The EU General Data Protection Regulation (GDPR) was first proposed in 2012 and aims to define more clearly and reform the existing regulation to address the technological issues and advances that have emerged since the 1995 Data Protection Directive.
The new regulations seek to make legislation more homogeneous across the EU, and the extended scope of the legislation means that worldwide organisations will have no excuses for being unprepared when it comes into effect.
The need for GDPR was recognised because of the rise in cyber attacks and data breaches, as well as growing controversy around data collection and consumer concern over how it was being used.
GDPR effectively rules out the possibility of gathering data through opt-out consent – something that many organisations have previously deployed.
‘The level of consent required for the use of data strikes a middle ground between unambiguous consent and the stronger legal definition of explicit consent,’ says Rob Coleman, CTO for UK&I at CA Technologies.
‘This means that consent must be constituted by an affirmative action, while the terms of consent must be set out in an intelligible and accessible form and must be clearly distinguishable from other matters.’
The essence of GDPR is improving individual ownership and control of data, and it aims to address the power imbalance between the data processing entities and the individuals whose data is at stake.
The new law is far reaching, applying to all domestic and foreign companies that process the data of EU residents. It creates several new rights for individuals that organisations will need to comply with.
GDPR emphasises privacy by design and brings a set of requirements focusing on the lawfulness of personal data collection, consent, purpose binding, necessity and data minimisation, transparency and openness, information security
Non-compliance with GDPR will come with major financial consequences. Companies that fail to comply could face fines of up to €20 million or 4% of annual turnover, whichever is higher.
And fines aren’t the only consequences that companies should bear in mind. ‘While a hit to the wallet always hurts, organisations should also consider the reputational damage that publicly flouting such a major regulation would cause,’ says Cigdem Sengul, senior researcher at Nominet.
‘Deliberate or not, a consumer would be most likely to read the flouting of such a regulation as a deliberate attempt to exploit consumer data. Of course, by the nature of some products and business models, these regulations may be crippling for tech companies and start-ups targeting the IoT market, and only time will tell what damage this may cause the tech economy more generally.’
In a worst-case scenario, a business attempting to ignore the requirements of GDPR could find itself put out of business.
Although the penalties for non-compliance with GDPR are potentially extraordinary, there is likely to be some accommodation for businesses that attempt to be GDPR compliant and have the documentation to prove it.
‘If your organisation does have an unauthorised disclosure incident for whatever reason,’ says Ian Trump, global cyber security strategist at SolarWinds, ‘being able to attest to the supervisory authority and saying your organisation was exercising due diligence in protecting the information, detected the breach and informed the affected parties is a way better story than simply saying “we had no idea”.
‘This is the central point of GDPR: “we had no idea” is no longer an acceptable defence.’
In a study by Experian in March, nearly half of businesses (48%) admitted that they are not ready for GDPR. Only three in ten said they plan to hire a data protection officer in the next 12 months, which is one of the requirements of GDPR for organisations of a certain size.
Further research by Delphix found that one in five UK businesses have no understanding of GDPR, while 42% have considered some aspects but not the pseudonymisation tools that the legislation recommends.
Even more worrying were the results of a survey by Crown Records Management, in which one in four IT decisions-makers said they are no longer preparing for GDPR because of Britain’s exit from the European Union. A massive 44% of those surveyed said they didn’t think the regulation would apply to UK businesses after Brexit.
The direct consequences of Brexit for UK businesses depend largely on the UK’s relationship with the EU and the European Economic Area (EEA). If the UK joins the EEA, GDPR will continue to apply in the UK and, broadly speaking, the same data protection compliance requirements will continue to apply in the UK.
If the UK does not join the EEA, GDPR will no longer apply in the UK. However, the UK will almost certainly seek an ‘adequacy decision’ from the European Commission to remove the additional legal protections that will be required to transfer personal data from the remaining EU member states. In order to obtain such a decision, the UK will need a national data protection law that provides essentially the same level of protection as GDPR.
‘For UK businesses, the key conclusion is that GDPR compliance needs to be achieved by 25 May 2018,’ says Dr Philip Trillmich, partner in the global intellectual property practice at White & Case. ‘Post-Brexit, the UK will either be subject to GDPR or is likely to have a law that is functionally very similar to GDPR. Consequently, efforts made to achieve GDPR compliance are likely to be sensible investments that will stand businesses in good stead over the long term.’
Businesses have a year to start and execute a project to work towards being compliant. For organisations that are yet to begin, now is the time to start making commitments and investments in what will be required to comply.
For the vast majority of small and medium-sized businesses, becoming GDPR compliant is not an overly daunting task, even less so for those in a regulated industry. Where the changes brought by GDPR will get sticky is in the large number of non-regulated industries, says Trump.
Large enterprises face more challenges around tracking who is using data or downloading it from cloud applications. Couple this with approaches like outsourcing of support or the compartmentalisation that can take place in larger IT teams, and IT leaders have numerous problems to overcome with little time.
‘Closer collaboration between teams across an organisation will be essential to making sure that companies are compliant by 25 May 2018,’ says Andrew Nielsen, chief trust officer at Druva. ‘However, they will have to continuously monitor for how personally identifiable information (PII) may be getting passed around the business too. It will be a moving target, rather than a final destination.’
There is no way around it: for large organisations, compliance could require vast amounts of time and resources. The good news is that everyone is in the same boat – any organisation that holds an individual’s PII, whether that person be an employee, supplier or customer, will need to get their house in order.
Organisations should begin by asking themselves what PII data they hold and where. Once they’ve established that, they can move on to deciding how they can secure this data (at rest and in flight) and how they will know if a breach occurs.
Technology exists to help put processes in place and discover and identify PII data, including mapping of data models that provide the base level of data required to build the security model around.
Organisations must also ensure that data can be encrypted in production environments, and masked and anonymised for use in development and test environments, and that access is controlled to PII data using identity management, privileged access management and strong authentication techniques. This will drastically reduce the likelihood of a breach occurring.
‘Should a breach occur, a strong crisis or incident management process using security forensics and e-surveillance technologies needs to be in place to notify the regulator and any affected individuals immediately – speed of response is vital,’ says Coleman.
‘The key to getting ready in time for most large enterprises will be to create a cross-functional programme of work containing representatives from legal, IT, HR and business units – this is not just an IT problem.’
Securing for the future
Organisations should remember that they are investing not just to comply, but also to make their business and data more secure.
Article 30 of the GDPR sets out the security requirements that businesses are expected to satisfy. It requires that businesses must implement ‘appropriate’ technical and organisational measures to secure personal data, taking account of the risk presented to individuals if the security of that data were to be breached.
In this regard, GDPR expressly says that businesses should consider implementing ‘as appropriate…the pseudonymisation and encryption of personal data’.
While the law stops short of telling businesses they must implement pseudonymisation, the express reference to it in the security provisions of the GDPR is highly significant, as regulators will take its implementation into consideration when considering compliance.
In plain sight
‘In a GDPR world, there will simply be nowhere to hide for a business that suffers a breach,’ says Iain Chidgey, general manager and vice president EMEA at Delphix. ‘The regulation punishes businesses that fail to leverage appropriate protection measures – such as data masking technologies – as a part of their overall security posture.
‘The GDPR breach notification obligations are likely to reveal a higher volume of breaches than we witness today, as well as more details about their impact. The need to notify constituents in the event of a breach will most likely push organisations to prioritise security and ensure robust systems are in place so that they do not damage customer relationships and brand reputation.’
The rapid increase in digital interaction between organisations and their customers has made a huge impact on two areas: how quickly organisations can bring out new capabilities via digital channels and how much data they can use from their customers to inform new releases.
Many consumers agree to hand over their personal data, accepting the terms and conditions without so much as reading beyond the first few lines. But this is going to change dramatically when the GDPR comes in, with the possibility of opt-out consent. The relationship between organisation and customer will experience a fundamental shift because of it.
The requirements driving the updated GDPR regulation make it clear that the trust that consumers have with organisations needs to be better supported with robust processes, technology and organisational structures for managing and securing personal and private data.
‘The regulatory approach taken by the EU is all stick and no carrot, and the penalty provisions for not fulfilling the detailed requirements are much more punitive than the currently active legislation,’ says Coleman. ‘Of course, it remains to be seen how hard organisations that fall foul of GDPR regulations will be hit as it’s open to interpretation.’
GDPR introduces a move towards privacy by design, meaning that organisations will have to build safeguards into processes, such as testing and development, from beginning to end.
Organisations will have to consider cyber security from the conception of a new service or process to ensure that privacy by design is considered throughout the life cycle of software and process development through to data management, and while ensuring compliance with the law.
GDPR will place a strain on resourcing within organisations trying to find people with the right experience and qualifications. There is already a skills gap in this area.
‘Organisations that have organically grown over time and do not have a customer-centric view may find a huge challenge in meeting the requirements of GDPR,’ says Dave Burleigh, information security consultant at Trustwave, ‘driving expensive projects to adjust processes and systems to enable the rights of the data subject to be invoked in a timely manner while maintaining the integrity and confidentiality of the data.’
The regulation will trigger wide-ranging reform for testing and development teams – especially for the still-prominent role played by production data in testing.
Consumers will also have more protection against the use of their data. GDPR will require that organisations only use data for the explicit reasons that it was given, can only keep it for as long as it’s needed and can only use it for a legitimate purpose.
‘Enterprises can’t keep or use data indefinitely,’ says Coleman. ‘Nor can it be used by an indefinite number of individuals.’