The EU GDPR aims to herald a new era of “privacy by design”, intended to bring about a change in mindset in the way companies handle their customers' data and to make companies more accountable to consumers for their actions.
GDPR stipulates certain measures that can be carried out to avoid needing to report data breaches - such as data pseudonymisation and encryption, which must be accompanied by continuous testing and assurance that the data is still secure - otherwise all breaches must be notified to the relevant authorities within 72 hours. This has made companies question everything from the visibility they have of their own estate to the basic procedure of who would do the actual notification.
Istvan Lam, co-founder and CEO of Tresorit emailed SC to say that: “The GDPR is a key step towards protecting the personal data of people and keeping the right to privacy in mind all the time. Complying with the new regulation is not easy for companies who store personal data in the cloud, but encryption simplifies the process a lot.”
There are a number of changes brought about by the GDPR, such as the requirement to
Individuals, or “data subjects”, also suddenly gain a lot more power over their information. Consumers have the right to choose whether they want to be marketed to, and will have the power to ask for their data to be removed from a company's systems.
In an emailed comment, Dr Jamie Graves, CEO at ZoneFox, said: “The GDPR is a game changer in every way, from bolstered rights for individuals through to a daunting new fine structure designed to hit companies exactly where it hurts – their bottom line. It is the sort of overhaul that gives even the most seasoned executive team sleepless nights, due to its complexity and how it touches on every aspect of their business.”
Are companies preparing?
Since the GDPR was given an enforcement date, SC has seen many surveys which claim that the changes companies must make to the way they operate to accommodate the GDPR are happening at a slower pace than expected.
Varonis recently announced in a press release findings from a survey by VansonBourne which says: “75 percent of organisations confess they will struggle to be ready for the deadline [of the GDPR]. 42 percent say that it's not a priority for their businesses”.
Varonis adds: “UK respondents are more pessimistic than their peers around the globe about the impact of the regulations on businesses, but more positive about its impact on consumers: 61 percent believe that as consumers they will benefit from their own personally identifiable information (PII) being better protected. Only 37 percent think it will reduce breaches (versus 53 percent of Americans)”.
This is worrying, considering that under the GDPR the fines for a data breach are up to either €20 million or four percent of global annual revenue.
However, the UK's governing body for data breaches, the ICO, has never issued the maximum £500,000 fine possible under the current data protection laws. The largest it has imposed is £400,000, on telecoms company TalkTalk, which had customer information stolen from its systems by teenagers.
Contrary to the many shocking statistics on GDPR unpreparedness, at yesterday's Kaspersky Lab UK roundtable on the GDPR, Sue Daley, head of cloud, data, analytics and AI at techUK, said that although this may be the case, most techUK members are now moving from an awareness mindset to an understanding and ‘doing' one, and are starting to implement the changes required.
Daley said that although Brexit raised doubts for some, companies would still need to comply with the GDPR; it was most certainly not getting in the way of preparation, as the Department for Culture, Media and Sport had announced that the GDPR is here to stay, bringing the UK up to the standard required for data flows in and out of the trading bloc.
Daley also noted that the Information Commissioner's Office had received over 300 responses to its GDPR guidance on consent.
It's not all doom and gloom, but act fast
Speaking at a recent SC Media UK roundtable on the GDPR, Mark Watts, partner at data protection specialist law firm Bristows, said the biggest challenge for companies under the GDPR is subject access requests (SARs), where an employee asks for all the data the company holds on them.
Watts warned that these typically take six weeks to turn around, and of course, with unstructured data such as emails, the challenge is “how to deliver it”. Often, emails will contain data that is not about the person making the SAR, or may contain private company information, which the subject of the request is not entitled to. The challenge then is combing through the emails and picking out only the data which is about the subject.
Speaking directly with SC in a telephone interview, Matt Lock, director of sales engineers at Varonis, said that, “Achieving full GDPR compliance is a manageable and possible target. What I'd say companies need to focus on is breaking it down into smaller steps so it doesn't feel like such a Herculean feat.”
Lock added: “The GDPR will force companies to organise their data estate which has been operating for a long time. This change should hopefully ‘turn on the lights', giving visibility to issues in the company's day to day operational activities. This is starting to happen in companies I interact with, but some aren't quite there yet.”
In an emailed comment to SC, Greg Day, VP and CSO EMEA at Palo Alto Networks, remarked that both cyber-security and business leaders should be bold in their plans for the upcoming GDPR.
Day said: “This is one of the most significant events to happen in cyber-security history, and paves the way for security professionals to implement significant changes across their organisations. These new regulations will cover a range of industries and sectors – some of which may be more adaptive to innovation than others – and will present their own challenges.”
He added: “But we see this as an opportunity to embrace a completely new mindset and help drive an entire organisation towards a state of the art cyber-security outcome that's not simply a tick-box exercise in regulatory compliance but totally changes how effectively organisations prevent and mitigate cyber-attacks more successfully.”
Eduard Meelhuysen, head of EMEA at Bitglass, told SC in an emailed statement: “To make a company's IT infrastructure GDPR-compliant, the IT department should work closely with management to draw up a directory of procedures. The directory should summarise how customer, personal and company data is collected and handled. Personal data includes details such as an IP address, by means of which a customer can be identified. Similarly, businesses that utilise the cloud must identify all customer data that moves to and from the cloud, and figure out how it's protected once there. This will be things like content data that's transferred into email cloud applications, or traffic data that's moved by certain website analysis tools. This too should be put in the directory.”
Bertrand Liard, partner at global law firm White & Case, who heads up the Paris IP and IT group, told SC in an emailed statement: “With more and more companies going through digital transformation projects to remain competitive, data is seen as a key differentiator. Ensuring this data is stored, managed and analysed seamlessly, whilst complying with all the necessary regulations is a major focus and should mean this deadline won't come as a surprise.”