There’s a major change coming to the way businesses carry out their data responsibilities. At the Vendorcom Conference this week many of the speakers and discussions focused on the way that GDPR, the General Data Protection Regulation from the EU, intends to strengthen data protection across the collection, processing, storage, retention and deletion of personal data within the EU: the whole lifecycle of the data.
Think of the number of businesses that hold individual data: accountants, doctors, solicitors, supermarkets, retailers, the government, local authorities, the Police, membership-related businesses, businesses that take bank details for direct debits, schools, and you see the size of the problem.
The new legislation forces all businesses that store and process customer data to have robust processes and procedures in place to protect that data. Businesses have a legal responsibility for protecting the data and MUST report any breaches of it; if they don’t, they could be fined up to 4% of their global turnover to a maximum of 20m Euros per breach.
A recent study by IBM showed that a typical data breach costs a company around £5m per breach, taking into account the impact of the breach, loss of business, costs of remediation, and designing and building new processes to improve protection.
Implementing the new rules properly is a costly exercise and the main elements of the data protection plan will need to cover:
- Designing processes and implementing systems to protect data
- Training of staff to follow procedures and recognize a breach
- Designing processes to report, investigate and remediate the breach
- Arranging insurance in the event of a breach
- For many organizations, employing a Data Protection Officer (DPO)
The UK government has already enacted the legislation: as it was an EU Regulation it became part of UK law on the 24th May 2016, and organisations have a grace period of 2 years to get ready, until the 25th of May 2018, at which time all businesses will be subject to the requirements of GDPR. The government has said that Brexit will not stop the implementation taking place.
The new legislation has triggered an interest in cyber-insurance, but the amounts involved will make it difficult for any business to put in place adequate cover.
The ICO, the Information Commissioner’s Office that will oversee the working of GDPR, will need to expand its workforce considerably to be able to cope, and the big question is where these people are coming from. Added to the requirement for the appointment of a Data Protection Officer, the demand for security-related staff will be enormous; the problem is they don’t exist, and this is such a specialist area. Brendan Byrne, an information security consultant and GDPR specialist, said that as there is little awareness of the change, universities and schools are not addressing the subject, and therefore staffing will be an issue.
Richard Jones of Foregenix says that security breaches are an inevitability, but the trick is to know about them; that is what will count in any investigation by the ICO. Compliance is the big issue when it comes to valuing the costs of a breach to an organization. He foresees a big rise in outsourcing as businesses realize the size of the problem and the workload and expertise needed to protect data. Richard offered a checklist that every business needs to follow:
- Prepare stakeholders for the new legislation
- Get buy-in at the highest levels of the organization
- Carry out a gap analysis to see what’s in place and where the holes are
- Put in place a plan managed by the head of the business
- Upgrade to plug gaps and improve systems
- Put in place an incident reporting process
- Consider cyber-insurance
Businesses are already busy with changes in legislation; banks are dealing with PSD2, SEPA and the new Payment Systems Regulator requirements, amongst others. Legislation has been the biggest cause of business spend in recent years; with little or no resources available and pressure to deliver stakeholder returns, the challenge to business is very strong.
If your business doesn’t know what GDPR is and how it is affected by it, you’re already too late and in danger.
For more information about GDPR and other financial services issues, engage with Vendorcom.