With the EU General Data Protection Regulation (GDPR) only 8 months away from coming into force, surveys are showing that many businesses across the UK and Ireland are still confused about exactly what the regulation means for them, and may be unprepared for GDPR. A survey conducted of over 1000 IT decision makers revealed that 64% were unaware that customers’ birth dates are considered personally identifiable information (PII), which is especially worrying as any mishandling of such data could constitute a breach of the GDPR and result in fines of up to €20 million. 42% did not realise that email marketing databases contained PII, 32% did not consider physical addresses to be and 21% did not even consider customer email addresses to be PII. In contrast, 85% of these survey respondents reported that they have reviewed the GDPR requirement thoroughly and 79% believe they have done everything they need to do to secure their data. This disparity marks a worrying trend for businesses, big or small.
The GDPR comes into full effect on the 25th of May 2018 – and no one wants to be made an example of
According to this survey, 66% of respondents are dismissive about the potential fines under the GDPR should they not have the required security protections in place. Highlighting a further lack of awareness around certain key GDPR tenets, only 33% recognised that up to 4% of their annual turnover could be lost in the event of a data breach fine. However, most businesses (66%) believed that reputation and brand damage would be the biggest pitfall in the event of a breach. These trends are particularly alarming considering that businesses could be shut down, temporarily or otherwise, in the event of a breach.
Some experts believe that there is a fundamental misunderstanding in many organisations about who owns user data and who is responsible for safeguarding it. 25% believed that the CEO of a business should be responsible, and 23% stating that it’s the job of the CISO or security team. Only 10% see GDPR compliance as an issue for the boardroom, showing that the regulation is still not being taken as seriously as it needs to be. Companies are not much clearer when it comes to data ownership either, with only 27% claiming that data is owned by the customer, while just over 50% thought it belonged to the organisation. According to a poll by Citrix, data sprawl may be contributing to this issue, with the average large business using 24 systems to manage and store personal data, with some using as many as 40 to do so.
The GDPR may trigger a boom for some litigation lawyers, according to legal experts. Once the regulation comes into effect, if a data subject believes their personal information has been mishandled, they may take actions ranging from lodging a formal complaint with the Data Protection Commissioner to take a court case against the data processor to seek compensation. Irish businesses should not take the risk of legal action, and are urged to make sure they have assessed the regulation and their business compliance needs correctly so that they can prepare in time and avoid being unprepared for GDPR when it comes into full effect.
As threats to the security of data increase in both frequency and sophistication, businesses have found they often lack the expertise to combat them. The GDPR mandates that a layered approach be taken to data protection, with many companies implementing state-of-the-art technologies to ensure they are not hit with fines. In particular, Article 32 lays out guidelines around the technological requirements for the safeguarding of data. Specific security protocols/methods are not called out in the regulation (given there are different ways to implement security). However security and GDPR experts worldwide propose that common industry security standards such as ISO 27001 and other similar security standards such as NIST or Cyber Essentials would be a good baseline to help comply with GDPR technical/security requirements. As a result, some typical security practices would be seen to include the requirement to put in place a next generation firewall and next generation antivirus software along with a comprehensive and regularly tested backup & recovery procedures and data protection and cyber security training for staff.
While these measures have long been considered ‘best practice’ in cyber security, many small and medium businesses may not have the skills or resources in-house to comply with the technological portions of the legislation. We recommend that any business who is concerned that their technological measures may not meet regulation standards should consult a Managed Security Provider to properly assess their needs and provide the expertise required to ensure compliance.