Moving towards compliance: GDPR issues and challenges


In this podcast, Mike McCandless, VP of Sales and Marketing for Apricorn, and Jon Fielding, Managing Director for Apricorn EMEA, discuss the European Union General Data Protection Regulation, otherwise known as GDPR, and look at some of the issues and challenges organizations will likely face whilst moving towards compliance.

If you’re at Infosecurity Europe 2017 in London this week, you can visit Apricorn at stand T-74.

Here’s a transcript of the podcast for your convenience.

Mike: Hello and welcome! My name is Mike McCandless, I’m the Vice President of Sales and Marketing for Apricorn. Apricorn provides the broadest family of secure USB storage devices. Our family of software-free, hardware-encrypted devices has become the standard in data security in the areas of finance, healthcare, education and government. With our US headquarters in California and our EMEA office in the UK, Apricorn products have become the standard for a myriad of data security strategies worldwide. Founded in 1983, numerous award-winning products have been developed under the Apricorn brand, as well as for a number of leading computer manufacturers on an OEM basis.

Jon: Hello from myself! My name is Jon Fielding, I’m the Managing Director for Apricorn EMEA. And in today’s podcast we’re going to be looking at the European Union General Data Protection Regulation, otherwise known as GDPR, and discuss some of the issues and challenges organizations will likely face whilst moving towards compliance.

Mike: So Jon, with less than a year to go before GDPR takes effect, you must be having a lot of conversations with clients on what to expect and how to prepare for GDPR. How do you feel our customers think GDPR is going to impact their business?

Jon: Well, yeah, as you’d expect I’m having a number of conversations across the verticals and organizations side. But maybe we should take a bit of time to set the background as to what GDPR is and where it’s come from. So GDPR in essence is a set of articles, 99 in total, written by the European Union, which will harmonize the European data privacy laws and data protection laws across Europe. The compliance date, or the date by which companies need to be compliant, is May 25th, 2018. What I am finding is a lot of companies don’t realize that’s the date they need to be compliant rather than the date they need to start building compliance. So, the GDPR puts a lot more power in the hands of the European citizen. And the real aim of GDPR is to protect that individual’s data. So a lot of companies need to prove that they’ve taken a responsible and pragmatic approach to protecting that data, and are only collecting the data they should be for those individuals. And the individuals themselves have various rights in terms of being completely deleted from systems or requesting their data to be provided to them in a format they can take elsewhere. And I think the most alarming feature for companies that aren’t aware of GDPR at the moment is the fact that the fining system is much larger than would normally be expected under the current data protection acts.

Mike: Well, needless to say, GDPR is going to bring a number of challenges to companies, and companies not in compliance by May 2018 will face brutal fines of up to 4% of their annual revenue. Do you think senior executives of large companies are all aware of the forthcoming GDPR regulation?

Jon: Well, in all honesty I would say no. You know, we conducted our own survey and we found that of the active directors that we surveyed, only 25% were aware of GDPR and what it meant, and of those, only 17% have a plan to make themselves compliant with the legislation. So, there are a lot of companies that might have heard of GDPR, might have heard of the date of May 25th 2018 by which they need to be compliant, but that’s the important thing. They need to be compliant by that date, rather than start to become compliant at that date.

Mike: Well, and it’s not just the European companies that need to take note either. All organizations within the European Union or outside of it need to ensure the personal data of the European citizens is secured.

Jon: Well that’s absolutely right. As I said before, one of the main tenets of GDPR is to make sure that EU citizen data is protected, irrespective of where it’s held. So if there’s an American company or a Chinese company or a Singaporean company processing EU citizen data, then they will be held to account against the legislation.

Mike: The GDPR provides an opportunity for companies to retool and transform their data and cybersecurity approach. Not surprisingly, our research also found that mobile working is a major cause of data breaches. And so this is a scenario that we recommend companies look at in line with GDPR planning. We found that around a third of the organizations we spoke to have experienced either a data loss or a breach as a result of mobile working. A significant portion, a sizeable 44%, of the companies we spoke with expect that mobile workers will expose the organization to the risk of a data breach.

Jon: So, mobile workers have been around for many years. So what risk do you think that presents?

Mike: Well, once again, our research shows that mobile working is a major problem and companies are still uncertain on how to enforce adequate security policies. Mobile working extends the boundary of the corporate network, compounding the problem, and 53% of the companies surveyed said that managing all of the technologies and employees’ needs for mobile working is just too complex, while 35% complained that the technology for secure mobile working is just too expensive.

Jon: Okay, so I guess we both agree that it’s important to have a security strategy in place that covers removable media like USB drives. What would you say the risks would be if a company didn’t have that in place?

Mike: Removable devices such as compact flash pose a huge risk to business. Not only because they’re easy to lose or steal, but also in terms of the malware they can introduce into the networks. So roughly a quarter, or 23% of the surveyed organizations admit they have no way of enforcing relevant security strategies they have in place. Which is almost as risky as having no policy whatsoever.

Jon: Okay, so with that in mind, what would you suggest as the best way of addressing this?

Mike: Well, encryption is recognized as the most viable option for organizations to protect valuable data outside the corporate network. However, only one third of the IT directors we surveyed said they enforce hardware or software encryption of their data. And 12% did not have any policy at all in regard to encryption of data taken away from the office. So, while many organizations recognize the security problems associated with mobile working, sometimes it’s down to a lack of adequate training or not providing the right tools. So over half, actually 57% of the respondents, agreed that while mobile workers are willing to comply with the security measures, they often don’t have the necessary skills or technology to keep the data safe.

Jon: So now we have GDPR looming on the horizon with less than 12 months to go before companies need to be compliant. And so many European organizations will be looking to solve their various challenges in reaching compliance against the regulations. As you said before, GDPR has a wide-ranging set of rules that cover many different aspects. But where the real pain will be felt is at the point of a breach, and this is really where Apricorn can help with its various USB devices and hard drives that provide encryption capabilities.


Of the 99 articles written for GDPR, very few actually specify a technology or a route to compliance. However, Article 32 does specifically talk about the need for encryption. Apricorn’s hardware encrypted devices, which have various independent certifications and where the authentication of the encryption takes place on the device, absolutely fit this part of the regulation. So I always welcome the chance to talk with anybody further about how we can help with GDPR strategy and compliance. We will be at Infosecurity Europe, being held at Olympia in London from June the 6th to June 8th. We will be on stand T74, please feel free to come by and talk to us in more detail.

Mike: Or feel free to visit our website at for more information.