In April, the General Data Protection Regulation (GDPR) was finally put into action after four years of debate. It will replace the hodgepodge of data protection regulatory authorities with rules that unify data protection laws throughout the EU. At the beginning of the summer, it seemed as if everything was in place. But then the UK voted to leave the EU, making the UK responsible for implementing its own data protection regulations.
In a recent Information Commissioner's Office (ICO) newsletter, UK information commissioner Elizabeth Denham stated that, “The result of the EU referendum and its impact on data protection reforms will undoubtedly create uncertainty, as any period of flux does. It's clear to me though that the UK is well equipped to navigate the changes ahead successfully.”
As we get further away from the referendum vote, uncertainty remains, but it's important to prepare for the known challenges ahead. With GDPR impacting the UK, despite the Brexit vote, here is what you need to know about the regulation:
How will this impact businesses?
With the rules so wide-ranging, there is no all-encompassing framework to follow that guarantees alignment with the regulations, and many UK businesses still have no idea how the changes will apply to them. However, one thing is clear: keeping up to date with changing data protection regulation is likely to be a financial burden and will require more than investment in any single technology.
Start with Risk Evaluation
As a first step to GDPR compliance, organisations should go through a risk management assessment that identifies key processes and assets, evaluates vulnerabilities and potential threats, and sets priorities moving forward. All areas of the business should be evaluated, and technologies and strategies to mitigate the identified risks should be selected.
Personal Information Compliance
Any business that handles personal data will have to seek permission from customers, staff and suppliers for the way their information is handled. This process will apply both to data gathered after the implementation of the regulation and – crucially – to data that's already been collected. Businesses will need to prepare all existing data to be audited for compliance with the new standard, and ensure that proper consent can be proven to the ICO if needed.
Right to be forgotten
Businesses handling information about EU citizens will have to erase data “without undue delay” if a request is submitted, data was unlawfully processed or they're required to do so by law. However, with the volume and complexity of data growing, it is going to be hard for organisations to implement systems that will enable them to identify and erase this data on request.
Disclosure in Days
Under the new regulations, organisations have 72 hours to notify the Data Protection Agency (DPA) – and anyone else affected – of a data breach. In practice, however, many breaches go unnoticed until months later, when the attackers publish the details of millions of users. To combat this, organisations will need not only technology in place that can detect the breach, but also crisis management processes for disclosure.
Consequences – more than just reputation
GDPR has also put penalties in place for companies that are impacted by a data breach. Organisations will be penalised up to four percent of global turnover, depending on the seriousness of the breach. Many organisations would be hard pressed to pay such fines, so those governed by GDPR need to assess their potential liability carefully.
Training & Technology – a winning combination
If all this sounds worrying, you are not alone; many IT professionals in the UK are not yet fully prepared for the GDPR. The good news is that your organisation can still get ready in time: businesses have until 2018 to become compliant. Implementing the right technology can make all the difference: encryption, managed file transfer, analytics, perimeter security and so on.
However, technology is only a piece of the puzzle. Training will be essential to ensure staff understand what's expected of them, how to respond and how to handle data.
While there is currently political and economic uncertainty around Brexit and what it means for many, one thing is for sure: stronger data protection regulation in the UK is essential for us to remain digitally competitive in a global data landscape. But until the dust settles and new regulations are established, businesses should prepare for GDPR compliance in the best way they can.
Contributed by Michael Hack, SVP EMEA operations, Ipswitch