The countdown to the EU Data Protection Regulation
The scope of the changes under the proposed shift to a single EU Data Protection Regulation, means that organisations should be doing the groundwork now to ensure they’re not playing catch-up with compliance when the Regulation comes into force. The new Regulation is designed to improve the protection and privacy of Personally Identifiable Information (PII) for every European citizen and will mean that the onus is firmly on businesses handling this information when it comes to data controls: from the location of sensitive data across the network, to governing access, storage and security.
Full application of the impending EU DPR is not expected until 2017 and there is still some debate around the details of the impending changes. However the prospect of hefty fines for data breaches – up to 2% of a company’s global annual turnover – and mandatory data breach notification are now providing added impetus for organisations to get their houses in order when it comes to the processes and technology governing the way that data is stored and managed.
More details will emerge as the process known as “trilogue” is underway; these are the negotiations between the European Commission, the European Parliament and the EU Council of Ministers (Council) over the Regulation’s final form. It’s important to stay informed on this progress, however organisations should not wait until these details are finalised before taking steps to prepare for the move to a single regulation.
As with any significant reforms to Regulation, planning well in advance of the changes will help to ensure that organisations are not only are equipped to meet the compliance challenges, but can also reassure their boards, stakeholders and customers that they have taken all reasonable measures to shore-up security practices across their networks. Here we outline key steps that organisations should take now to get a firm handle on their data management processes in the countdown to compliance.
Location, location, location
The first step may appear to be an obvious measure, but it is one of the most important – and often overlooked – aspects of data control. The fundamental first step is to know where your sensitive data is located.
This is not as straightforward as it sounds, thanks to the results of ‘data sprawl’ – a challenge that is symptomatic of our fast-changing, hybrid IT environments. There is more data held, across more data locations, and on more endpoint devices than ever before, from the multiplicity of personal devices, laptops, iPads and phones to USBs, virtual and cloud services such as Dropbox and Evernote. If we add to this the host of digital information that can be shared by chat, email and social media, the challenge of tracking data is further compounded. As new devices and systems are added, this challenge grows.
Taking a thorough audit of both internal and external IT services is a vital first step. Take measures to introduce processes for any gaps between audited devices and those that are unaccounted for, including processes for when staff leave or move location. From here, identify where any ‘unsecured’ data is being held and conduct regular sweeps across the network to get the full picture of PII data locations. The last thing you want to discover is sensitive credit card or social security information has made its way onto a laptop that you can’t account for.
A question of access
Closely associated with getting a handle on data sprawl, is understanding the access rights to sensitive data within your organisation. The exponential growth of data within organisations and changes to access rights can leave sensitive data unprotected, posing a considerable security risk to the organisation. Are there are departments or individuals – contractors or temporary staff – with permissions that have not been withdrawn or privileges that should be re-defined? The complexity of moves, adds and changes within an organisation can mean it is a significant challenge to have an overview of access and administration rights.
It’s therefore essential – and a fundamental part of good security practice – to implement processes and technology for managing access rights and to ensure that these are regularly audited to close any security gaps.
Data storage and jurisdiction
Managing data will come with a significant legal responsibility and each organisation is responsible for ensuring that it is stored and managed within the requirements of the EU DPR. This means assessing the legal risks of data storage and back-up, for anyone storing EU data, this means both EU and non-EU geographies.
This is because the movement of data belonging to EU citizens beyond the EU will also be impacted.
When the regulations come in to force, companies that provide cloud services within the EU and rely on data centres in the US will be contractually obliged to comply in accordance with the proposed changes. This presents major issues for companies such as Apple, Facebook, Google, Microsoft and Amazon. Each of these organisations operates data centres in Europe, and each is looking at fundamentally restructuring their data storage architecture and maybe even their corporate structures as a result of the impending Regulation.
Manage the security risks and map the response
Now that you have a profile of where the most significant risks are – the access rights of highly privileged users and the location of highly sensitive data – you can start to put together a crisis management plan based on the risk profile for each location.
Despite the impending changes to the EUDPR, incident response (IR) planning remains an area which is still overlooked by a sizeable number of organizations. In a study by Pierre Audoin Consultants with EU firms, while 86 percent of respondents feel they are prepared for a security breach, almost 40 percent of them do not even have an IR plan in place. And just 30 per cent of those with IR plans test and update them regularly. It suggests that whilst many organisations may think that they have robust security policies in place or are covered by an external IR services contract, they are not well drilled at responding to security incidents when they occur.
Whether ypu are using internal or out-sourced IR personnel, establishing an incident response plan is the first step, but these must be tested, and re-assessed regularly, based on the breach type, and its scope. When was the last time that these procedures were tested? Do employees from all departments know what to do just as they would when the fire alarm goes off?
Data protection policies
The countdown to the EU DPR also provides an opportunity to re-assess your internal data protection policies. Do you have clear policies established and enforced, which meet compliance requirements, and which ensure that everyone associated with data protection understands their rights and responsibilities?
Are the policies reviewed and up to date, have they been communicated to everyone that is involve with data collection, storage and security or has training been provided to close any gaps? This will be different for every business, so it needs to work in the context of each organisation.
The road to compliance involves significant preparation, however, taking steps to address these key areas now, means that when the new regulations is fully adopted, organisations are prepared, have defensible and clearly defined policies and processes for data protection and can minimise the impact of any breaches, should they occur.