GDPR is Coming in Less than 12 Months – Is Your Business Protected?
As has been discussed vigorously over the past few months, you may be aware of GDPR – General Data Protection Regulation – which is a EU based legal framework designed to protect your customer’s personal data. It goes further than the Data Protection Act and is much more specific on what personal data is, how it is defined, what should be retained, why it should be retained amongst other areas. GDPR comes into force on 25th May 2018.
Whilst this is an EU directive, it is a legal framework that is being administered in the UK by the Information Commission Office (‘ICO’). The ICO is the UK’s independent body set up to uphold information rights and they took 200,000 calls on their helpline last year to deal with privacy regulation and other digital impact on data protection.
The legislation covers such areas as prevention and reporting aspects which will be assessed by the ICO to make a decision if penalties should be incurred. As we have no historical or evidential cases to reference we can only go on what we have been informed of. This related to organisations having to create a prevention strategy, appoint a Data Protection Office (in larger organisations), process and controls being placed on personal data in alignment with the legislation and the reporting timeframes of a breach (72hrs) which have to be adhered to.
If you think of the serious breaches that have resulted in a multi-million user identity breach that have happened over the past years – indeed Symantec’s Internet Security Threat Reports puts these as significant. Such recent examples have been Yahoo (on more than one occasion) and Tesco Bank. As noted in Symantec’s ISTR report for 2017, these grand scale of breaches are on the increase:
“Personally identifiably information (PII) is any data that could potentially identify a specific individual. For example, information which could differentiate one person from another. This is all considered PII and is therefore covered by the GDPR.”
This PII is further defined as even being as granular as a user’s IP address in alignment with other personal data such as name, email and other identifiable data.
Gartner have recently reported that their expectation is that more than half of companies affected by the EU GDPR regulations won’t have conducted enough preparatory or protection work by the time it comes into force.
One of the key drivers that has created such a stir in the market is that the fines and penalties for non-conformance are so punitive. A minimum €20m fine or 4% of the global turnover could be imposed for any serious breaches of the regulations. In the recent example of Tesco Bank, the fine could have topped £1bn as the Tesco group turnover may have been taken into account.
There are many vendors that have some sort of solution to cover aspects of the GDPR challenge. Microsoft’s Corporate VP and General Counsel, Rich Sauer, reveals that the company has started publicly offering contractual commitments regarding this particular EU law, stating that this step was taken to “provide key GDPR-related assurances about our services”.
“We believe privacy is a fundamental right. The GDPR is an important step forward to further clarify and enable individual privacy rights and look forward to sharing additional updates how we can help you comply with this new regulation and, in the process, advance personal privacy protections.”
The bad news is that this isn’t going away, our interaction with European customers means that Brexit won’t affect this, but more ethically, it is good practice to adhere to these issues with cyber-crime on the increase. What this will drive is an understanding of what the risks are that may have been unknown before and how you can replicate personal data with corporate data protection. Data is now pretty much the most important asset within an organisation; be that the IP of a company’s software development, their customer lists or their business planning data for the next 1-5 years.
The good news is that SCC have developed a GDPR Readiness Assessment to help organisations understand and plan for the 25th May 2018.
SCC and our selected specialist partner, Company85 can architect and deliver proven, benchmarked and reliable results quickly and with a minimum of cost and effort.
Building on the results of the assessment, we use our “Accomplish More” methodology and years of customer experience to determine where the new legislation will require changes to your business and processes. This results in a simple, pragmatic plan to achieve compliance before the deadline.
The GDPR scorecard exercise can be repeated to measure progress and effectiveness of any improvement programme.
Contact SCC today [email protected]
