The EU General Data Protection Regulation was adopted in April 2016 and will, after two-years of transition, be applied starting May 2018. As we head fast into 2017, it would be easy to start thinking that there is still over a year left before your company must be compliant, but how much have you done to get ready in the last eight months? Probably in all reality, not as much as you would like.
It is easy to see why that would be the case, not only is the transition itself complicated, requiring a root and branch re-assessment of company data processes, security and storage, but IT teams also have day to day challenges to deal with.
In the UK, the Brexit vote on June 23rd placed a large question mark over many companies as to whether they would need to worry about EU GDPR at all, once Article 50 is invoked (by March 2017, according to the UK Government). This of course is somewhat of a misnomer because there are already strict rules in place through the UK Information Commissioner’s Office (ICO). Losing momentum on EU GDPR is not an option. It will apply to UK companies from 2018 that are ‘controllers’ or ‘processors’ of European personal data, regardless of the UK decision to leave the European Union. There are stringent rules on the management of personal data, and hefty fines for failures that lead to a breach, accidental or otherwise. Personal data will include identifiers such as an account numbers as well some less well known identifiers such as IP addresses.
There is not just a lot to do with respect to technology and processes in the office. Recent research conducted by WinMagic in the UK looked at the data habits of office workers, finding that only 18% said their employer always encrypted the files accessed through personal devices or stored on personal online accounts that they use for work. Working on data remotely helps employees be flexible and productive, however, one of the most common ways for data breaches to occur is through the loss of a device. An unprotected device, with unencrypted corporate data may include credit card, medical, or other personal customer data, as well sensitive corporate data and systems, open to use by unauthorised individuals. Such losses and limited protection, can lead to identity fraud and a company failing to meet the standards expected by the ICO and EU GDPR.
We’ve seen very recently that mistakes can happen easily with Europol secret data found stored on a hard drive, accessible without a password over the web. Earlier this year, we heard again about the ripple effect of the Dropbox attack where over 60 million sets of credentials were obtained. Dropbox may have acted quickly to get users to change their passwords, but how many other online accounts had they used those same credentials for?
If organisations like Europol which are so tight on security can make mistakes, it brings into stark reality how much inherent risk there is for businesses if the right approach is not taken to educating employees, as well as having the right technology, to protect data at rest.
EU GDPR, may still be over a year away, but it is clear that a lot of work needs to take place across the business and technology world. Do not think about the work you need to conduct in this area as simply about what you need to do to comply. Conducting that root and branch review of people, processes and technology is an opportunity to ensure compliance, but also safeguard against accidental transmission or loss of data and devices, as well ensuring that all critical data is encrypted at rest.
For more information on the GDPR and how you can prepare read our free guide!