As of today, businesses have just two years to become compliant to the EU General Data Protection Regulation (GDPR) or risk major fines. Businesses will need to take adequate measures to ensure the security of personal data, actively demonstrating that they comply with the GDPR and implement “privacy by design”.
Here are some of the comments Help Net Security received.
Jason Hart, CTO Data Protection at Gemalto
Calling for heightened encryption standards, frequent security testing, data breach notification requirements and fines for security failures, the new EU Data Protection Regulation will force businesses to take a closer look at their data security. Currently, UK businesses do not have to report when they have been breached and, as such, security is not high on the agenda. But, while the new law is now two years away from being fully implemented and enforced, boardrooms should be looking to incorporate the regulation’s important changes into their business strategy now. Any issues around the time or cost it takes to implement security protection should be put to bed.
Installing technologies, such as encryption and two-factor authentication, has never been easier, and is becoming the standard expected by businesses and consumers.
Regardless of whether the UK votes to leave the EU in June, British companies will still need to observe these regulations when dealing with companies based in EU countries. The next two years will pass quickly and, if these protocols are in place sooner, companies are more likely to avoid being caught out and becoming another high-profile victim dominating the news for the wrong reasons.
Deema Freij, Global Privacy Officer, Intralinks
Businesses operating in Europe now have two years in which to examine and fundamentally change the way they store and share data or risk contravening the new regulations. According to research we carried out with Ovum recently, two thirds of global companies will review their business strategies in Europe in light of the GDPR, and more than half of businesses (52%) expect to be fined due to breaches of regulations.
The upcoming referendum on EU membership offers an additional twist. Should the country vote for Brexit, it’s worth considering how a UK government disconnected from the EU would re-evaluate its data protection law without the GDPR or any other European directive to guide it.
If the UK were to leave the EU, it would be some time before global and UK companies would know what to do around the issue of data transfer. Any practical guidance would be unlikely to arrive immediately and, during that time, many companies could be unknowingly operating against the law, leaving them with a number of critical legal issues, and increasing the risk of data breaches.
Dave Allen, SVP & General Counsel, Dyn
As the EU General Data Protection Regulation (GDPR) comes into effect, businesses will need to take a hard look at their current methods of sharing and storing data. While some Internet companies have begun to address new challenges at the fixed locations where data is stored – this alone will not necessarily be enough to ensure compliance.
Those companies focusing solely on data residency may well fall victim to a false sense of confidence that sufficient steps have been taken to address these myriad regulations outlined in the GDPR. As the GDPR will hold businesses accountable for their data practices, businesses must recognise that the actual paths data travels are also a key factor to consider. In many ways, the constraints which come with the cross-border routing of data across several sovereign states mean these paths pose a more complex problem to solve.
Although no silver bullet exists for compliance with the emerging regulations which govern data flows, businesses which rely on the global Internet to serve their customers should be seriously considering visibility into routing paths along both the open Internet and private networks. As we enter an era of emerging geographic restrictions, businesses with access to traffic patterns in real time, in addition to geo-location information, will find themselves in a much stronger position to tackle the challenges posed by the GDPR.
Jon Geater, CTO, Thales e-Security
The GDPR will place an even greater onus on organisations to safeguard the personal data they hold from attacks. Companies will now have an even greater obligation to protect the personal information entrusted to them, no matter how it’s processed. The new rules also make clear another important factor that we should already have known: that you can outsource your risk, but you can’t outsource your responsibility. If organisations use a third party provider to store and manage data – such as a cloud provider, for example – they are still responsible its protection and must demonstrate exactly how the data is protected in the remote system. Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.
In addition, organisations will now have to provide citizens with online access to any their own personal data they store. While the Data Protection Act traditionally allowed anyone to request access to this data, with GDPR in effect organisations must make this available for download ‘where possible’ and ‘without undue delay’. This is a very significant change and securing this access will represent a significant challenge to many organisations – especially while still complying with the new tighter rules – and will require robust cybersecurity technology across the board.
Kate Lewis, Head of Data Strategy at GBG
To date, organisations processing personal data of EU residents have had to deal with a patchwork of the 28 different national data protection laws. The GDPR, however, will bring much needed clarity to the data market. Individuals need to be clearly informed around how their data will be used, and this is especially true in today’s threat landscape. Every week we are faced with yet another news story about a high profile company experiencing a data breach in which sensitive and valuable customer information has been leaked onto the internet. Nowadays, businesses need to be using the data available to them intelligently to help protect their customers.
This protection of individuals is at the heart of the EU GDPR, with a number of principles focused on the processing and maintenance of personal data stored within organisations. Of course, complying with these new regulations will not be without its challenges. Whilst for some companies it will be a change in mind-set from seeing compliance as a tick box requirement, others will need to take stock of all the customer data held within the business and decide which data to keep or get rid of. Businesses that take action now will find themselves in a much more advantageous position come 2018. Two years may seem like a long time, but it will pass us by faster than we know.
David Mount, Director, Security Solutions Consulting EMEA, Micro Focus
The GDPR, which becomes law today, is set to have an enormous impact on organisations operating in the EU. Companies now have two years to comply with the legislation so it will be interesting to see where they go from here. What’s clear is that they need to take action now to ensure they understand the data they hold and how they use it. Businesses should limit access to data to only those who need it and ensure good data hygiene by keeping authentication practices up to date. Historic data could pose an unnecessary risk, so it may also be worth deleting this to lower the potential impact of any security breaches.
The next two years will see some technical and judicial challenges for companies in the EU, so it’s important that they start to educate themselves now about the steps they should take to ensure compliance. For the consumer, now accustomed to hearing about breaches in the news on a daily basis, the impact of the measure remains to be seen. We’ll start to see the consumer perception of data protection and privacy develop over the next two years, and it will soon become clear whether or not the GDPR has the desired effect in Europe.