Dutch businesses unaware of impact of new data protection law

The European Commission is set to introduce new data protection rules, but few Dutch companies are aware of the impact the changes will have, according to Sophos managing director Pieter Lacroix.

Relatively few businesses in the Netherlands are familiar with the planned General Data Protection Regulation (GDPR) for Europe, according to Pieter Lacroix, managing director for the Benelux region at security firm Sophos.

“The old European data protection law dates from 1995 and while nothing has changed in the legislation in the past 20 years, the world around us could not have revolved faster,” he says, referring to the popularity of smartphones and the breakdown of office walls with the ability to collect, store and share data throughout the company.

According to Lacroix, there is a lot of pressure in Europe to pass the legislation quickly. It is not yet clear when it will be implemented, but it is expected to be in 2015.

“In the European Parliament, there was a 95% vote in favour of the new data protection rules. This shows that the law is going to be here anyway, which will have major consequences for businesses in Europe,” says Lacroix.

Proof of encryption

The law will require each company to protect the data of customers and employees, with all information that can identify an individual falling under the new rules.

“Companies must take ‘appropriate’ security measures to protect their privacy-sensitive data. That, of course, is rather vague language, but that's because the next act should hold for a few years. What is appropriate today might not be appropriate in 10 years or so,” says Lacroix.

He believes that, in our increasingly digital society, data is the new gold. Not only is a lot of data collected, but it is also shared, stored in the cloud and used on mobile devices, which are all possible risks, according to Lacroix.

“When you have a company with thousands of people walking around with laptops, it is not a question of if, but of when, one gets lost,” he says.  

Under the new legislation, the business is responsible for the loss of the laptop and must have proof that the security of the laptop was in order at the time of the loss or theft. 

“Many companies forget that part. They use encryption, for example, but have no reporting tools that enable them to demonstrate what exactly is encrypted and because the burden of proof will lie with the organisation, reporting tools are indispensable,” he says.

Data protection worryingly low

Many organisations still have a long way to go before they can meet the requirements of the coming legislation, says Lacroix. Sophos research shows that slightly less than half of the 1,500 respondents are unaware of the data protection policy of their organisation – a key element of the new legislation. It was also revealed that only 51% of company laptops are encrypted.

“Lost or stolen laptops are the most common source of data breaches, so this is a very alarming rate,” says Lacroix. 

The most worrying result is that only 23% of those surveyed protect their customer and employee data, according to Lacroix.

“This protection applies not only to inspection from the outside, but also from internal inspection. Organisations need to think carefully about who can see what data. In nine out of 10 companies, the system administrator can see everything. That sounds crazy, but it is the reality in many organisations. 

“And what if parts of a business are outsourced? Who has access to all the information on the servers? Who is responsible if something goes wrong and privacy-sensitive data is on the street? A lot of companies are completely unaware of that,” he says.

Data protection officer

Large organisations are usually well aware of the impending changes. The real ignorance lies with small and medium-sized enterprises (SMEs).

“A bakery or a bicycle shop that has a laptop with customer addresses, but is also used privately, falls under the same rules. If [the owner] loses the laptop on holiday, then they can look forward to high fines,” says Lacroix.

But such companies fall foul not only of European law, but also of Dutch legislation, which reflects the importance the Dutch government places on privacy and security.

The Bill on notification of data leaks was passed on 26 May 2015 and obliges Dutch businesses to report data breaches. It states that if a company loses sensitive information, it must immediately report the loss to the regulator and to the person whose data has been leaked.

The law also provides for penalty powers to be imposed by the Dutch Data Protection Authority for all possible violations of the law, with the data protection authority able to impose fines of up to €810,000 or 10% of annual turnover.

Another measure that might greatly affect SMEs when passed in the GDPR is the requirement that each organisation appoint an officer responsible for data protection. This applies to all companies that have more than 5,000 personal data records. 

“A small organisation that receives a few cents a month from around 10,000 people is already covered by the scheme. This could include a freelancer who has built a successful app, for instance,” says Lacroix.

Tooling and awareness

Sophos is currently trying to shake up the market and make organisations aware of the coming legislation and the impact of those rules. 

“Organisations need to ensure appropriate measures are combined with a clear data protection policy,” says Lacroix. 

In reality, he says, many companies hide behind often obsolete codes of conduct, which are difficult to maintain in a mobile and digital economy.

“You can say to employees that they can’t save anything in the cloud, email themselves or save any customer data to a USB stick, but in reality, when it works efficiently and conveniently for the employee, they’ll just do it anyway. Code of conduct or not,” he says.

According to Lacroix, there is a need for tools that, besides automatic encryption, also provide reporting capabilities. He also advises organisations to work on awareness among staff. 

“You do that by insisting on the importance of good passwords and on locking the PC when an employee leaves their workplace and consistently showing what you expect from your employees. 

“Someone who signed a code of conduct 10 years ago on joining the company can probably no longer remember what was in the code of conduct. Repetition is essential for awareness. Only through the combination of tooling and awareness can companies best protect their data,” says Lacroix.

Free check and template

To help organisations raise security awareness, Sophos has developed a free online check for companies to ascertain how much risk they run when the revised data protection rules come into effect.

The service also provides tips and advice on how data can be protected and how data breaches can be prevented. For companies that have outdated codes of conduct or none at all, there is also a downloadable template on the website as an example of a data protection policy.

The final negotiations of the proposed GDPR took place between the European Commission, the European Parliament and the European Council on 24 June 2015.

These three-party negotiations, known as the trilogue, are expected to conclude by the end of 2015 with the adoption of the regulation.

At a press conference following the first trilogue meeting, all three European institutions reiterated their resolve to reach an agreement by the end of 2015 and set out a series of meetings to finalise any outstanding points.

William Long, partner at law firm Sidley Austin, points out that the GDPR will apply not only to businesses based in the European Union (EU), but also to those outside the EU that process personal data collected through offering services or goods to citizens in the EU or from monitoring their behaviour.

This means the regulation will apply, for example, to a business in the US that collects personal data on its EU customers through its website. 

The European authorities want to make sure businesses comply with the detailed data privacy requirements under the GDPR, with data protection authorities in EU countries to be responsible for enforcement, including fines. In addition, the GDPR will adopt a so-called “one-stop shop” approach where a business will be subject to the supervision of a lead data protection authority in the EU country where it has its main establishment. 

With only a few months to go before the expected adoption of the regulation, Long believes it is important that businesses both inside and outside the EU gain an understanding of the effect the GDPR will have.
