By Mark Pearce, PA digital trust and cyber security expert
Today’s companies hold huge amounts of personal data but few of them have a comprehensive picture of exactly where that data is held or how it is protected. In a world where supply chains are getting longer and technology is enabling more outsourcing of data storage, managing customer data safely and effectively has become an increasingly complex task.
Up until now, organisations have addressed their data protection and privacy vulnerabilities to a varying extent. However, the arrival of the new EU General Data Protection Regulation (GDPR) places a much higher importance on visibly protecting confidential information with significantly greater requirements needing to be met – and much greater penalties should an organisation experience a breach. Quite apart from the reputational impact of any breach, organisations will face fines of up to 4% of global gross turnover or €20 million, whichever is greater.
While some of the details of how the new requirements will be put into practice are still being debated and some will only be determined once they have been tested through legal challenges, it is clear that companies cannot afford to wait for certainty. They need to take action now to find out where their data is held, how secure it is and whether they are able to comply with the new requirements.
This starts by understanding the scale of the challenge. When new regulations are imposed, organisations may assume that compliance can be achieved with changes to a few administrative processes and technical upgrades. The reality is that GDPR will expose much wider challenges around the management of the data that companies hold, and some of the systemic changes that will be needed will be very time consuming and resource intensive. That makes it critical that action starts now.
GDPR imposes a very wide range of new requirements on who manages data, how it is managed, and what happens if things go wrong. Of particular note (and in some cases, concern) is the application of the regulation to all organisations that hold information about EU citizens, irrespective of their location. In addition, organisations will need to explore the implications of the strengthening of individual rights such as the right to be forgotten and the need to carry out privacy impact assessments. And if things do go wrong, organisations will need to notify any breach to the regulator within 72 hours – this is a significant step up from the previous (and non-specific) expectation of a “reasonable” time for notification.
The new requirement for unambiguous consent for data usage is another area where significant changes in approach will be needed. Organisations should start work early to define their specific consent model as this will have wide-reaching ramifications on the systems and processes that they use for data capture. The consent model needs to ensure that control over their data remains with the individual, one of the main aims of the GDPR.
Another important change that companies need to be considering now is the requirement for proactive governance of third parties who process information. The growth in the use of outsourced vendors and suppliers means this will need careful focus to identify where and how information is processed, transmitted and stored, and clarity over who are the designated data controllers and data processors.
In order to respond to these changes effectively, organisations need to make a clear and honest analysis of where they are now and how ready they are to meet the new regulation. Given the complexities and lack of information about where and how data is held, this may not be straightforward. This should be followed up by a detailed GDPR gap analysis to identify specific areas of non-compliance. More detail can then be drawn out in specific privacy impact assessments. This should then allow organisations to be clear about the action they need to take, which will cover governance, processes, organisational structures and technical requirements.
It is clear that there is a good deal of awareness about GDPR. It is already on board agendas, but what many have not yet grasped is its full implications and the way it will expose wider weaknesses in current data management. We worked with one company that found that 65% of its third-party suppliers were not meeting their security requirements, and such failures are likely to be common.
That experience underlines how GDPR will raise the stakes and means organisations need to focus on securing the support and skills they need to address its challenges. GDPR – with its new requirements and penalties – is a game-changer for data protection.