A lack of preparation, difficulty locating data and unreliable data removal methods are hampering organisations as they look to meet the conditions set out by the European Union’s General Data Protection Regulation (GDPR). The GDPR, which comes into effect on 25 May 2018, introduces new accountability obligations, stronger individual rights and restrictions on international data flows for businesses handling data about EU citizens. Yet, with less than 12 months to go until the rules become law, only 30% of the UK’s businesses have started preparing for the GDPR. Indeed, a report conducted by YouGov and commissioned by law firm Irwin Mitchell found that not only are firms ill-prepared for the changes in data protection law, but more than two thirds do not realise they risk heavy fines should they fail to follow the guidelines.
Companies face fines of up to 4% of their annual turnover or €20 million, whichever is higher. Even so, of the 2,000 businesses questioned, only 18% said that ‘the size of the fines are likely to put them out of business’, whilst 21% admitted ‘that being fined on such a high level would force them to make redundancies.’
“Contrary to popular belief, personal data is not just consumer information,” said Joanne Bone, partner and data protection expert at Irwin Mitchell. “It is hard to think of a business today that does not use personal data. Whether you have employee data, customer data or supplier data – if the data relates to an individual you will be caught by the new data protection laws.”
For some, actually locating that data is likely to be the biggest GDPR challenge, with some global organisations admitting, with embarrassment, that they do not even know where it is stored, Computer Weekly reported.
According to the Blancco Technology Group’s EU GDPR: Countdown to Compliance study, which polled 750 corporate IT professionals in the UK, US, France, Germany and Spain, finding customer data remains a big hurdle to meeting the GDPR’s right to erasure. Furthermore, the study suggested many firms are using unreliable data removal methods to erase content – something that can be put down to a lack of investment, improper handling and storage of IT equipment, and a lack of data removal software.
Surprisingly, basic deletion methods that undermine security and compliance still feature heavily in France (34%), the US (28%), Spain (26%), the UK (24%) and Germany (23%). In the UK, 33% of businesses still use free data wiping tools that provide no proof of erasure.
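To make concrete what separates a “basic deletion” from a removal method that yields proof of erasure, here is a small added example (it is not code from the article, from Blancco or from any product it mentions). A plain delete only unlinks the directory entry and leaves the file’s blocks intact until they are reused; the sanitiser below instead overwrites the file in place, forces the data to the device, reads it back to verify the overwrite actually took, and only then unlinks it, producing a digest-protected erasure record that an auditor can keep. The sample customer record, the record format and the helper names are all constructed for the illustration. It assumes a local filesystem where an in-place overwrite reaches the original blocks; on SSDs and copy-on-write or journaling filesystems that assumption does not hold, and the drive’s own secure-erase or the destruction of a full-disk-encryption key is the appropriate mechanism instead.

```python
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

# Constructed sample standing in for a customer data file (not real data).
SAMPLE_RECORD = b"customer_id=1042;name=Jane Example;email=jane@example.test\n" * 64


def _sha256_file(path: str) -> str:
    """SHA-256 of a file's current contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def overwrite_and_verify(path: str, passes: int = 2) -> dict:
    """Overwrite `path` in place (random passes, then a final all-zero pass),
    fsync after each pass, read the file back to verify the final pattern,
    and unlink it only once verification succeeds. Returns an erasure record.
    Assumption: in-place overwrites reach the file's original blocks."""
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    size = os.path.getsize(path)
    before_sha256 = _sha256_file(path)
    chunk_size = 1 << 16

    with open(path, "r+b") as fh:
        for pass_no in range(passes):
            fh.seek(0)
            remaining = size
            final_pass = pass_no == passes - 1
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(b"\x00" * n if final_pass else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device, not just the page cache

    # Verification: the file must now hash to all-zero content of the same length.
    expected = hashlib.sha256(b"\x00" * size).hexdigest()
    after_sha256 = _sha256_file(path)
    verified = after_sha256 == expected and os.path.getsize(path) == size
    if verified:
        os.remove(path)  # a plain delete is the *last* step, never the only one

    return {
        "path": os.path.abspath(path),
        "size_bytes": size,
        "passes": passes,
        "before_sha256": before_sha256,
        "after_sha256": after_sha256,
        "verified": verified,
        "erased_at": datetime.now(timezone.utc).isoformat(),
    }


def erasure_certificate(record: dict) -> str:
    """Serialise the record and append a digest of the entry so later tampering
    with the log line itself is detectable (a hypothetical, minimal format)."""
    body = json.dumps(record, sort_keys=True)
    return body + "\nsha256:" + hashlib.sha256(body.encode()).hexdigest()


def demo(passes: int = 2) -> dict:
    """Write the constructed sample to a temp file, sanitise it, return the record."""
    fd, path = tempfile.mkstemp(prefix="gdpr_erase_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    return overwrite_and_verify(path, passes)


if __name__ == "__main__":
    print(erasure_certificate(demo()))
```

The point of the read-back is that the record’s `verified` flag is evidence rather than an assumption: a tool that only issues an unlink, or that overwrites without checking, gives an organisation nothing to show a regulator when it asserts that a data subject’s information is gone.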
For those firms seeking compliance, Blancco suggests change begins with a data protection gap analysis, with 41% of American organisations currently undertaking this and 43% of British organisations intending to do so in the second half of 2017. The first priorities for firms should be finding the data and gaining a complete picture of all data that is collected, stored or processed that contains EU citizen information.
“After that, companies must ensure that adequate means of protecting that data have been implemented, such as access being restricted to authorised personnel, proper authentication being used, proper procedures for backing up and archiving data, and data sanitisation policies being implemented to remove data when it is no longer needed or when requested by customers. In addition, any third parties that have access to the data must be evaluated to ensure they too have adequate controls in place.”
Meeting the 72-hour data breach notification rule and maintaining written records of data processing activities were also top priorities for American organisations, each cited by 25% of respondents, whilst 22% of UK firms were most concerned with maintaining written records of data processing activities for the GDPR.
The consensus from businesses over the last year or so is that the EU is likely to make an example of at least one high-profile target, warned Elliott Haworth in City A.M.
A recent survey from Varonis lent further weight to this, suggesting that the banking and financial services sector would be the first to suffer – particularly concerning to FTSE firms. In an attempt to estimate the effect on share prices, Oxford Economics examined a sample of 65 “severe” and “catastrophic” cyber security breaches during the past four years across seven global stock exchanges. The cost to shareholders? A cool £42bn.
This regulation drives home the significance of data governance to an executive level, said Haworth. With ‘the potential fines for failed compliance, the fallout from reputational damage, and the requirement for some businesses to assign a data protection officer’, it ‘should be enough to alert the City to its magnitude’.