An average of 59% of senior UK IT managers in large enterprises believe the proposed new EU data protection framework will cost their business more money, a survey has revealed.
Only 11% said costs would go down, while 23% expected it to stay the same and 7% were unsure, according to the SecureData EU General Data Protection Regulation UK Enterprise Inquiry.
Retail, distribution and transport sectors were the most concerned, with 72% saying it would cost them more, followed by financial services (56%), and manufacturing (44%).
Security and compliance officers need to begin assessing the risk presented to their organisations, said Etienne Greeff, managing director of SecureData.
The draft proposals require organisations to notify data protection authorities and affected data subjects within 24 hours. Nearly two-thirds of respondents said this would help improve business and security processes, and 58% said it would improve data protection.
But 40% expressed concern that it would advertise security weaknesses before an appropriate security review could be completed, 36% feared "false alarms" from pressures to notify of data breaches quickly, and 14% said it could reduce the possibility of catching data thieves.
Raise awareness of security responsibilities
SecureData recommends setting up security forums to grow awareness of IT security, the proposed EU data protection laws and associated risks; developing an incident response plan that includes notifying the relevant authorities; and building a digital forensic capability to catch data thieves and help build stronger defences.
"Organisations should [identify] the most important processes to improve and balance this cost against the proposed fines for data breaches to build a business case," said Greeff.
The draft proposals enable data protection authorities to fine companies that violate the EU data protection rules up to €1m or 2% of their global annual turnover.
"This should make it easier to justify investments in information security, but it should also encourage businesses to make information security a standard element of all business processes," he said.
Outsourcing security roles
The draft proposals require all businesses with more than 250 employees to appoint a data protection officer, but more than a quarter of respondents said they envisage their enterprise outsourcing this role. However, Greeff said this figure will come down as EU requirements become clearer.
The survey also found that firewall and network managers are the most likely security roles to be outsourced (35%), but only 8% in financial services would consider an outsourced chief information security officer (CISO) compared with 28% in the manufacturing sector.
SecureData said organisations should regularly evaluate what makes sense to keep in-house and what services are better outsourced to an expert third party, and consider outsourcing the CISO function to save costs.
Compliance is a growing challenge
One of the controversial proposed requirements promises internet users the "right to be forgotten", which would allow people to ask for data about them to be deleted. Organisations will have to comply unless there are "legitimate" grounds to retain the information.
Carl Shallow, head of compliance at SecureData, said the new internet economy is vital to Europe’s economic recovery and the need for increased data protection must be finely balanced with freedoms for technological and business model innovation.
Enterprises must identify exactly what is sensitive data and where it resides, because there is frequently an abundance of "lost" unstructured data siloed across IT estates, he said.
The proposed new EU data protection framework, said Shallow, is an ideal opportunity for businesses to review data governance procedures and management solutions.
Compliance with the proposed new EU data protection laws and a growing list of other regulations is becoming increasingly important for more and more people within UK enterprises, said Greeff.
The survey revealed that 31% of respondents frequently have some responsibility for IT compliance, 41% regularly have to work on IT compliance issues, while 6% said it was the main focus of their job.
"This is a much higher proportion than just a year ago, when only around 20% said they had 'regular' responsibility for IT compliance," said Greeff.
The survey highlighted that dealing with compliance issues is not the preserve of a few individuals, and that senior IT managers across organisations have to understand and deal with compliance requirements, he said.