It is little more than three months until March and the touted date for the UK to activate Article 50 to start the formal process of leaving the European Union. Uncertainty still prevails in the whole Brexit debate which is sure to maintain its spot of prominence in headlines and news bulletins across the country well into 2017. You may be worried from those opening lines that what follows in this post will be more of the same conjecture.
But you’d be wrong.
This post isn’t about Brexit, whatever form it may take. Honest. We’re not about to weigh up the whole hard vs soft and its implications for cybersecurity. In fact, this post is entirely centred on a certainty. The two-year negotiation window to exit the EU means that even if Article 50 is invoked in March 2017, the certainty is that when GDPR comes into force on 25th May 2018, UK businesses will need to be ready.
The General Data Protection Regulation aims to bring data protection laws across the European Economic Area under one umbrella legislation, designed to allow EU citizens greater control over their data while bringing clarity to the obligations of data controllers and the companies that hold those citizens’ data. This is why it will apply to any person or entity that processes EU residents’ personal data, be that in order to offer goods or services or to monitor behaviour.
As with most things that involve huge legislative change, the night is darkest just before the dawn of the era of GDPR. Businesses across Europe are poring over the regulations, assessing how it will affect them and the data they hold and making sure they’re ready to meet the new law’s demands.
The regulation, similarly to the ageing Data Protection Act here in the UK, pertains to personal data, though the scope of what is considered personal data is far more detailed: any online identifier, including IP addresses, can be considered personal data. This is in response to the increased ability of businesses, facilitated by technological advances in recent years, to collect data on their customers and on people interacting with their content.
GDPR goes beyond the DPA in other ways too: it covers certain manual filing systems where personal data can be accessed in specific cases, and pseudonymised data in any case where the pseudonym can be attributed to a specific individual without huge difficulty.
Any data loss can result in steep fines, as can non-compliance on the part of data controllers or processors – up to 4% of global turnover or €20 million for data breaches, whichever figure is higher. This marks a huge increase over the current maximum under the DPA of £500,000 and reflects the amount of damage that can be wreaked upon individuals’ privacy should their data be stolen by threat actors or lost by negligent or non-compliant organisations.
It’s not just data controllers at risk of these increased penalties either. Liability will be shared between data controllers and data processors in the case of data loss incidents, meaning that even if these responsibilities are shared between separate companies or entities, both will face fines following a data breach.
Want to avoid these fines? Well, breaches can’t just be swept under the carpet. Under GDPR, data breach reporting will be mandatory, and handily, included with the GDPR are guidelines for reporting breaches – minimising excuses for delayed reporting. Enhanced personal reporting responsibilities are placed on organisations should data exposed in a breach lead to an increased risk to the safety or freedoms of the individuals affected. Companies are at risk of a fine if a breach isn’t declared to the relevant supervisory authority within 72 hours, unless there is serious justification for the delay.
So, it’s simple. The best way to avoid such hefty fines is to make sure you’re well prepared for GDPR.
Commissum’s independent expertise in all aspects of information security means we’re perfectly positioned as subject matter experts to advise you on any aspects of the approaching GDPR deadlines. We offer solutions for testing services, training, and ISO 27001 consultancy and mentoring to help you establish an Information Security Management System (ISMS) which helps you to protect the data you hold in a managed fashion and keep abreast of compliance requirements.