There has been loads written and talked about surrounding General Data Protection Regulation (GDPR). The new regulation is arguably the most significant change in global privacy law in twenty-two years and businesses must shore up their cybersecurity processes and procedures to avoid facing financial penalties.
GDPR is due to be implemented on May 25th 2018 and the regulation places important new obligations on any business that handles the data of individuals living in the EU, independent of where the business is located. Although many companies have already adopted privacy processes and procedures consistent with the directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force. With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
What are the consequences of not complying to GDPR?
The UK Government and Information Commissioners Office (ICO) have declared that no new legislation will be introduced to cover the growing threat of cybercrime as this is a business owner responsibility to address. What they will enforce though is legislation about the use of data. If data is protected then at least any cyber-attacks will mean that personal data is (or should be) protected and safe.
What are the GDPR fines or punishment?
The penalties for non-compliance are eye watering. Infringement on certain articles of GDPR carry fines of up to €20M or up to 4 per cent of total global revenue of the preceding year, whichever is greater. Other fines carry penalties up to €10M or up to 2 per cent of total global revenue of the preceding year, whichever is greater. These punishments show it is important that compliance is met and GDPR is not ignored.
For organisations it is not just about fines or punishments. The risk of not meeting GDPR requirement can be cost prohibitive in other ways. According to recent research cyber-attacks can cost businesses anywhere from $14.00 to $2.35million per incident and data breaches and attacks are growing all the time. Therefore, the cost of an attack on an organisation can have significant impact. Lastly there is the cost of brand and reputational damage post attack. Interestingly according to recent research by information management company Veritas, only 31% of companies surveyed are worried about reputation damage due to poor data policies, but it can destroy a business and the brand post attack.
Why has the new GDPR legislation been introduced?
The answer is simple; the threat of attacks on sensitive data is very real. And, not only are the threats growing, but the magnitude of these attacks is also increasing. This is down to aspects such as the broad adoption of IoT, which is seen to be easily compromised, coupled with poorly protected data, which is still often held in legacy systems without adequate security.
This is why GDPR will be strictly enforced in order to protect data. GDPR not only strengthens the rights that individuals have to control their own data, in particular it protects the right to data portability. This means an individual has the right to transport his/her personal data from one organisation to the next. Every organisation that processes personal data will need to make sure that this data is properly safeguarded against loss, theft, unauthorised access, etc. In fact, security of personal data is so important that GDPR includes a personal data breach notification rule. This says that when a breach of security occurs it should be reported within 72 hours, and if it is likely to result in a high privacy risk for individuals, these individuals must be informed.
To add to this data protection by design and by default are both included in the GDPR. This means two things. First, it will be mandatory when designing a new system, process, service, etc to make sure that data protection considerations are taken into account. Moreover, organisations need to be able to prove that they have done so. Second, the new system, process, service, etc must include choices for the individual on how much personal data they wish to share.
Without a doubt, the protection of customer and partner data is essential for the survival and success of every organisation. However, all too often security, especially encryption, has been regarded as far too complex and expensive for most small and medium-sized enterprises to consider. But with GDPR comes a need for companies of whatever size to recognise the value of their data and be aware of the ever-growing legal framework they need to meet, as well as the resulting penalties for non-compliance. Now that the final text of GDPR is known the next steps for any organisation is to identify how this new legislation will impact them. The journey to GDPR compliance no matter how arduous and long is a path that all organisations must undertake, however reluctant they may be.
Alastair Hartrup, Global CEO of Network Critical