Large enterprises falling foul of data breaches has become alarmingly routine, all around the world. The sheer amount of media coverage surrounding events like the TalkTalk hacking scandal reflects the public concern over the security of these companies. And rightly so; the TalkTalk data breach alone put the personal information of four million customers (addresses, credit card details and account information) at risk of landing in the hands of hackers. UK consumers aren't the only ones who have taken notice, however. The EU has taken the initiative to ensure these massive data breaches don't become a frequent occurrence, and has put a larger burden than ever on the organisations who hold our private data in their systems.
The European General Data Protection Regulation (GDPR) was formally adopted in April 2016, and it is expected to have a tremendous impact across the European Union, and beyond, when it comes into full effect in May 2018. It represents the most significant change, by far, to data protection in the EU since 1995. The GDPR replaces the existing Data Protection Directive, which was created to regulate the processing of personal data within the EU and forms part of EU privacy and human rights law, and brings that framework up to date for the way data is collected and moved today.
So why should UK businesses continue to pay attention and align to the EU GDPR?
The new regulation applies to every organisation established in the EU, regardless of where its head office is located, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. This means that, post Brexit, UK-based businesses that serve EU customers will still fall within its scope, and are urged to become familiar with the new rules before they come into effect. The vote to leave the EU does not change this.
The most obvious change is that it will increase the penalties and fines associated with non-compliance and with suffering a data breach. Administrative fines are set in two tiers according to the nature of the infringement: up to two percent of annual global turnover (or €10 million, whichever is higher) for the lower tier, and up to four percent (or €20 million, whichever is higher) for the most serious breaches, such as violating the basic principles of processing or the rights of data subjects. The significantly increased fines alone will bring the headline-grabbing figures usually seen in the US. Had last year's TalkTalk data breach occurred under the GDPR, the company's fines could have amounted to as much as £90 million.
The regulation also includes a breach notification clause: a company that falls victim to a personal data breach must notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the individuals affected, those individuals must be told as well, which in practice makes the breach public. This will likely result in companies facing irreparable reputational damage, decreased share values, eroded client trust, reduced employee allegiance and loss of business to competitors, adding a tremendous impact on top of the costs already faced by companies who have been the target of a data breach.
Although the GDPR gives some leeway to small and medium-sized enterprises (SMEs) deemed to pose a smaller risk to the privacy of citizens (for example, the obligation to keep formal records of processing activities is relaxed for organisations with fewer than 250 employees whose processing is not likely to result in a risk to individuals), even "one-man bands" will be expected to comply with the regulation. They must manage their data just as closely as their larger counterparts, avoid introducing unnecessary privacy risks and consider the risks their business practices pose to the privacy of their customers.
With the regulation adopted in April and a two-year window allotted to companies to achieve compliance, time is already beginning to run out. Given the complexity of aligning, organisations should take a proactive approach sooner rather than later. To avoid facing heavy fines, or worse, being publicly named as untrustworthy, businesses need to ensure they remain in control of their systems and prevent the threat of a data breach.
Contributed by Lewis Henderson, director, client engagement, Glasswall Solutions