend. This means that adequately protecting data can no longer be an afterthought but must be a priority, and the EU GDPR will go a long way towards ensuring this happens.
The role of technology
Technology will clearly have an important role to play in ensuring compliance with the EU GDPR, but in the event of a breach it will also now be the difference between potentially ruinous fines and reputational damage on the one hand, and coming out unscathed on the other.
As part of the new legislation, businesses must be able to prove they have “… appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of personal data”.
Additionally, and critically, “Notifying data subjects about a breach of their personal information is not required provided the data was protected by technical and organisational measures, ‘in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption’.”
In short: encryption is now a necessity for every business.
However, no two organisations are the same and before any decisions about technology can be made, it’s important to assess what your current IT landscape looks like, what data you hold and what needs to be put in place for compliance.
Tackling the EU GDPR one step at a time
(1) Assess the risks posed to sensitive information by understanding how your organisation processes and handles data
This internal review should cover all procedures at all levels of the business, looking at the types of information that employees create or receive from clients or third parties, who within your organisation has access to it, and the tools used to share sensitive information both internally and externally.
(2) Educate end-users
Not only should this be carried out as a best-practice exercise, it should also relate directly to the results of your internal audits. If employees are using tools like Dropbox without express permission from the organisation, or are sending sensitive information via plaintext email, it is important to work with them so they understand the threat this poses and the repercussions should it lead to a data breach. Additionally, effort should be made to train staff thoroughly in the data security tools available to them, and to motivate them to use this technology by, for example, making adherence to data protection policy a subject in performance reviews.
(3) Support employees with smart technology
Organisations also need to acknowledge that today’s increasingly complex IT environments do not lend themselves to a one-size-fits-all approach, so security solutions need to offer the necessary flexibility, be that email encryption, large file transfer or secure online collaboration. Greater protection can also be applied by taking decision-making away from individual end-users. Rather than relying on a member of staff to decide when an email or file should be secured, centralised policy-based control that uses the specific content of an email as the basis for security decisions leaves far less room for error.
It may seem overwhelming, but tackling the EU GDPR strategically and logically will make the task more manageable.
Starting the process early will also avoid any unnecessary pressure when decisions are being made, and will give you time to source the tools and partners that are best placed to fit your needs.
Tony Pepper is co-founder and CEO at Egress