Picture the scene: you’ve had to hire a data protection officer; you’ve got a strict plan in place to notify all of your customers about breaches as soon as they happen; all of your data is encrypted and your company now has an insurance plan to help guard against data fines. This scene is in stark contrast to the security and compliance measures that many businesses currently operate under, yet this is expected to become standard practice, and the deadline to comply is fast approaching.
The European Union’s Global Data Protection Regulation (EU GDPR) is expected to come into effect in 2017 and will transform how businesses approach compliance and data security. This newly proposed legislation will impact all organizations that process the personal data of EU citizens. So what does the compliant organization of the not-so-distant future look like, and how can organizations ensure they meet these standards in time?
A tour around the organization of the future:
The data protection officer: Any organization with 250 or more employees will have to employ a designated data protection officer. This individual will have to be properly trained, and must oversee and take responsibility for data protection across the company.
Keeping the customer in the know: Should a data breach occur, organizations will be obliged to notify all those affected, unless it can be shown that the data in question is unreadable/encrypted. For example, if 100,000 customers’ data is lost, via a stolen employee laptop, then every single customer would need to be informed that their data may have become compromised (unless that device has been rendered inoperable and the data is encrypted).
Strict deadlines: In the event of a data breach, be it accidental or the result of malicious third-party hacking, the authorities need to be notified within the first 24 hours. Ideally an organization should know the origin of the breach and have already taken active steps to contain it by the time the authorities get involved.
Threat of heavy penalties:
Companies that do not comply with these standards will be leaving themselves open to huge potential losses. Businesses will become liable to fines of up to 2% of their corporation’s annual global turnover, or up to €100 million – whichever is greater. Compared to the current maximum fine in the UK of £500,000 from the Information Commissioner’s Office, the EU GDPR will drastically raise the stakes. In addition, with breaches becoming a regular topic in the headlines, loss of reputation and customer trust can be just as damaging.
How to prepare for 2017:
Although 2017 may seem a while off yet, it is vital that organizations aim to become compliant as soon as possible. There is a lot of ground work to be done, but if businesses start preparing now, the new laws will be more easily navigated once the EU GDPR comes into effect.
First, staff throughout the business must be made aware of the upcoming legislation and what it means for their role within the company. The news constantly highlights the lack of awareness surrounding the EU GDPR, so the education of staff will be critical in reducing the likelihood of data breaches caused by human error.
Once employees are aware of the impending legislation, a clear and robust policy needs to be created and made available for the whole organization. This policy shouldn't be written in overly legal or technical language, but rather in a tone that all employees will understand. That way, both the company and employees are kept fully in the loop on what they're allowed to do with corporate devices and the responsibility they have when it comes to protecting corporate data.
Finally, companies should look towards using an underlying technology solution which can protect the business in the event of a data breach. To comply with the EU GDPR it is vital for businesses to be able to persistently secure all devices used at work, as well as the data stored on them. Most importantly the technology used will also allow a company to prove that compliance processes are being properly enforced and followed.
As we edge ever closer to the official launch of the legislation, there will be two types of organizations: those that only start making changes to their data protection policies once the law comes into force, and those that are already prepared. The latter, of course, have the upper hand. By clarifying data protection policies, educating employees, deploying data protection software, and, for larger organizations, hiring a data protection officer, organizations can avoid a data protection nightmare in 2017.