Confusion reigns around data protection requirements

Confusion reigns among UK businesses around data protection requirements, according to Delphix. From June 2018, any business that offers goods and services to the EU or monitors the behaviour of EU citizens will be subject to the General Data Protection Regulation (GDPR). However, 21 per cent of UK business have no understanding of the impending GDPR being introduced.

A further 42 per cent in the UK have looked into some aspects of the GDPR but not into the psuedonymisation tools that the legislation recommends. Approximately, one in five of those that have studied the psuedonymisation requirements in the GDPR admit that they are having trouble understanding it.

GDPR confusion

“Following the results of the EU referendum, there is confusion about whether the GDPR is still compliant. It’s important to remember the UK’s exit from the EU won’t happen overnight. In the immediate future, the UK will be subject to the same data protection regime as the rest of the EU. In the long-term the UK will still need to prove adequacy and adopt similar data protection standards to continue trading securely within Europe. As a result, organisations need to focus on getting their GDPR preparations underway,” explained Iain Chidgey, VP International at Delphix.

Pseudonymisation

“The GDPR defines pseudonymisation as the process of ensuring data is held in a format that does not directly identify a specific individual without the use of additional information. To address the challenges of a digital age and limit the risk to individuals that have their data breached, the GDPR incentivises organisations to pseudonymise their data at several different points.”

France currently has the best understanding of psuedonymisation in the GDPR with 38 per cent of respondents claiming they fully understand psuedonymisation requirements compared to 21 per cent in Germany. However, confusion still reigns in Germany with 40 per cent revealing that they have studied psuedonymisation requirements in the GDPR but are also having trouble understanding it.

The benefits of data masking

“When it comes to protecting personal information, data masking and hashing represent the de facto standard for achieving pseudonymisation,” continued Iain Chidgey. “Take the unprotected personal information that is often freely available in the non-production environments that are used for software development, testing, training, reporting and analytics. By replacing this sensitive data with fictitious yet realistic data, businesses can neutralise data risk while preserving its value. Data masking irreversibly transforms sensitive data to eliminate risk and allows organisations to demonstrate compliance with the pseudonymisation requirements in the GDPR.”

Currently, just a quarter of data in the UK and Germany is masked, compared to a third in France. Respondents in the UK claimed that the biggest challenges to data masking is that data is sprawled throughout the organisation with little central control (32 per cent) and it takes too long and delays projects (42 per cent). A further 26 per cent in France and Germany also claimed that data masking tools are prohibitively expensive. As a result of the new legislation, nearly half of data in the UK and Germany will be masked by 2018 (48 per cent and 47 per cent respectively). In France, this figure will be even higher, rising to 60 per cent.

Improving the availability of secure data

On a scale of one to five, one being very important and five not being very important, 67 per cent of businesses in the UK ranked the reduced likelihood of fines for non-compliance as one of the biggest benefits of pseudonymisation. A further 64 per cent claim it will reduce the risk to their brand in the event of data breach with 57 per cent believing that it will enable teams to identify, audit and report on data.

However, as organisations secure data through pseudonymisation, it will create opportunities for the business, improving the availability of secure data that can be used to accelerate IT initiatives and support innovation. Reflecting this, the biggest benefits of pseydonymisation in France and Germany are expected to be accelerating IT and business processes that depend on access to secure data (57 per cent and 48 per cent respectively) and reducing the risk to the organisation’s brand in the case of a data breach (57 per cent and 49 per cent respectively). A further 54 per cent in France and 44 per cent in Germany also claimed that it would reduce the amount of time and money invested in data protection initiatives.

“When it comes to data protection, we can be certain that regulation both inside and outside of the UK will continue to get tighter and the fines will continue to get bigger. For many organisations, the GDPR will not only force them to ensure compliance and reduce the risk of a data breach, but it will also help to usher in a new wave of IT innovation,” stated Iain Chidgey. “As organisations look at how they store, manage and secure data as part of compliance demands there is also an opportunity to think about how data can be better used. Embracing new technologies, including those that combine data virtualisation with data masking, ensures that organisations can pseudonymise data once and guarantee that all subsequent copies have the same protective policies applied. This will future proof the business from costly data breaches and ensure compliance while improving agility and time-to-market.

Responsibility for data protection

The survey also revealed that responsibility for data protection will sit firmly within the C-suite, but few organisations have appointed a chief data officer or a chief privacy officer. In the UK, 52 per cent listed the CISO or head of IT security as responsible. A further 18 per cent cited the chief data officer or data protection officer followed by the CEO or CIO (17 per cent).

Over a third (35 per cent) of French respondents said that responsibility for data protection primarily sits a chief data protection officer, 25 per cent named the CISO and head of IT security and 23 per cent named the CEO or CIO. In Germany, nearly half (44 per cent) said that the CISO or head of IT security was responsible for data protection, followed by the CEO or CIO (30 per cent) and the chief data officer or data protection officer (18 per cent).

The lack of consistency regarding who is responsible for data highlights the need for organisations to take the appropriate steps to regain control over data governance, by introducing tools that drive standardisation and privacy by design.