Analysis: The countdown to the implementation of General Data Protection Regulation has begun, and nobody seems to be ready.
The two-year countdown to the General Data Protection Regulation (GDPR) is underway, and the consensus seems to be that most companies haven’t got a clue how they’re going to approach it.
Research from Egress found that 87 percent of CIOs believe they would be exposed if the regulations came into force today, while research by YouGov for Netskope found that 80 percent of IT professionals in medium and large organisations were not confident of ensuring compliance by 25 May 2018.
It might seem a long time away, but Guy Bunker, SVP of Products at Clearswift, puts this two-year period in perspective.
"It’s 2 years away, but 2 years with any IT project is actually very short," he says. "Most businesses where they are running April to April will have already spent their budget for this year. So you are looking at preparing to spend budget on it next year."
The new EU legislation will replace the 1995 Data Protection Directive, but goes a lot further in its scope.
The big headline-grabber has been the draconian penalty that is attached to non-compliance: the maximum fine for a single breach is set at the greater of €20 million or 4 percent of annual global revenue.
In many ways, the size of the fine seems almost targeted to scare people into taking action.
"In the past, the barrier to doing something about this was cost; it was peanuts compared to their revenue," says Chris Talbott, senior product manager at Veritas.
"For example, US retailer Target having a major data breach was only $100 mn when all was said and done."
But before panicking too much, Bunker says: "those who go on about the fine haven’t read the regulations, because the goal is not to be fined."
What are the most salient points of the regulation? The first thing to know is whether it applies to you. It is not just for EU businesses, but also for companies that interact with the EU.
This includes non-EU businesses that target goods or services at EU residents or monitor the behaviour of EU residents.
If you are in this category, then it’s crucial to work out where you are not compliant.
One of the big changes will be the 72-hour breach notification requirement; GDPR will require businesses to report data breaches to the relevant Data Protection Authority within 72 hours of detection.
"For most businesses, radical changes to internal reporting structures will be needed in order to be able to meet this deadline," says law firm White & Case.
Bharat Mistry, cyber security consultant at Trend Micro, says that a "breach notification plan" will be needed and should involve not just IT, but also the HR, PR, marketing and leadership teams.
He recommends running fire drills to practise this.
Also of concern to many companies will be the ability of individuals to request information about how their data is being used or shared. This right has existed before, but now, as Jon Geater, CTO of Thales e-Security, points out, the information will have to be made available ‘where possible’ and ‘without undue delay’.
This is not just going to require planning for policy, but also technology.
"If you’re an organisation, the question is whether you have the technological ability to actually find all the information about an individual," says Talbott of Veritas.
Yves Le Roux, Technology Strategist for CA Technologies and Co-chair of the (ISC)2 EMEA Advisory Council, leads its Policy Group, a volunteer-led effort currently assessing readiness for GDPR. He says that companies need to design a privacy management strategy.
"Before developing a strategy, a company must perform a thorough ‘privacy audit’ to examine the adequacy of their existing privacy programme, where the flaws are, and the most cost-effective means of ensuring compliance," he says. "Every organisation has different risks and budget constraints and the strategy should be designed accordingly."
This process means not simply finding what data is held, but where it is held. Data used by your company could be held by third parties and suppliers, or in cloud applications, which shows the importance of achieving visibility.
Once you have that, securing the data is the obvious next step.
"Encryption and access control are common control standards, but managing encrypted data across multiple business processes is a hugely difficult task," says Neil Thacker, Deputy CISO, Forcepoint.
He says this means managing data flows, monitoring for data leakage and protecting against data theft from external agents.
The organisation should create a ‘privacy-protection environment’, which should be continuously reviewed and updated to keep up with developments such as new technology and personnel changes.
Companies that act as controllers, meaning companies that process personal data, will also have additional obligations.
Under Article 35, public authorities and companies which undertake "regular and systematic monitoring of data subjects on a large scale" or where large-scale processing of specific data is undertaken will have to appoint a data protection officer (DPO).
If this sounds like a grudging box-ticking exercise, it doesn’t need to be. Guy Bunker suggests that the process of achieving compliance with GDPR should be viewed as an opportunity for businesses.
He cites an oil company that found that when they were going through their PCI DSS audit, there were nearly 20 different places in the organisation where credit cards were stored.
"They have consolidated those applications now, so that if you want to store a credit card number you now tap into one of the four systems that do it rather than create your own," says Bunker.
"In doing this audit of what you’ve got and how you use it you might find that you can save money by consolidation."