1st June 2016
The extended EU data protection laws come into effect in 2018. It may seem a long way off. But, if you want to be certain your business is going to comply and avoid potentially hefty financial penalties, the time to start preparing is now.
If your business collects, manages or handles personal data in any way, it’s highly likely that you’ll have to comply with the new General Data Protection Regulation (GDPR). The definition of what constitutes personal data has also widened, so you should consider carefully the implications for your business.
The benefits and opportunities for companies are set to be numerous, with the new regulations acting as a key enabler of the Digital Single Market. Improved data security is, of course, a positive thing; it helps to mitigate identity fraud and reduces opportunistic cyber attacks.
We are all represented in digital data terms now in some way, and anyone whose data is registered anywhere in the EU should benefit from GDPR. But safeguarding that data, including how it’s collected, managed and stored, is going to become a serious business issue.
What does this mean for businesses? It means internal IT security policies will require fundamental change. Non-compliance will incur potentially very heavy fines.
What is the GDPR?
The General Data Protection Regulation essentially reforms the outdated Data Protection Directive. It was adopted by the European Parliament on 14th April 2016, with a deadline for legal effect of 25th May 2018.
This new law is the result of a political agreement across the EU. Currently, businesses operating in the EU do so under 28 different data protection laws. This fragmentation puts expensive administrative obstacles in the way of business activities, particularly for SMEs, when they’re trying to access potential new markets.
The new regulations will establish a single, pan-European law for data protection, bringing estimated benefits of €2.3 billion to EU companies per year. At the same time, GDPR gives individuals more control over what they do with their data.
For example, new data portability rights mean people can move their data easily from one service provider to another. Start-ups and SMEs will also be able to access data markets currently dominated by large enterprises, enabling greater competition across the European economic community.
Data security and current corporate culture
Compliance with GDPR is going to mean all companies will have to alter their data security practices to some degree. For many, it could mean radical changes to current policy and protocol.
Two years from adoption to law might seem like plenty of time for these changes to be implemented. But if your organisation needs to completely transform the way in which it collects and uses personal data, you’ll find it isn’t long at all.
The main issue with compliance with this new regime is that entirely new data security and management behaviours must be adopted company-wide. Essentially, the whole of the European Union is moving from quite relaxed data protection rules to extremely stringent ones.
It will now be compulsory for businesses to be able to demonstrate how they comply with the GDPR. They must be able to show that they genuinely adopt governance and accountability standards and that they are taking data privacy obligations seriously.
Failure to meet these requirements will mean expensive fines: up to €20 million or 4% of annual worldwide turnover, whichever is greater.
Data breaches are a fact of life for all businesses
It doesn’t matter how big or small your business is, data breaches are happening all the time. Thinking you’re too small to be of interest to cyber attackers is extremely foolish.
If anything, recent trends show us that your association to a larger company is all it takes to make you an attractive target. And if your security policy is lax, you’re an easy target too.
Under the new GDPR, a data breach will not only see you lose out in terms of profit and reputation, as it does at the moment. From 2018, all businesses will be facing those hefty fines too.
Larger firms tend to have better security measures in place. They recognise their target status and have the budget to assign dedicated staff to manage network protection. Cyber attackers know this, which is why there has been a sharp increase in attacks on suppliers to larger companies, rather than the larger companies themselves.
These smaller businesses are usually less well protected. Their networks can be accessed more easily and either mined for data relating to their large clients, or potentially used as an access point to larger networks.
What you should be doing now
By 25th May 2018, you need to be GDPR compliant, and that process should already be underway.
Understanding how your networks can be breached and the kind of threats your business is facing is the first step. Secondly, you need to understand exactly who on your teams is accessing your networks and how.
Regardless of anti-virus software and passwords, your networks are only as safe as the weakest access point: that could be a careless person one time only, or an unsecured mobile device.
How prepared do you think your staff are for an attack? What would they do if, despite their best efforts to be secure, they unleashed a worm onto your servers? Do they know that even disconnecting their computer cable physically from the network might not be enough?
Would they be likely to hope for the best, thinking they’d pulled the plug in time? Or would they let someone know, just in case they’d opened a malicious-looking email in error, at the risk of getting into trouble?
The GDPR is going to require a unified approach to data security, with all your teams working in the same way, to the same set of rules, all the time. You may think your firewall is the gatekeeper to your networks, but that is not strictly true. Your staff are your gatekeepers, and training them in secure practices is certainly something you should be looking into already.
Data security is not a one-time practice that you can then assume will be done forever. Threats change almost every day and your security policy must be updated regularly to reflect this.
Test your intrusion prevention and detection. Is it good enough? Firewall-as-a-service is already being offered by forward-thinking IT service providers. It is certainly worth considering as a means of ensuring the best possible software protection, as it is updated almost constantly in line with current threats.
Key steps to include in your plans:
- Engage an outside company to conduct a complete network security audit, including penetration testing. Understanding where you are right now in terms of network security is critical in being able to plan your next steps.
- Start improving staff awareness of security threats. Do all of your staff know the kinds of threats that exist? Do they know how malware can enter your networks? Would they recognise a malicious email?
- Plan training sessions or workshops to educate your staff on what to do if a breach does occur: who they should tell immediately and what actions they should take.
- Assess your existing security policy. How do you currently safeguard data stored on your servers? If a breach was to occur, what processes do you have in place to minimise data loss or damage?
- How up to date are your firewall, virus protection and any other anti-intruder software? Have you considered the best way of making sure these stay up to date?
Many of the obligations you’ll face in GDPR compliance may be entirely new. Creating a solid foundation on which to build your new strategy and approach to data security is critical if you’re going to have everything necessary in place by 2018.