The coming EU General Data Protection Regulation (GDPR) has much to offer businesses, but there is no time to lose in getting ready, says security firm Websense.
“Businesses need to reorganise to take a risk-based, data-centric approach to data protection as soon as possible,” said Neil Thacker, information security and strategy officer for Europe at Websense.
There are several benefits to the proposed legislation, but to tap into those positive aspects, businesses should start work now to ensure they comply, he told Computer Weekly.
Although some businesses have started preparing, Thacker said many are still waiting for the final draft of GDPR before taking any concrete action, including coming up with a compliance strategy.
“Waiting until a final version is agreed may be too late, because although businesses could have up to two years to comply, that may not be long enough to refocus the organisation on data and risk,” he said.
According to Thacker, businesses need to ensure they understand who owns the data in the organisation and that they are working with their security teams to ensure personal data is protected adequately and has appropriate security controls around it to meet core EU data protection principles.
“All businesses should already have started communicating with their board, legal department and data protection officer about formulating a risk-based, data-centric strategy,” he said.
Although the core principles are unlikely to change under the new regime, businesses must be prepared for bigger fines or penalties for non-compliance.
“Whatever the final percentage of global annual turnover the fines are set at, for larger UK firms it is likely to be greater than the current maximum of £500,000,” said Thacker.
In the past, larger companies have tended to accept the risk of a £500,000 fine rather than review and amend their business processes.
“The fines under the new rules will be significant for any organisation, and so now every business should be adapting their processes to ensure they can comply with the new rules,” said Thacker.
He recommends that every business ensure it has processes in place to:
- Inform people that their data is being collected and for what purpose.
- Guarantee that data is used only for the stated purposes.
- Ensure that personal data is kept safe and secure from abuse, theft or loss.
- Inform people of any third parties who have access to the data being collected.
- Enable people to access their personal data and correct any inaccuracies.
- Provide ways of holding data collectors accountable for adhering to data collection principles.
- Ensure that no data is transferred to a country outside the EU that has inadequate data protection.
However, Thacker said not all the effects of the new rules will be negative. “Having just one set of rules for all EU countries will make life a lot simpler and easier,” he said.
The biggest benefit of the proposed changes, said Thacker, will be a clearer understanding of what is required across all 28 EU member states with a single, standard regulation.
Thacker believes the new rules will enable businesses and empower data protection officers, who will no longer have to come up with 28 different policies and strategies to comply with local laws.
“Even the penalties have a positive side because they will make it easier for CIOs and CISOs to make business cases for investing in data protection technologies, training and processes,” he said.
According to Thacker, some CISOs are “excited” by the prospect of being able to express non-compliance with data protection laws in financial terms that the business will not be able to ignore.
Versions of the new EU data protection regulation to replace the outdated 1995 directive have so far been approved by the European Commission and the European Parliament.
However, a version is yet to be formulated by the Council of Ministers, and only then will the final version be hammered out by all three groups.
Many do not expect this to be done before January 2016, which means the new law will not be in force until 2018, but lawyer Stewart Room has warned that EU regulators are already acting as if the new law were in force.
Like Thacker, Room says organisations cannot afford to wait until the final version is agreed, and in the light of recent rulings in the EU, companies that have failed to act may already have missed the boat.