The EU's General Data Protection Regulation is expected to be passed within the next two years – although it's looking increasingly unlikely that it will be this year. Draconian measures are expected: proposals include fines of up to two percent of annual income or 100 million euros/dollars for failing to protect EU citizens' personal data, and a shift from a self-regulated environment to an enforcement regime which will affect any organisation storing personal identifying information on European citizens.
According to the Varonis survey, 48 percent of organisations would be able to report a data breach within the required 72-hour deadline with 31 percent also claiming they were not prepared for the legislative changes.
The survey, which was carried out at the CeBit event in March, also suggested that banks would be the first to be fined, although David Gibson, VP at Varonis, thought that they would be the companies best able to handle the fallout from any breach. “Banks typically have the best protection and reporting so if they do have a breach they will be well placed to reduce the fine by meeting the reporting deadline,” he said.
He suggested that other industry sectors were in bigger trouble. “There are many other sectors that are not as used to operating within a 72-hour breach notification regime that will be unable to respond in time unless they start to invest in new people, processes and technology now,” added Gibson.
The lack of preparation, however, is seen as concerning given the way in which the European Union has been open in its intention to push for a change in data protection. Gibson said: “Organisations need to invest now in the technology to detect and mitigate a breach before the legislation comes into force. An area that is often overlooked is the sensitive unstructured data stored in documents, files and emails without any control or visibility of who is accessing them.”
The new legislation could force companies to rethink strategy when it comes to data collection. “Most organisations aren't tracking the usage of unstructured data and that's causing them trouble. Too many have users who have access to too much data. The new legislation is forcing organisations to take a look at what they're collecting, who's using it and how to delete data once it's been used,” he said.
Lawyers have expressed concern at the lack of preparation by organisations. Conor Ward of Hogan Lovells said he wasn't surprised that companies would struggle to deal with an incident. “Once a breach is suspected, it can take some considerable time to actually find out what has happened. During the first 72 hours it is quite likely that the company will have little detail to enable it to provide an accurate and meaningful report. Indeed, whilst the company may know that their systems have been compromised, they may not know what data has been affected.”
Meanwhile, Mark Deem, a partner at Cooley LLP, said, “Companies would be well-advised to take a new and holistic look at the way data is captured, retained and processed within their organisations from a legal and technical point of view. Not only will this ensure that they are well positioned to meet the new requirements, but a thought-through framework based upon advice could prove to be a valuable point in mitigation should any fine be proposed, by demonstrating a clear move beyond tick-box compliance to the formation of a robust environment for its data.”