The urgent need for a revamp of the laws that govern the handling of personal data was highlighted once again in a special report published in June 2015 by the European Commission. The Eurobarometer survey indicates that trust in digital is low, with more than two thirds (67 percent) of Europeans worried that they have no control over their online information, while six out of ten don't trust online businesses (63 percent).
High profile data breaches that leave customers' details exposed – such as the TalkTalk breach in November 2015, when hackers broke into systems to steal the personal and bank account data of 157,000 customers – have made individuals acutely aware of the potential risks of sharing their information. They are also more conscious of the extent to which websites, online services and social media are 'invisibly' collecting personal data.
If the full economic and social benefits of developments such as cloud services and the Internet of Things are to be realised, consumers' perception that doing business digitally is inherently risky needs to change.
The new European General Data Protection Regulation (GDPR) will replace the current 1995 EU Data Protection Directive, with the aim of plugging the trust gap by modernising the legislation that safeguards personal data within the EU. It will make protection levels more stringent and consistent across member states, superseding fragmented national laws and standardising the way the regulations are implemented, audited and enforced. The GDPR is causing great concern for businesses, with 50 percent of global companies saying they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate.
It is important for organisations to start preparing now – determining the risks to be managed, understanding what data they have, what needs to be protected and starting to secure it, putting resources and policies in place before it becomes law in 2018. The full details of the regulation are still emerging, but currently there are four main areas of reform that will have a substantial impact on businesses that create or handle the personal data of EU citizens.
1) 'Personal data': increasing in scope
Under the new regulations, the definition of 'personal data' is expected to broaden, bringing additional in-scope information into the regulated perimeter.
Before adequate governance and security controls can be put in place, organisations first need to identify what data they have, where it is stored and how it is being used. Data classification is critical in achieving a greater knowledge of the data that you hold, and the first step to a truly data-centric approach to protecting personal information.
2) You've been breached: Disclosure and reporting
Organisations will be required to notify their national data protection authority and affected individuals within 72 hours of a breach occurring. The breaches that must be reported are those which are “likely to result in a high risk for the rights and freedoms of individuals”, including identity theft or fraud, and financial loss – risks present in most data breaches.
Currently, many breaches are not identified until long after the event: according to the Ponemon Cost of Data Breach Study (2015), malicious attacks take an average of 256 days to identify, while data breaches caused by human error go unnoticed for an average of 158 days. Organisations need greater visibility of the data they gather and hold, and of how it is accessed and used, so that they can quickly discover and retrieve sensitive personal information.
Meeting the 72-hour deadline means setting up processes and systems for communicating with customers and remediating problems. If data has been classified, the discovery of affected data is much quicker and easier; furthermore, monitoring and reporting tools may enable the organisation to identify potentially risky user behaviour before a breach occurs, mitigating the insider threat.
3) The 'Right to be forgotten' is back
If there are no legitimate grounds for retaining an individual's data it must be deleted. This means it must be accurately classified, indexed and stored, making it easy to retrieve so that its status can be updated.
4) A bigger stick: Greater penalties and fines
The current maximum fine for misuse or mishandling of personal data is half a million Euros. It is rarely levied, and has not proved enough of a 'stick' to motivate organisations to comply with the regulations; for most major multinationals it represents a drop in the ocean, which has made cutting corners on compliance to save time or money a risk worth taking.
Under the GDPR, businesses can be fined up to four percent of annual global turnover, or €100 million (whichever is higher), for violating the new regulations. This is a significant change that will escalate data protection to a regular boardroom issue. The cost of non-compliance will also be assessed in terms of reputation loss and damage to the brand, while the regular and periodic data protection audits recommended in the regulations will make it more likely that incidences of non-compliance are picked up.
While this may sound like a significant burden to businesses, organisations maintaining PCI DSS compliance have already invested in security technologies and solutions such as modern encryption, audit and logging, and rights management, which can be leveraged and extended once the 'personal data' to be protected has been correctly identified.
Taking the initiative now to review the way your company collects, classifies, stores and shares data, with these new data protection regulations in mind, will enable you to ensure ongoing compliance and avoid devastating fines and reputational damage in the future.
Contributed by James Walker, UK MD, JAW Consulting UK