Next Thursday 25th May will mark exactly a year until the EU General Data Protection Regulation (EU GDPR) comes into force.
- What types of personal data will the European General Data Protection Regulation (EU GDPR) law protect?
The EU GDPR covers any type of personally identifiable information (PII), such as banking information, health records and government identity records. But it also includes any data that can be tied back to a data subject such as geo-location data from a cell phone, home address or data from a medical device.
- The GDPR’s notification requirements are modeled loosely after US breach notification laws – what are the significant differences between each?
The biggest difference is the shortened 72-hour time frame for breach notification. But as we found in our recent “Data Protection, Prioritizing Regulations & Guidelines” study, this is going to be a major challenge for most organizations. Our study found that 16 percent of businesses take between one and six months to detect a security threat and 5 percent only detect a threat when notified by external parties. If it takes organizations such a long period of time to detect threats, it’s not likely they’ll be able to meet the EU GDPR’s 72 hour breach notification requirement. On top of that, the breach of any data, not just financial is enough to incur the notification requirements.
- To what extent do you think organizations in the UK are ready for GDPR?
Most organizations, no matter what country they are located in, are aware of the EU GDPR. Everyone is talking about the law, its requirements, its hefty fines and the implications for non-compliance. But talking about it isn’t the same thing as being prepared for it. And based on our own surveys and anecdotal evidence, I’d say that less than 20 percent of UK companies are truly prepared to comply with EU GDPR. These are businesses that already handle data of German and French citizens, which both have strict data protection laws already.
- What are the consequences of not complying with GDPR when it comes into force?
On day one of when the law goes into effect (May 25, 2018), a company can be held liable and subject to the fines, which are not specifically enforced for breaches, but for being out of compliance with the various requirements, including failure to appoint a DPO, failure to adhere to the ‘right to be forgotten,’ failure to notify the Supervisory Authorities of a data breach within 72 hours, to name a few.
- Are businesses in the UK wrong to think they won’t have to comply with GDPR because of Brexit?
A lot of UK businesses have been using Brexit as an excuse to do nothing. I would say Brexit has made some UK organizations slower to act – and implement the necessary people, processes and technology to protect their data across every stage of its lifecycle – and that could cause them serious problems down the line. But that’s a big mistake – we know that the UK has confirmed it will adopt the EU GDPR as its data protection standard, even after Brexit has been completed.
- Just how much of an effort – in both time and resources – will large organizations have to invest to comply with GDPR?
Large organizations will have to invest millions of dollars to ensure compliance with the EU GDPR. The investment will include recruiting, hiring and training personnel, starting with the appointment of a Data Protection Officer, as well as spending time, resources and money on implementing new technologies and processes, new End User License Agreements that state the purpose for data collection, new security practices around data protection and the proper management of data throughout its lifecycle. There won’t be a magic bullet to ensure compliance – companies will have to put in the work and work at it on an ongoing basis.
- Will complying with GDPR make businesses more secure?
There’s no question in my mind that complying with EU GDPR will make businesses more secure. The core of all security is data protection. Doing a better of job protecting data throughout its lifecycle will enhance any organization’s overall security posture. And the EU GDPR’s requirements cover a multitude of areas, rather than just one single area, making organizations that comply that much stronger and less vulnerable to security threats, data loss, data breaches, and regulatory fines.
- How will GDPR influence the way organizations approach cyber security?
I believe organizations will take an approach that is more data centric and less about putting out fires on a daily basis. In other words, organizations will move away from their traditionally ‘reactive’ mentality, where it’s about fixing the problem after it has already occurred. EU GDPR will make organizations raise the bar on their own security practices, make them more increase their visibility and monitoring of data management practices, and ultimately, strengthen their overall security posture.
- How do you think GDPR will impact the cybersecurity landscape?
EU GDPR is going to have a significant impact on the cybersecurity landscape. Spending will increase dramatically as budgets are allocated to compliance. Network, endpoint and data security measures will be deployed where they have always been needed, but they’ll also be deployed where they’ve been lacking because a financial calculation based on risk alone did not justify it. One such area will be data erasure – the permanent and verifiable removal of data when the EU GDPR’s “right to be forgotten’ requirement demands it. In addition, there will be an impact on the managed security services industry as they roll out services around data security – and data erasure, in particular – and GDPR compliance.
- What kinds of fines and penalties are enforced for those US enterprises that don’t comply with these regulations? Do these fines and penalties change depending on location?
U.S. businesses will be negatively affected if they ignore the consent, privacy and data minimization elements of the EU GDPR. American companies are subject to the same fines as EU-based entities: 4% of their annual turnover or €20 million, whichever is greater. Obviously, jurisdiction matters and organizations with no EU presence are going to be much harder to prosecute.
Organizations could choose to treat Americans’ and Europeans’ data in different ways, but that would mean purchasing specific storage systems for EU customers and putting different policies and enforcement structures in place to achieve two separate compliance goals. American companies, and all companies for that matter, should take the EU GDPR seriously and start the process as soon as possible to implement the necessary technologies, processes and people (i.e. the Data Protection Officer, as required by the law) to ensure they are ready to comply with the law once it goes into effect on May 25, 2018.