If you are not yet aware of the General Data Protection Regulation (GDPR), and you handle personal data in your business, then you need to get up to speed pretty quickly. The GDPR is one of the important and far reaching pieces of EU legislation in recent times. And before you Brexiteers think that the UK will be exempt once it leaves the EU, think again, because the government has just announced that the GDPR will apply to the UK. This is necessary because UK businesses handling EU citizens’ data will still be in scope wherever they are located and also because the UK wants to facilitate its technology sector to be able to continue to sell into the EU in the future. Plus we will still be in Europe when it comes into force!
The GDPR shifts the goalposts for businesses because it represents a fundamental change to the risks associated with data protection and with the consequences of a data breach. The current legislation dates back 20 years, to an EU Data Protection Directive in 1995, before the widespread adoption of the internet or the need for security management services, and certainly before such companies as Google, Facebook and Twitter were created. The GDPR was agreed in May 2016 and will apply in all EU states only from 25 May 2018. But decisions need to be made now to ensure that businesses are able to comply with the Regulation by that date.
The Regulation concerns the protection of personal data or, or relating to, identified or identifiable EU citizens, including names, ID number, location data, contact data and online identity. It applies equally to data processed inside the EU or outside the EU if it relates to EU citizens. The new regulation, and indeed the existing Directive only allow transfer of data to third countries that demonstrate equivalent data protection laws, which does not currently include the US, except where the data subject has provided informed consent. An interim Safe Harbor agreement with the US was struck down by the EU Court of Justice in October 2015 and its replacement, the EU/US Privacy Shield has not yet been formally adopted.
The consequences of non-compliance with the Regulation are one of two game changing aspects to it. The maximum financial penalty for non-compliance will be 4% of annual revenue or €20 million, whichever is the higher. This is a pretty stiff level of potential fines and it is not yet known how the fines will be calculated. The other game changer is the introduction of mandatory notifications that force the disclosure of data breaches to the relevant national data protection authority and also possibly to consumers as well.
These two changes in particular will force the issue of data protection way up the risk agenda of every CEO and CIO. They will want to know as soon as a breach has taken place in order to ensure that they meet the compliance aspects of the Regulation. They will also, of course, want to take action to if possible prevent or, in any case, to limit the scale of any breach. This is where threat detection and remediation software, such as ThreatSpike, will be vital to compliance with the GDPR and mitigation of the massive risk associated with it.
The May 2018 deadline looks a long way away from here, but it really is not. To have the best chance of stopping a breach it is necessary to take remedial action now, so that vulnerabilities are identified and fixed and the insider threat is negated well ahead of the deadline. CEOs will also want to know now if a breach has already taken place, so that it is not reported later, when the new regime has come into force.
Head of Cyber Security