The changes will stick because they bring with them the need for a named person to be responsible and to face criminal charges if the company gets it wrong. They also come with fines of up to $20m or four per cent of a company’s global turnover.
The regulations will cover any company which holds data relating to a European citizen. So not just companies within the European Union, but any firm wherever it is based which stores or processes data about European citizens.
One of the major changes is the requirement for privacy by design. You will need to justify the data you collect and the data you keep. You will need to prioritise that data and encrypt, anonymise or otherwise protect any information you store.
You will need to have a named compliance officer to ensure you’re following the rules and that person is criminally liable for failures.
There is a detailed disclosure clause – if your company suffers a successful hack you have to inform regulators within 72 hours.
Customers also get the right to near-instant data portability – you need to be able to tell them what data you hold and provide it in a readable format should they request it.
For many companies this will be challenging enough.
They will need new people, new processes and possibly new equipment to prove that they are following the rules.
Some claim Brexit will make this null and void. But the regulations will come into force some months before the earliest possible date which the UK can leave the union.
There are some other strong reasons why UK firms are likely to follow the rules regardless:
It is highly unlikely that a UK politician, or a UK business, will see an advantage in campaigning for weaker data protection in a post-Brexit UK.
Even if they did, no business will want to follow two sets of rules – one for UK customers, one for those in the European Union. Indeed, some companies are already shifting data centres to EU territory in order to avoid this situation.
If we did decide on a new set of rules, they would need to prove ‘adequacy’ – they will need to be as strong as GDPR.
So the UK will very likely follow rules which are almost identical to GDPR.
The UK’s new Information Commissioner Elizabeth Denham made this clear in a recent speech.
She said: “The fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow. It is fundamental to the digital economy. In a global economy we need consistency of law and standards – the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent. For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK.”
She added: “The future of the law is an opportunity for government too. Being ‘open for business’ means more than just saying you are. It means having a digital economy, being digitally enabled. And data protection is central to that…
When the UK leaves the EU (based on what we know today – 2019 or later) a new data protection law will need to be in force.”
Lots of vendors are starting to offer “GDPR compliant” kit but don’t be fooled. These changes are about a lot more than just buying some more kit.
You need to look at the fundamental processes around data protection from the ground up.
Every piece of data you collect needs to be justified, and if it is going to be stored then the right level of protection must be put in place, whether that means anonymising, pseudonymising or encrypting it.
Any form of further processing must also be justified. You need to be in a position to tell people what data you hold on them and, if necessary, provide it to them in a portable format.
Tim Grieveson, chief cyber and security strategist at HPE, said: “This is a fundamental step change for business. We need to find 28,000 data compliance officers across Europe and make sure they have the right training and the right status within the business. But it is also an opportunity to look at your security holistically, to get the right people, processes and technology in place. It is also a chance for security to be seen as enabling the business not just a tick-box exercise.”
Grieveson points out that GDPR is a chance to take a data-centric view of security. Firms should take the opportunity to carry out a full audit of the data they hold and then “bake security in” – security should be built in from the very start of a project, not just added on at the end.
The new legislation is also a chance to mobilise the whole workforce – cyber security is now a business risk not just a job for the IT department. It also requires organisations to look at both internal and external networks to ensure all of them reach a baseline of basic security.
However good your security is, you also need to know what you will do if something still goes wrong.
You need to have a detailed plan in place for a breach. Most organisations would struggle to detail what data was taken within 72 hours of a hack.
Under GDPR you have 72 hours to inform regulators of what data has been compromised.
But the average hacker can be inside a company’s systems for 146 days before being detected, and remediating that attack typically takes weeks.
So companies will need to react much faster if they are hacked.
Recent high profile telecoms hacks, and their aftermath, have shown that you must also be certain of your facts before making any public statement.
Grieveson predicts 2017 will be “the year of the data bandit”. He said: “Hackers used to want to steal credit card numbers but now it is about stealing a package of data which they can more easily monetise. You need to identify and protect the components of that package and effectively protect the assets which the bad guys want to steal.”
The smart business will see GDPR not just as a minimum standard to reach but as a chance to fundamentally rethink how it treats privacy and security within the organisation.