How does GDPR impact UK Enterprise?
By Nima Baiati Senior Director of Product Management, Absolute
On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into force. The aim of the GDPR is to have one set of rules applicable throughout the EU, and to ensure that a consistent level of protection is implemented across all data-processing activities.
The changes to existing data protection rules are not revolutionary; the key principles, concepts and themes of the current data protection regime remain in place. The current EU data protection rules are a reflection of their time in technological terms. They came into force in 1995, when the internet was still in its infancy and only about 1% of Europeans used it. Things have changed significantly, and there are three very material differences in the new data world:
- a significant increase in the amount of personal data held by organisations;
- the number and frequency of serious data security breaches;
- the majority of breaches now occur outside of the office environment.
As such, the new regulation certainly builds on what is already there, but it does include many new requirements.
Data protection regulations define how an individual’s personal information can be used by organisations, businesses, or a government. The misuse of an individual’s data can have serious long-term consequences, and regulations exist to ensure data is not susceptible to attack, misuse, or misappropriation.
Who is affected by GDPR?
Anyone in the EU who controls data and/or undertakes data processing falls under the GDPR, including the healthcare sector. Organisations based outside the EU are also affected where they offer goods or services to, or monitor the behaviour of, individuals in the EU. Brexit, even though pending, will have limited impact on the implementation of the GDPR as it pertains to the data of people in the EU, and the regulation protects data subjects regardless of nationality. So, for example, a French person living in the UK and working for a UK company (or indeed a US company) is covered by the regulation.
Data controllers and processors have extended responsibilities and obligations under the GDPR. Controllers will have to put in place technical and organisational measures to ensure, and be able to demonstrate, that their processing of personal data fully complies with GDPR requirements; how data protection policies are actually implemented, not merely written, is what will be scrutinised. Processors will now have to maintain records of all of their processing activities, ready for disclosure in order to show compliance. In addition, processing on behalf of a controller must be set out in a contract or other "legal act" that meets the criteria laid down in the GDPR.
UK businesses will therefore have to take a more holistic approach to data management. Done properly, knowing where sensitive data is and where it flows at all times should offset much of the increased workload.
A higher protection standard for BYOD
The upshot is that UK businesses will have to run their data-processing operations in accordance with the new regulation. Organisations will have to be more careful with personal data and more exact in knowing where it is stored and how it is being processed. This is especially relevant where BYOD is concerned.
A number of UK businesses have a BYOD policy, and whilst BYOD may lead to greater productivity, we also know that BYOD can lead to serious data breaches. If an employee's tablet containing the details of 100,000 customers goes missing, it could lead to very heavy sanctions if the organisation is unable to remotely disable and/or wipe the device. Remote data and device security software can prevent an errant (former) employee from stealing or losing valuable company data. Encrypting data at rest on such devices matters as well: under the GDPR, affected individuals need not be notified of a breach where the lost data was rendered unintelligible to anyone who obtains it, for example through encryption, so a lost-but-encrypted device is a far smaller incident than a lost-and-readable one.
Mandatory breach disclosure and fines
One of the most important changes under the GDPR is mandatory data breach reporting. A breach must be reported to the data protection regulator within 72 hours of the organisation becoming aware of it (unless it is unlikely to result in a risk to individuals), and where the breach is likely to result in a high risk to those affected, they must also be informed without undue delay. It will be necessary therefore to put in place clear, practical and effective procedures that can be acted upon immediately; this should be at the top of the GDPR compliance checklist. It cannot be emphasised enough how important it will be to undertake training and fire drills, so that the 72-hour clock does not start running before anyone knows how to respond.
A key driver behind better compliance with the GDPR is the stricter sanctions. For some infringements, a maximum fine of four percent of global annual turnover, or €20 million, whichever is higher, can be imposed. A good example of how this will impact UK organisations is the TalkTalk breach of 2015: TalkTalk was recently fined £400,000 by the ICO, and the author's view is that a comparable fine under the GDPR could run to many millions of pounds.
The GDPR go-live date may seem far away, but companies shouldn't rest on their laurels. Important actions, like putting proper policies in place, need to happen now. With proper planning the GDPR needn't be scary, but companies should start that planning sooner rather than later.