GDPR highlighted on Data Protection Day

Businesses dealing with EU citizens' data urged to ensure they are on track to comply with the GDPR in less than 16 months, as the world marks Data Protection Day 2017

Data Protection Day 2017 is being widely used to highlight the importance of preparing to comply with the European Union’s General Data Protection Regulation (GDPR).

In 2006, the Council of Europe decided to introduce Data Protection Day on 28 January each year to raise awareness about the risks associated with sharing personal data, best practices for data protection and what can be done if privacy rights are breached.

Data Protection Day, or Privacy Day, is marked globally with data protection initiatives and events by governments, parliaments, national data protection bodies and other stakeholders.

With the GDPR becoming enforceable on 25 May 2018, Data Protection Day has greater resonance, with the new legislation set to have a dramatic impact on businesses around the world that process the personal data of EU citizens.

“To make certain of compliance with the GDPR in time, organisations need to take action now to ensure they are capturing, integrating, certifying, monitoring and, of course, protecting their data,” said Patrick Booth, vice-president for UK and Ireland at data integration firm Talend.

“Data Protection Day is an invaluable reminder of the importance of being prepared because there is a lot to do. Businesses will need to track and trace how potentially sensitive data is managed and used across the whole information supply chain,” he said.

According to Booth, with the volume, variety and velocity of data growing fast and cloud proliferating, it is increasingly difficult for IT departments to take total ownership of the protection of personal data.

“Businesses need to establish a collaborative approach based on a data-centric shared platform for delegating accountability and responsibilities. This in turn requires enterprise-wide data governance that allows them to know where their data is and exercise better control over it,” he said.

GDPR compliance driving 

However, Booth said that while GDPR compliance might appear as a constraint on businesses, it helps drive best practice in data integrity, quality and governance, and represents a great opportunity to deliver customer-centricity and trust.

“So this year’s Data Protection Day should act not just as a warning sign to businesses but also a positive reminder of just what they could achieve by taking proactive action now to get a better handle on their data, manage it more effectively and ensure the highest possible levels of governance, privacy and protection,” he said.

Mike Simmonds, managing director of network analysis and management firm Axial Systems, said the data security landscape has undergone seismic upheavals in recent times, with the advent of bring your own device (BYOD) and the internet of things (IoT) revolutionising the way company data is accessed and moved from location to location.

“Many businesses have achieved enhanced productivity and greater operational efficiency as a result, but it’s also critically important that they keep their eye on the ball when it comes to the security of their data. The pending GDPR legislation is helping here, with significant fines for non-compliance and the threat of reputational damage helping to concentrate minds,” he said.

No business can afford to neglect the key issue of keeping their data secure, said Simmonds. “Data Protection Day has played a key role over the last decade in raising the profile of this vital topic, and it is a great idea to use a single day to highlight the crucial importance of keeping data secure both when at rest and when in motion.

“But my message to businesses is to never let your guard down, no matter what the time of year,” he said. “Remember data security on the day itself, of course, but don’t forget about it on the other 364.”

Data Protection Day is a timely reminder that, if businesses have not already begun, they need to start planning now for the GDPR, said Anthony Merry, director of product management at security firm Sophos.

“In less than 16 months, businesses need to be fully compliant with the GDPR,” he said. “It might still seem like a long way off, but it’s going to take some companies a long time to get ready if they currently have nothing in place to protect customer and employee data.

“Privacy isn’t something that can be accomplished in a day. It takes time to put the right processes in place and establish the right mindset throughout the business.”

Fines to be imposed for data loss

In the past, companies have largely got away with losing customer or employee data, but the new legislation will give authorities the power to impose large fines which, for a small company, could wipe out the business.

“It’s these companies that are most at risk of not being compliant in May 2018, especially since the EU authorities are likely to make an example of any companies suffering a breach once the GDPR comes into place,” he said.

Merry expects to see a gradual increase in companies looking at encryption technologies in the second half of 2017 as businesses start to take the GDPR seriously, with heightened awareness and interest early next year as companies scramble to be ready in time.

A first step towards compliance

To mark Data Protection Day, (ISC)2, the world’s largest body of information security professionals, has announced that its GDPR Task Force has published a guidance tool that organisations can use as a first step to making sure they comply with GDPR by May 2018.

The organisation’s EMEA Advisory Council’s international GDPR Task Force consists of members and consultants from around the world who are actively charged with implementing GDPR to track and curate front-line experience with the compliance effort.

The task force aims to share best practice to help all organisations comply and understand the new regulation.

“First observations from our group reveal that too many projects are falling at the first hurdle, with implementation teams unclear on or unable to secure business support, or the budgets needed for compliance,” said (ISC)2 in a statement.

“Tackling this common problem is the first step to ensuring businesses across the globe have the processes in place to deal with these new recommendations.
