Well, the 5th to be precise, but here’s why you should be panicking…
Personal data protection is finally being taken extremely seriously
Mark your diaries. There is an EU regulation coming called the General Data Protection Regulation (GDPR). It represents the most significant change to data protection in the EU since 1995, and replaces the Data Protection Directive (officially Directive 95/46/EC) of that year. In a nutshell, it harmonises data protection rules across the whole EU, simplifying the regulatory environment for international business; unlike a directive, a regulation applies directly in every member state without needing national implementing legislation. On 5 May, however, the EU will publish the 261-page final text and we will finally see exactly what GDPR entails. A two-year transition period after that will see the GDPR apply with the force of law across all EU member states from 2018.
“If we thought digital was the ‘new oil’ then we discovered that it’s also the ‘new asbestos’,” says UK Information Commissioner Christopher Graham. “Privacy is about managing the threats as well as the opportunities.” After all, developments such as cloud services and the Internet of Things are world changing, but if we are to reap the full economic and social benefits of such progress, it is vital to dispel the consumer perception that doing business digitally is inherently risky. The European Commission intends to give citizens back control of their personal data with the GDPR, but it comes with a strict compliance regime and severe, potentially devastating consequences for businesses just like yours.
GDPR has now raised the stakes…
Currently in the UK, the Information Commissioner’s Office (ICO) hands out the occasional modest fine and rarely seems to prosecute. However, with the GDPR coming into play and the ICO given far sharper teeth, prosecutions and fines will rise suddenly and affect many. It will no longer be a case of huge brands shrugging off £500,000 fines: whatever the size of your company, there will be serious enforcement and there could be serious consequences. Regardless of size, all companies and their boards should be paying attention now. Shareholders will definitely be interested in the measures that your business plans to take.
No one wants to be associated with a large-scale security breach even without GDPR to think about, but take Morrison’s for example, whose 2014 data breach involving the personal details of 99,998 employees resulted in 6,000 of those employees taking legal action against the company. The financial and reputational damage that Morrison’s suffered would be far, far worse with the new GDPR in place. Companies that fail to play by the new rules face fines of up to 20 million euros or up to 4% of global annual turnover, whichever is greater. “All major retailers should take the Morrison’s data breach as a warning,” says Alan Calder, founder and Executive Chairman of IT Governance.
GDPR will affect every organisation handling EU residents’ data, particularly data and technology related businesses…
2018 will come a lot quicker than you think, too. You need to start preparing immediately and begin reviewing your current practices relating to governance, control, organisation, processes, sourcing and technology. It will affect every single area of your business, from HR to IT. Even marketing departments will feel the impact as they are forced to impose tight controls over any data held for marketing purposes. GDPR’s Article 37 is of major importance: it requires many organisations (public authorities, and those whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data) to designate a Data Protection Officer who understands how to handle data and assess risk, and who takes charge of regulatory compliance, staff training and supervision. Two years sounds like ample time to ensure your business will be compliant when the new rules come in, but it really is not once you look at the scale of the changes you will need to make.
A large part of preparing is raising awareness of the GDPR within your organisation. There is already a concerning lack of education relating to data protection and privacy, yet it will be essential to the GDPR’s success. According to a 2015 Ipswitch survey of 316 European organisations, over half of respondents admitted they were not ready and did not even know what GDPR meant. Furthermore, only 13% said they planned to spend more time understanding and preparing for the regulation. The compliance minefield will soon become more dangerous still, because the definition of ‘personal data’ is set to broaden too. That ‘personal data’, whether a name, a photo, an email address, bank details, social networking posts, medical information or a computer’s IP address, is also easier to lose than you think. There has been a dramatic increase in cyber-attacks (55% of UK businesses have fallen victim in the last two years) and most businesses have no idea how vulnerable to attack they are. Cyber-crime is constantly evolving, and a patchwork of outdated security systems does not offer the sort of protection that WALLIX does.
Time to get your house in order…
Compliance is finally catching up with the times and if you didn’t care before, you certainly should now. Soon, if a security breach occurs and your business has failed to take the now vital steps to protect its data, it won’t be a slap on the wrist: the regulation’s fines are designed to hurt, and member states are free to add their own penalties, including criminal ones, on top of them. Fortunately, we’ve got you covered.
WALLIX’s WAB suite lets you control, oversee, monitor and record administrator sessions across multiple systems, so you always know who is looking at, and doing, what across your estate. We protect privileged credentials so that attackers cannot use exposed admin passwords to gain access to your data, and help your company comply with the new standards by building a policy around your administrator accounts. So, if you are audited before, during or after a security breach, you can show the auditor or your supervisory authority an audit trail of exactly who did what on which system, which is precisely the evidence a regulator will ask for. Privileged accounts are only one part of GDPR compliance, but they are the part attackers target first. Our commitment and expertise in helping businesses protect themselves and their data from the ever-evolving range of cyber security threats is unparalleled, and our practical approach will help you improve your defences and rest easy when spring 2018 comes around.
If you wait any longer, your business is really going to struggle once the new rules come into play. So we had better get cracking. As often happens with regulation, it will probably take a high-profile enforcement case for most organisations to really understand the gravity of the situation. Don’t let it be you.
Follow us as we continue to report on how WALLIX can help companies through the complexity of operational compliance.