The General Data Protection Regulation (GDPR) is on the way, strengthening data protection for individuals inside the European Union and covering the export of personal data outside the region. The implications of these strict new rules and the punitive measures they bring mean UK organisations need to start planning now. Indeed, BBC News has described the GDPR as “the biggest shake-up of data protection laws for 20 years” with the stated aim “to give citizens back control of their personal data as well as simplifying the regulatory environment”. Four years in the making, the rules come into force in the summer of 2016, with EU member states given two years to comply. The headline change is a sharp increase in how much money regulators will be able to fine organisations that don’t comply: up to four percent of a company’s global turnover or €20 million euros (£15.9m) – whichever is the greater.
What are the potential impacts on UK businesses? What should you be doing? For a start, larger companies – with more than 250 employees – will need to employ a data protection officer. How about a sense of urgency? Well, an article in the UK’s Computer Weekly reported that while organisations may feel they have “plenty of time to get ready, the clock is ticking and it’s later than you think”. The same article quoted a study of 100 senior IT managers in UK enterprises in which 59% of respondents said the legislation “would cost their business more”.
A compelling case for change
At least three issues are converging here: increased cloud adoption, a continuously evolving threat landscape, and a far stricter regularly environment.
The GDPR requires that all privacy policies, procedures and documentation are robust and up to date, with data protection authorities able to request them at any time. Indeed, the implications for every function involved in data handling are enormous. Decisions on where you store personal data covering customers and employees, for how long, and where and how you process that data, suddenly assume even greater strategic importance. As more and more companies depend on an increasing number of cloud apps and services to support their essential activities, the Cloud Security Alliance says “From a cloud computing point of view, these changes are long overdue and will lubricate the roll-out of utility-based computing in the EU.”
This is as much about trust as it is compliance. A recent Intel survey reported that 72% of companies cited “compliance” as their biggest concern around cloud adoption, with the CTO of Intel Security EMEA commenting: “As we enter a phase of wide-scale adoption of cloud computing to support critical applications and services, the question of trust within the cloud becomes imperative…. The key to secure cloud adoption is ensuring sufficient security controls are integrated from the start so the business can maintain their trust in the cloud”. There is clearly growing awareness of the potential consequences of a data breach, underlined by the GDPR.
With the case for change compelling, our next blog will explore the GDPR a little more, and suggest how you can get started on the road to compliance.