By Mark Pearce, PA digital trust and cyber security expert
Today’s companies hold huge amounts of personal data, but few of them have a comprehensive picture of exactly where that data is held or how it is protected. In a world where supply chains are getting longer and technology is enabling more outsourcing of data storage, managing customer data safely and effectively has become an increasingly complex task.
Up until now, organisations have not addressed their data protection and privacy vulnerabilities in a consistent way. However, the arrival of the EU’s new General Data Protection Regulation (GDPR) places much greater importance on visibly protecting confidential information, imposes significantly greater requirements that need to be met and sets much stricter penalties should an organisation experience a breach. Putting the reputational impact of any breach to one side, organisations will face fines of up to 4% of global gross turnover or €20 million – whichever is greater.
While some of the finer points of how the new requirements will be put into practice are still being ironed out, and with others only being determined once they have been tested through legal challenges, it is clear companies cannot afford to wait until the regulation is set in stone. They must act now to find out where their data is held, how secure it is and whether they are able to comply with the new requirements.
What does the GDPR mean for you?
To begin answering this question, organisations need to understand the scale of the challenge. When new regulations are imposed, many assume that compliance can be achieved with changes to a few administrative processes and technical upgrades. But the reality is that the GDPR will pose greater challenges around the management of data which companies hold, and some of the required systemic changes will be very time-consuming and resource-intensive. It is therefore critical that action starts now.
When it comes to who manages data, how it is managed and what happens if things go wrong, there is a wide-reaching set of new requirements. Of particular note (and in some cases, concern) is the application of the regulation to all organisations that hold information about EU citizens – irrespective of where those organisations are located. In addition, organisations will need to explore the implications of the strengthening of individual rights, such as the right to be forgotten and the need to carry out privacy impact assessments. And if things do go wrong, organisations will need to notify the regulator of any breach within 72 hours – a significant step up from the previous (and non-specific) expectation of notification within a “reasonable” time.
The new requirement for unambiguous consent for data usage is another area where significant changes in approach will be needed. Organisations should start work early to define their specific consent model as this will have far-reaching ramifications on the systems and processes they use to capture data. The consent model must ensure control over their data remains with the individual – one of the main aims of the GDPR.
Another important change is the need for proactive governance of third parties who process information. The increased use of outsourced vendors and suppliers means organisations must take care to identify where and how information is processed, transmitted and stored, and have clarity over who the designated data controllers and data processors are.
To respond to these changes effectively, organisations need to assess their current position and how ready they are to meet the new regulation. Given the complexities and the lack of information about where and how data is held, this may not be straightforward. The assessment should be followed by a detailed GDPR gap analysis to identify specific areas of non-compliance. More detail can then be drawn out in a specific privacy impact assessment, which should allow organisations to be clear about the action they need to take when it comes to governance, processes, organisational structures and technical requirements.
It is clear the GDPR is already on board agendas, but what many have not yet grasped is its full implications and the way it will expose wider weaknesses in current data management. We worked with one company that found that 65% of its third-party suppliers were not meeting its security requirements – and such failures are likely to be common. This underlines how the GDPR will raise the stakes and why organisations need to focus on securing the support and skills they need to address its challenges. The GDPR – with its new requirements and penalties – is a game-changer for data protection.
Find out more about PA's thoughts and experience on GDPR here.