EU GDPR – should you worry?
First thing first, the answer should not be anything less than a resounding “YES”. You don’t need more reasoning: There is more than 50% chance that the IT department of your organization is miserably unprepared for the proposed EU General Data Protection Regulation (GDPR). Frankly, with no noteworthy changes in data loss prevention regulation, enterprises in the European Union have been on a honeymoon since 1995. Like all good things, this phase will come to an end, and soon! There is no wishing away the imminent reality.
The planned regulation, aimed at uniting and simplifying data security encompassing 28 EU economies, will compel companies to strengthen storage and management of sensitive personal information. The developments surrounding the new law should be of more help for organizations than otherwise, especially with the emergence of super cookies and hackers taking control of accounts having significant bearing on civilian lives and national and global security. However, unlike government authorities who can shrug things off by calling potentially debilitating attack a “prank” or “cyber-vandalism,” organizations would be slapped penalties of €100 million or five percent of worldwide turnover, whichever is higher.
In an online survey among 316 UK, France and German IT managers, Ipswitchft found 56% don’t know what ‘GDPR’ stands for while 52% not is ready for the regulation even as 35% was unsure if their IT infrastructure was up to the mark to meet GDPR and 64% had no idea about the effective due date for the regulation. Another survey conducted by IDG Connect and FireEye among 260 companies from the same countries reveals that only 20% are completely prepared for the GDPR and 9% of companies have no strategy for the regulation. These numbers, combined with the business-threatening non-compliance consequences, show that there is every reason to be worry.
By making adherence mandatory – since it’s a Regulation, and not a Directive – the GDPR disallows the luxury of interpretation and implementation by individual governments. Also, as non-European companies operating within the EU would now fall within its purview, non-compliance would be punished with similar severity. Arming individuals with non-complicated compensation claim procedures and making explicit consent mandatory for data collection, the regulation makes it compulsory for companies to revisit their data security practices and policies. And worrisome it is indeed that bulk of the EU enterprises would have to take a fresh guard.
During update of the legislation during 2011 and 2012, it was anticipated to come in to effect by end 2014 or beginning of this year. However, differences between the European Parliament and the member states are likely to push the enforcement beyond 2015. German Green MEP and European Parliament’s rapporteur on the GDPR Jan Philipp Albrecht said parliament and council are “heading in two different directions” and reaching “a compromise before the end of the year” is unlikely. The UK, France and Germany are holding up the reforms, while the delay in acceptance of the new rules is viewed as “bad for democracy” as it was leaving European citizens exposed to snooping from foreign and European security services and companies.
As companies falling within the purview, despite deriding the delay in public, the dragging on of the regulation is tempting to be secretly happy about. However, mature organizations would take advantage by setting things right in the meanwhile and get prepared to gain competitive advantage by turning compliance in to a business broadening exercise. Embracing appropriate data management practices could significantly prevent post-breach reputational damage and increase profitability. By 2020, the value of European citizens’ personal data could grow to nearly €1 trillion annually. Therefore, “Strengthening Europe’s high standards of data protection is a business opportunity” says a EU press release.
Startups should leverage the opportunity afforded by new digital technologies and should set out to sustain business continuity after addressing their information security posture as quickly as possible. Organizations with a high data security management capability should initiate an objective assessment of their policies and procedures with a time frame of about six months, and should use the next six months to remedy the flaws. Done diligently, one year could just be enough, and preparation to meet GDPR could actually end up being an enabler of growth.
Risk Management Studio is a risk management toolkit combining information security and technology risk management with business continuity planning for one easy to use solution. RM Studio is a turnkey deployment design that will immediately streamline the operational risk management for the implementation and maintenance of an effective and efficient ISMS, as well as meet the compliance requirements outlined in management standards such as ISO/IEC 27001:2013 and PCIDSS 3.0.