Consensus at last - but what does the EU General Data Protection Regulation mean for you?
Discussions over the EU General Data Protection Regulation (GDPR) have rumbled on since 2012. Consequently, it's understandable that this week's breaking news about a final agreement over the legislation already seems like old news. However, while it may have been almost three years since the need for change was acknowledged, the regulation as it stands today is vastly different to that under which organisations currently operate.
As a result, there is an inevitable widespread need for an update to policy, procedure and technology. With the regulation on track to be formally adopted in January 2016 and enforced a short two years later, organisations need to evaluate, implement and adopt processes and technology now, so they don’t fall foul later.
Two points to watch out for
Across the board, two of the most significant changes to be introduced are mandatory reporting of data breaches that are 'likely to harm individuals' within 72 hours and hefty fines of up to 4% of global turnover for non-compliance (the ICO's current maximum of £500,000 will pale in comparison for many large organisations).
Mandatory notification is expected to result in a rise in the number of data breaches being reported - not because more breaches are happening but because fewer can be swept under the carpet. Consequently, organisations will be forced to open themselves up to scrutiny, with regulatory bodies looking at how the sensitive data they handle is protected throughout its lifecycle. Any shortcomings will be exposed and will count against them.
As we recently examined, TalkTalk's data breach from October 2015 is estimated to cost them £35m in one-off costs alone. We need only add 4% of their global turnover to that and we can see why the EU GDPR will be keeping CFOs awake at night!
The good news is that now there's clarity, there can be action. Boards across Europe need to immediately start planning and implementing the right processes, training and technologies to protect the entire lifecycle of their data so they're prepared for when the regulation is enforced. We can see from previous breaches that it is the small slip-ups, caused by human error, that have been the most common and largely the most damning. As a result, security policy needs to be matched with user training and education, and underpinned by smart, intuitive technology. Getting a head start on this now can only pay dividends in the future.