James Walker, security expert at Trend Micro, looks at how the EU is set to change the regulations governing what businesses can do with their data.
Events over the past couple of years, in particular the Snowden revelations, have had a huge influence on how we think about privacy and our personal data. In line with this, the European Union is set to dramatically change the regulations which govern what businesses can do with our data and what rights we have to protect it.
There’s no question this regulation will have an impact on almost every business in the UK, but recently research revealed that only half of UK organisations were even aware it was happening (this compared with 87 per cent awareness in Germany).
In March the European Parliament voted overwhelmingly in favour of introducing the EU General Data Protection Regulation. While there are a number of legislative rivers still to be navigated before it becomes law, we can now say with some certainty that it’s coming, and it’s coming soon. It will cover any company that processes data belonging to a European citizen, regardless of where it’s based. No organisation is exempt, though smaller companies (less than 250 employees) will not necessarily have to comply with some of the tougher requirements, like appointing a data officer.
With all that in mind, I wanted to pull together five steps that every business should be doing right now to ensure that the transition to compliancy is as pain-free as possible. There are many places to find out further information on the regulations, and I advise you to do as much background reading as you can. Hopefully these thoughts are helpful starting point:
1) Where is it
Hopefully this won’t be too hard to answer, but then again you might be surprised. And it’s important to remember that this is not only digital data. Any data, be it customer, employee or partner data that can be personally identifiable will be covered – regardless of whether it’s stored in a manila envelope or massive server. Find out where documents are stored in the company. Is the storage manageable, secure, insured, easily accessible and well understood?
2) Who can access it
Another set of vital questions: Who’s accessing this data? How are they accessing it and should they be accessing it at all? Are they educated as to the dangers of misusing data? This is also a good time to introduce the concept of a data officer.
Most companies with over 250 employees will be obliged to appoint a data officer who will be in charge of managing all of these issues and ensuring compliance. However, regardless of whether it’s their sole job or not, every organisation should have someone who is responsible for its data policies. Traditionally this has been an IT team function, but surprisingly that’s probably no longer the case. The person in this position should have a good basic technical grounding, but what’s even more important is that they are educated in the legal, procedural and financial implications of managing data.
3) Chain reaction
It’s not nice to think about, but your organisation should decide ahead of time exactly how it will react if there is a breach. Who is responsible for contacting the authorities, and which bodies need to be informed? Do we even know how to contact the Information Commissioners Office? If the breach is significant enough, who within the organisation will be dealing with press enquiries? How will the news be communicated with customers? And, of course, what is being done to repair the breach and protect the company against further breaches? It’s never going to happen to you until it does. Don’t be the guys that weren’t prepared.
4) Protection
Ultimately with the best intentions in the world, mistakes get made. There are also plenty of bad guys out there who would more than happily steal your valuable data. So you’ll need to look at the protection technology available, such as:
· Data leak protection solutions that can identify key words and regular expressions like Credit card number, National Insurance numbers etc. in sensitive documents to stop them being sent out
· Encryption technologies so if data is sent out it is still protected
· Advanced threat technology to stop or identify quickly when your network has been breached and stop them thieves stealing you sensitive data
It’s also worth looking at some sort of liability insurance to help cover you against damages that may occur.
5) Education
Sanctions for breaching the rules are significant: the fines could go up to 5 per cent of a non-compliant business’s global turnover, or €100 million, whichever is greater. With those kind of numbers in play, it’s crucial that the whole organisation is aware of the challenges of data privacy. It’s now a board issue. This isn’t some boring techy issue like what mouse shall we get. The whole suite of senior decision makers need to understand the importance of the issue and empower staff to act on it. This might be the toughest task of all.
Honestly though, most of this is all just common sense. If you ask yourself one simple question you shouldn’t go too far wrong: if this was my data would I be happy with how it’s being handled.
There is also a fine line to be tiptoed along. Information is vital to everything we do – locking it away and applying overly strict rules on how to access it will stifle your business. However, I believe that there is a middle ground where we can take advantage of the significant opportunities presented by the big data movement, while at the same time respecting and protecting all of our personal data.