Major changes to EU data security legislation are expected to become law in 2015; however, many UK organisations have yet to ensure they are compliant. Organisations with more than 250 employees are likely to be required to appoint a Data Protection Officer. Businesses deemed to be in violation of the General Data Protection Regulation (GDPR) could face fines of up to €100m or five per cent of their annual worldwide turnover.
Despite the threat of fines, many UK businesses remain unaware of, and unprepared for, the legislation, and need to take steps now to ensure that both they and their cloud service providers are compliant with the new laws.
The change has been brought about by the desire to standardise data security regulations across all 28 EU member states. The new regulations also give citizens greater control over their personal data and how it is used by businesses. Once the law has been introduced, data breaches will need to be reported to regional officers within 24 hours, and organisations will be subject to audits to ensure they are compliant.
Neil Cross, Managing Director of Advanced 365, offers his five top tips for organisations working towards compliance and looking to ensure they are covered before the legislation becomes law.
1. Assess existing data storage arrangements – Organisations must first establish what data they hold, where it is held and the geographical location of the data centres they use. Hosting data outside of the EU could, in some cases, contravene the new legislation, so businesses must act now to understand how they are affected and seek new hosting facilities where required. Data migration to a facility which will ensure compliance is by its very nature a lengthy process, and a project which is underway but not complete may not be sufficient to satisfy the regulator.
2. Review existing security policies – CIOs need to look carefully at how data is accessed and processed, and examine their existing security policies to ensure they support a compliant solution. For example, many organisations hold data security accreditations that only apply to specific regional divisions or departments as opposed to the business as a whole; yet wherever data is accessed, it will fall within the requirement for the same level of control.
3. Formalise reporting – Businesses should implement a breach notification process so that any infringements can be reported as soon as they are identified. Data breaches must be reported within 24 hours of taking place to the relevant data protection authority in the country in which an organisation is based, so internal processes need to be geared to support this requirement to ensure compliance.
4. Promote best practice – Every employee in an organisation – from the top down – needs to be aware of the severe implications of data security breaches. Establishing staff training programmes is imperative and data usage policies must be rigorously enforced. Senior management need to work closely with IT and HR to make sure policies and programmes are implemented as soon as possible.
5. Work with a specialist service provider – If time and resources are limited, businesses should consider outsourcing data hosting to specialist managed service providers. They should look for companies which offer hosting in regional data centres that ensure compliance, and which combine this with proven expertise in data security. Businesses should only engage with hosting providers that are compliant with the new legislation.
"For many businesses, outsourcing data hosting will be the most practical and cost-effective means of achieving compliance; however, CIOs and their teams must ensure that potential suppliers are themselves fully compliant with the new regulations. Organisations which suffer data breaches caused by negligent cloud service providers will share liability with them. Due diligence has never been so important.
"As the new regulations come into effect, we are almost certain to see some fairly rapid and high-profile cases being brought before the courts to test the new powers, and we want to ensure that it is not any of our clients who experience this unwanted public attention."