Christine Andrews, managing director of data governance, audit and consultancy firm DQM GRC, explains what organisations must do to comply with the EU General Data Protection Regulation due to come into force by May 25, 2018
‘Keep Calm and Carry On’ seems a fitting theme for the finally-published General Data Protection Regulation (GDPR), new European legislation designed to give individuals greater control over their personal information. Assuming, that is, that your organisation already values its customer data.
Unfortunately, for too long, some organisations have ‘presumed’ consent, worked with ‘implied’ permission, experienced data losses that have taken months to detect and report (remember Sony and Target?) and, in some cases such as TalkTalk, have been unable to properly classify which personal data has been compromised. No CEO wants to look as ill-informed as poor Dido Harding, and customers have an absolute right to expect better.
DQM GRC’s new research, carried out in association with DataIQ, shows the extent to which consumers have become both suspicious and savvy about how companies use their personal details. Awareness of data protection controls is high among consumers: 84% have seen cookies notices; 76% unsubscribe links in emails; and 74% have noticed privacy policies. Yet only half say they notice registration forms and requests for their personal data. This suggests that they overlook the starting point of how an organisation comes into possession of their personal information and subsequently makes use of it.
A significant proportion (49%) of respondents are reluctant to share details unless they trust the brand or there is a clear justification for why they should. Equally, consumers expect companies to encrypt their data and use technology that is properly monitored to prevent hacking and the consequent distress that accompanies those events. This is with good reason, as half of those surveyed have experienced some kind of personal data breach (such as a website hack, account hack or even identity theft).
The research shows that consumer expectations about how their data will be protected align with what regulators endorse: 76.8% expect encryption; 67.5% believe that firewalls should be kept up-to-date; and half think that usage will be both limited and monitored.
Whilst consumers are perfectly entitled to demand organisations take these steps to ensure their data is protected, implementing these processes may be difficult for the 18.4% of organisations that say they will need 12-24 months to make the required changes – cutting the two-year GDPR deadline quite finely.
In some respects, it’s a shame that what’s caught business people’s attention is the headline-grabbing, eye-watering fines of up to 4% of global turnover or €20m, plus the requirement to notify customers and the ICO of unencrypted data breaches. However, if this is what it takes to make companies wake up and realise it is not their data, but our data that we are entrusting to them for safe-keeping, then this is substantial progress. It should certainly help the business case.
So what can organisations do?
Firstly, organisations need to evaluate the personal data they already have, categorising it so they are clear where the personal and sensitive data resides and where other less important data sits in the company. Usually, drafting a data flow map will help businesses understand the pattern of data through the company, provide clarity on who has ‘eyes on’ the data, what skills these people have and, finally, highlight where the data ends up.
Once organisations understand just what personal data they have, they should ensure regular risk assessments are completed in order to understand the degree of threat imposed on the company when processing data. Indeed, the GDPR demands a ‘risk-based approach’ with the development of appropriate controls. In a single stroke, this should ensure that management recognises the dangers associated with the loss, misuse, theft or any other compromise of customer data.
Organisations that pass data on to third parties often assume the latter operate to high standards of data security and protection. However, this is no longer sufficient, as the GDPR states that controllers must only engage with processors who can provide ‘sufficient guarantees’. As the data owner, you must check they have effective ‘technical and organisational measures to ensure the security of the processing’.
Moreover, there is now an essential need for organisations to prepare a breach notification plan in the event that something does actually go wrong. If you’re already clear on what type of personal data you manage (categorisation) and where it is (data flows), then this process will be somewhat easier. However, it’s worth being clear on who will co-ordinate the customer communication, the media response and the remedial activity – and make sure you rehearse this so you are practised in the actual event; look on it as a data breach fire drill.
The benchmark for what organisations should do when they suffer a data loss or breach is set high by consumers; 92% of those surveyed expect to be notified and told exactly what information has been lost or stolen. Many consumers would also expect a public apology, as well as compensation (both 57%).
If consumers are demanding to know what personal information has been compromised in a data breach, organisations will need to classify their data assets. Worryingly, only 30.7% have done this for all their data types and one in five are resistant to the idea, with 11.4% saying they wouldn’t do it and 9.7% saying they would only do it if required to do so by law.
One of the best forms of data protection is to ensure all parts of the organisation involved in using personal data are included equally in data governance processes. This ensures all functions operate to a common standard, which is vital in the event of a data breach. It is also important for organisations to try and spot trends in data problems that occur rather than recording issues separately. Otherwise there is a risk that each incident will be seen as unique, rather than having common root causes that can be rectified to solve the entire issue.
Finally, it is vital that organisations implement an engaging staff training programme to ensure all employees are aware of the valuable asset they are dealing with and understand the need to manage data securely. Data security is an important component of building consumer trust and confidence. All organisations should respect the personal data they have in their possession and treat it like their very own – otherwise the new ‘privacy aware’ consumer may decide to take it elsewhere…
Pat Clawson, CEO, Blancco Technology Group:
“The countdown to 25 May 2018 has begun and many organisations have a considerable amount of work ahead of them to align their IT governance and data protection programs with both regulatory and customer demands. Negotiations stretched out over the last four years but now that the EU GDPR is a reality there will be many having to scramble to get their act together and prepare for these stringent new data protection rules.
“My advice to them would be to start planning now and to treat the Regulation as a starting point rather than the finishing post. Going the extra mile to show you value your customers’ data simply makes good business sense. But when that trust is eroded, we’re talking about more than just immediate losses; we’re talking about a long-term impact on sales, reputational damage that can be really tough to recapture and even employee turnover.
“The legislation affects every organisation that offers services inside the EU and with potential fines of up to 4% of global turnover this may well be the shot in the arm we need to firmly establish the protection of corporate and customer data as an issue that is regularly evaluated in the boardroom.”
To help businesses prepare for the EU GDPR, Blancco Technology Group has created a 12 step action plan for compliance, which can be downloaded from
Nigel Hawthorn, European spokesperson, Skyhigh Networks:
“While the fines are highly significant, there are other aspects of the ruling that businesses must take notice of, for instance the potential for collective redress. If businesses are challenged by data subjects over the misuse of information, it may no longer be a 1 vs 1 fight. We are already witnessing some high profile class action lawsuit cases make their way through the courts, such as Google vs Vidal-Hall, and businesses should understand that the GDPR specifically enables such cases.
“There’s also a chance that individual countries may bring the deadline forward. France, for example, has published the new ‘Digital Republic Bill’, which was agreed by the National Assembly in January. If accepted by the Senate, it could come into effect by the end of this year. It contains many of the same clauses as GDPR, meaning companies operating within France will have to be compliant with the full regulation well before 2018. Any of the other 27 states could take similar action, so businesses may not have quite as much time as they think.
“Encryption may be the ‘get out of jail free’ card that businesses are looking for. GDPR calls out the technology as a way to mitigate data risks, so businesses should waste little time in investigating how it can be applied to their data.”
Nigel Hawthorn has produced an action guide for IT departments seeking to comply with GDPR. The European Union GDPR: An Action Guide for IT can be downloaded from
Louise Bulman, Vice President & General Manager EMEA, Vormetric:
“With the ever increasing list of high profile data breaches, coupled with multiple uneven local data protection regulations in Europe, it comes as positive news that a single EU-wide regulation, the GDPR, has finally been approved. Cyber criminals are not unique to any specific country so EU collaboration on combatting the problem is essential.
“These new regulations are bound to have a significant impact. After all, potential fines of up to 4% of global turnover for non-compliance will hit many unsuspecting organisations hard. For this reason, businesses will need to start taking steps to ensure watertight compliance immediately, including investment in security technologies, such as transparent encryption with access control.
“Understandably, updating their IT infrastructure in this way will prove challenging for some and there are a number of things to consider first, including financial and time constraints. With only two years to achieve compliance, businesses must ensure they have a thorough understanding of what the new laws mean to them, and what measures must be put in place.
“Time is ticking away and the sooner companies start implementing adequate security measures and data encryption, the sooner customers’ minds can be put at rest, knowing that the necessary precautions are being taken to keep their personal information out of the wrong hands.”