Almost two years ago, the European Union signed the General Data Protection Regulation (better known as the GDPR) into law, allowing for a 24 month period before the regulation would become binding to allow organisations and businesses time to comply with its requirements. At the time of writing, the GDPR will come into force in just eight days, a thought which may strike fear into the hearts of many business owners who are not going to be fully compliant by the deadline. So what exactly is going to happen, come Friday the 25th of May? We’ve taken the time to compile some information and predictions to help cut through the noise and focus on what’s important.
The GDPR, which replaces the 1995 Data Protection Directive, was adopted on 14th April 2016 and will become enforceable on 25th May 2018.
The most important thing to note is that the 25th of May will just be another day under the GDPR. It’s not a “snapshot” moment where each business will be checked for compliance and fined/passed accordingly, but the beginning of life for businesses under an enforceable General Data Protection Regulation. The GDPR will evolve as time goes on and businesses will have to keep evolving in order to meet its requirements. So with that in mind, here are a few points to bear in mind next week.
No maximum-penalty fines, at least initially
Most people in the business sphere will be familiar with the new, increased potential fines under the GDPR. Once the regulation is enforceable, businesses that are found to be non-compliant can face fines of up to €20 million, or 4% of global turnover, whichever is higher. However, don’t expect your local dentist to be hit with a multi-million Euro fine for not having up-to-date antivirus – as regulators such as the UK’s Information Commissioner’s Office have stated, “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm … We have always preferred the carrot to the stick”.
In other words, fines will be decided at the regulator’s discretion, with smaller fines for companies that make small mistakes, and larger fines for companies that knowingly deny an individual their new rights to data portability, erasure and access. As time passes, we can expect to see fines increase as regulators crack down on repeat issues and major non-compliance.
It’s also worth noting that regulators will be able to legally suspend data transfers from a non-compliant organisation to so-called third countries (non-EU countries such as the US, and potentially even a post-Brexit UK). Such sanctions could put a modern organisation out of business quicker than any fine.
Incidents involving suppliers and third-parties
Accountability is one of the biggest tenets of the GDPR, and is going to change how organisations deal with third-party suppliers. The GDPR specifically speaks about Data Controllers and Data Processors, and will hold both parties accountable in the event of a data breach or non-compliance. Picture this: a small company puts a lot of time into ensuring it is compliant, as it is EU-based and deals with EU citizens. However, it outsources its payroll to a company in the US, which suffers a data breach. In this scenario, both the EU-based company and the third-country-based company are held responsible for EU citizen data being mishandled.
Most modern organisations will have a supply chain that is quite a bit more complicated than the above example, making it difficult to map where data is flowing and ultimately secure it. In fact, it will be a punishable offence under GDPR to outsource data to any company that will not process it in a GDPR-compliant manner, even if they are based outside the EU. Due to this, it is highly advisable to vet each external organisation that processes data on behalf of your organisation, and if possible get agreements in place with them that bind them to processing your data in a GDPR-compliant manner.
Some companies will continue to cover up breaches
As in the past, we fully expect that some organisations will continue to try to brush their data breaches under the carpet instead of reporting them to data protection authorities as they are legally required to. Yahoo faced huge consequences after it attempted to cover up a data breach, with $350 million knocked off its value overnight when the cover-up was discovered. On top of the huge fines for covering up data breaches, organisations face irreversible reputational damage. Covering up a data breach is a tactic that has proven to fail, usually with dire consequences for the organisation attempting it.
However, some organisations may under-report data breaches due to not having all the necessary information on hand. The GDPR mandates a 72-hour period within which the affected organisation must contact data protection authorities. Some organisations may not detect data breaches internally, but find out about them externally when the data itself is leaked, putting them in a race against the clock to find out what happened and report the relevant information within the 72-hour period.
Under-reporting can also be met with large fines under the GDPR, so it will be important for all organisations to continuously monitor their networks and have a robust incident response plan in place.
Cyber criminals use the GDPR to their advantage
Ransomware has been a growing threat over the past few years, but cyber criminals aren’t stopping there when it comes to extorting money from legitimate businesses. One of the latest types of attack to gain traction with criminals is DDoS (distributed denial of service), in which criminals overwhelm a company’s website or other critical system with fake traffic in order to stop it from functioning. Initially, DDoS attacks caused trouble for organisations but didn’t really benefit criminals. However, lately some cyber criminals have begun to adapt the ransomware model to fit DDoS attacks, threatening to shut down company websites with DDoS if they do not pay a ransom.
Cyber criminals will use any avenue they can to make money, and the GDPR is unfortunately going to provide them with another. After committing a cyber attack on a company, cyber criminals could well turn around and threaten to report it to data protection authorities, where it could face heavy fines and sanctions under the GDPR. All the criminals have to do is steal data from an organisation using ransomware or other similar means, work out what fine it might receive under the GDPR, and then charge a ransom slightly less than that. And some companies, ill-advised as it may be, might try to pay them off to keep their reputation and bank balance intact, thus reinforcing the behaviour.
GDPR will be an ongoing process
The 25th of May is the beginning of the GDPR, not the end. It will not be make-or-break for companies, and the regulation will not go away the next day. The GDPR is a continuous process that will change and evolve over time. In that sense, it’s likely that the beginning of the GDPR will be as confusing for regulators as it is for companies, as they feel out the new laws and how they will react to breaches and the various issues that may crop up. Hence, they are likely to go easier on companies at first, until they have found the right balance and precedents have been set.
Non-compliance with the GDPR will be as much a business risk as a security risk, and boards will need to formulate a strategy across the organisation – including the IT, legal and compliance departments.
One thing’s for sure, data protection will never be the same again.