Compliance with the New EU Data Protection Regulation

This summer sees the adoption of the General Data Protection Regulation (GDPR), the first major overhaul of EU data protection law since the 1995 Directive. Affecting every EU member state and any business that holds information about, or trades with, European businesses or individuals, the new legislation will affect almost every UK business.

Currently data protection legislation varies greatly from country to country: Germany (and, outside the EU, Switzerland) has relatively strong laws and penalties around the protection of sensitive and personal data, while other countries lag some way behind.

Fines Of Up To €20 Million

The new legislation harmonises the rules across Europe while strengthening them, ensuring that businesses take greater responsibility for the protection of personal data and increasing the fines should they fail to do so.

The IT landscape has changed drastically since the last EU data protection law, the 1995 Directive, was passed. Most people now carry mobile devices to access their corporate email and data. People work remotely from anywhere and at any time, and the traditional IT security perimeter has been eroded. This world of mobility and access to important information also comes at a time when cyber criminals are increasingly targeting companies and individuals with the aim of stealing data for financial gain. Security breaches occur daily, yet many businesses do not possess adequate or even basic security to prevent sensitive information from being stolen. This is one of the core reasons for the new legislation: to ensure that companies take greater responsibility for protecting their clients' data.

Main GDPR Points

• Applies to all organisations established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU
• Fines increased to €20 million (around £16 million) or 4% of global annual turnover, whichever is higher
• Businesses must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it
• If the affected personal data was encrypted and the key was not compromised, the individuals concerned need not be told of the breach (the supervisory authority must still be notified)
• The regulation applies from 25 May 2018 and will affect all UK businesses

So what does the new EU GDPR state?

Article 32 (numbered Article 30 in the draft text) states that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing".

In simple terms, organisations must implement and maintain security measures appropriate to the risk to the personal data they hold. Encryption is named explicitly as one such measure. Because the article also requires that level of protection to be maintained on an ongoing basis, any encryption deployment needs sound key management: data encrypted under a key that is lost is unavailable, and data encrypted under a key that is exposed alongside it is not protected at all. Point (c) covers business continuity and disaster recovery for systems holding personal data, and point (d) means the controls have to be tested regularly, for example through penetration testing and restore tests, rather than installed once and forgotten.

Article 33 (Article 31 in the draft) requires organisations to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Under Article 34 the individuals affected must also be told where the breach is likely to result in a high risk to them. Such public notifications can do serious PR and reputational damage. In recent years we have seen CEOs of major businesses paraded on TV and in the newspapers, apologising for failing to take adequate steps to protect clients' data. These apologies are often coupled with regulatory fines, which this legislation raises to €20 million (around £16 million) or 4% of global annual turnover for companies that fail to take sufficient action to protect data.

So how can you avoid having to notify the individuals affected?

Article 34(3)(a) (Article 32 in the draft) says that communication to the individuals is not required where the organisation "has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption".

In lay terms: if, at the time of the loss, the organisation had protected the data so that it was unintelligible (unreadable and useless to a third party), and it can demonstrate this to the supervisory authority, then it is not required to inform the individuals affected. The exemption is narrower than it is sometimes presented. The breach must still be reported to the supervisory authority under Article 33 unless it is unlikely to result in any risk, and "unintelligible" only holds if the keys were not also exposed: an encrypted laptop that was powered off when stolen qualifies, but a database copied by an attacker who also obtained the application's decryption key, or full-disk encryption on a server the attacker was logged into, does not. Having such measures in place is also one of the factors the supervisory authority must weigh when deciding whether to impose a fine and how large it should be.
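An added example, not from the original page or from Metaphor IT, of what "unintelligible to any person who is not authorised to access it" looks like for a stored customer record, and of why key management (the point made about Article 32 above) decides whether the Article 34 exemption applies. It uses Go's standard-library AES-256-GCM and HMAC-SHA256; the type and function names (Record, Keys, Protect, Reveal, Pseudonymise, LeaksPlaintext) and the sample record are this example's own, and it assumes the keys are kept somewhere an attacker who copies the datastore cannot reach, an HSM or KMS in practice.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Record is a constructed sample of the personal data Article 32 covers.
type Record struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

// StoredRecord is what the datastore, and every backup of it, holds.
type StoredRecord struct {
	Pseudonym  string // HMAC-SHA256 of the email, for lookup without decrypting
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over the JSON record
}

// Keys are held apart from the datastore (HSM/KMS in practice; bytes in memory here).
type Keys struct {
	Data      []byte // AES-256 data-encryption key
	Pseudonym []byte // HMAC key for pseudonymisation
}

func NewKeys() (*Keys, error) {
	k := &Keys{Data: make([]byte, 32), Pseudonym: make([]byte, 32)}
	if _, err := rand.Read(k.Data); err != nil {
		return nil, err
	}
	_, err := rand.Read(k.Pseudonym)
	return k, err
}

// Pseudonymise maps an identifier to a keyed hash: without the key it can be
// neither reversed nor confirmed by guessing, unlike a plain SHA-256.
func Pseudonymise(key []byte, id string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(id))
	return hex.EncodeToString(m.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect produces the only form in which the record is written to storage.
func Protect(k *Keys, r Record) (*StoredRecord, error) {
	plain, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(k.Data)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ps := Pseudonymise(k.Pseudonym, r.Email)
	// The pseudonym is bound as associated data, so a ciphertext cannot be
	// quietly re-attached to another subject's row.
	ct := gcm.Seal(nil, nonce, plain, []byte(ps))
	return &StoredRecord{Pseudonym: ps, Nonce: nonce, Ciphertext: ct}, nil
}

// Reveal is the only path back to plaintext; it fails without the data key.
func Reveal(k *Keys, s *StoredRecord) (Record, error) {
	var r Record
	gcm, err := newGCM(k.Data)
	if err != nil {
		return r, err
	}
	plain, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Pseudonym))
	if err != nil {
		return r, errors.New("wrong key or tampered record")
	}
	err = json.Unmarshal(plain, &r)
	return r, err
}

// LeaksPlaintext is the check an assessor runs over a database dump:
// does the stored form contain the name or email in the clear?
func LeaksPlaintext(s *StoredRecord, r Record) bool {
	blob := append([]byte(s.Pseudonym), s.Ciphertext...)
	return bytes.Contains(blob, []byte(r.Name)) || bytes.Contains(blob, []byte(r.Email))
}
```

Protect followed by Reveal with the same Keys round-trips the record; Reveal with any other Keys fails at the GCM authentication step, which is exactly the property the Article 34 exemption rests on. LeaksPlaintext is the kind of evidence worth keeping: run over a dump of the datastore it should always report false. The converse is the caveat from the paragraph above: if the same breach also exposes Keys, or the attacker reads the data through the application after it has called Reveal, the data was not unintelligible to them and the exemption does not apply.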

If an organisation fails to put such technical and organisational measures in place, the legislation allows fines of up to €20 million (around £16 million) or 4% of global annual turnover, whichever is higher.

SUMMARY

  • The new EU legislation affects all UK businesses
  • Organisations can be fined up to €20 million (around £16 million) or 4% of global annual turnover, whichever is higher, if they fail to take adequate technical and organisational measures to protect data
  • Organisations must inform the supervisory authority within 72 hours of becoming aware of a breach
  • Companies must inform the individuals affected without undue delay where the breach is likely to result in a high risk to them
  • If it can be shown that the affected data was encrypted and the key was not compromised, the individuals need not be informed (the supervisory authority still must be)

WHAT CAN YOU DO?

  • Obtain a GDPR readiness assessment with Metaphor IT
  • Meet with Metaphor IT to discuss recommendations from the assessment
  • Implement recommendations made from this assessment
  • Ensure that adequate technical and organisational measures are put in place to protect data

Contact us if you'd like to discuss the General Data Protection Regulation further before completing the assessment. We can go into more detail about the effects on UK businesses and answer any questions you have.