Businesses across Europe take note: the terms of the European Union’s General Data Protection Regulation (GDPR) have been announced, and they spell the end of an era for companies that play fast and loose with sensitive customer data. As it stands, the current system offers few repercussions for companies that fail to keep personal information safe. It is also difficult to keep track of the different national rules that apply from country to country and the fines that go with them. As a result, data breaches, even those affecting millions of individuals, can go unreported to the authorities.
However, this is going to change. The GDPR will force companies to scrutinise how they process and handle customer data, with mandatory reporting of breaches ‘that are likely to harm individuals’ and potential fines of up to 4% of global annual turnover. In an age where many industry experts consider the loss of data an inevitability, European CIOs should be just as worried about staying on the right side of the law as they are about protecting customer data; they will now face the same scrutiny as public sector organisations and be liable for very large fines for any wrongdoing.
The complexity challenge
So what has prompted this change? The current framework, based on the EU’s 1995 Data Protection Directive, has created a patchwork in which each member state transposes the directive into its own national law and enforces it separately. This makes it difficult for organisations to know how to manage the data under their control, and easier for them to avoid the penalties for mishandling it.
In today’s global economy this is particularly worrying: trade across the EU accounts for around one-fifth of global exports and imports. With potential customers in any number of European countries and a web of different national regulations to navigate, the status quo that organisations face is clearly a cause for concern.
Indeed, it is not just businesses that would welcome a change. An EU survey found that 90 per cent of Europeans would prefer a single set of data protection laws across the EU, while 72 per cent feel they are not in control of their data. That this lack of trust can hold back the digital economy underlines the need to reform the existing framework for data protection.
What is changing?
To address these issues, the GDPR will introduce a single standard for data protection across the EU, designed to make it harder for organisations to exploit a confusing framework in order to avoid financial penalties. Key areas for organisations include:
– Mandatory breach notification: should an organisation suffer a breach that compromises personal data, it will have 72 hours from becoming aware of it to report it to the relevant supervisory authority (the Information Commissioner’s Office in the UK). Reporting will be simpler, however, as organisations will only need to report a breach (and face the financial repercussions) once, to a lead authority, rather than separately in each of the nations concerned.
– Financial penalties: importantly, the most serious infringements will attract a fine of up to €20 million or four per cent of the company’s worldwide annual turnover, whichever is higher. Any protective measures applied to the information (encryption, for example) will be taken into consideration and could reduce the fine levied; data that was properly encrypted when it was lost also need not be notified to the individuals affected.
– A single set of rules: rather than 28 different national standards for data management, the GDPR introduces a single set of regulations covering the EU as a whole, intended to reduce the substantial compliance and reporting costs that characterise the current framework.
– Putting the data subject’s rights first: ‘privacy by design’ is one of the EU’s mantras here. Businesses that collect personal data must now obtain clear consent for it rather than assuming consent, and individuals will be able to withdraw that consent and ask for their data to be erased at any point, under the EU’s well-publicised ‘right to be forgotten’.
Better protection for citizens and business alike
Any change in regulation brings its own challenges in the initial phase, but organisations should not let this cloud their vision. By requiring a breached organisation to demonstrate that appropriate technical and organisational measures were in place, the GDPR should ultimately encourage better data protection practice across the board. It is therefore vital that organisations across the continent re-evaluate their existing approach to data protection now, so that they can adapt smoothly to the new regulations and are ready should the worst-case scenario occur.
Lastly, to avoid the sizeable penalties mentioned above, organisations must also ensure that their staff are aware of, and prepared to guard against, the risk of data breaches. According to ICO statistics, 93 per cent of data breaches are still down to human error. To avoid the reputational and financial consequences, businesses have to start planning and implementing the right processes, training and technologies now to protect the entire lifecycle of their customers’ data, so that they are prepared for the day the regulation is enforced.
Previous breaches show that human error is the most common and, largely, the most damaging cause, and these are the errors that, until now, some organisations have not had to confess to. The weakest link in the chain is the workforce, and even with the best technology and the best will in the world, changing habits and getting user buy-in takes time, so it is important to start now. Matching security policy with user training and education, alongside smart, intuitive technology, is the only way forward.