However, from next year, companies need to comply with a completely new framework for data protection, when the European Union’s new General Data Protection Regulation (GDPR) comes into force on 25 May 2018.
The GDPR replaces the Data Protection Directive 95/46/EC and is aimed at supporting the single market, equalising data privacy laws across the EU, and protecting European citizens' data privacy. It is also designed to improve the way businesses approach data privacy for EU citizens anywhere in the world. In other words, companies have to comply, both in the run-up to and after Brexit.
So what exactly will change and how can firms prepare for GDPR?
The biggest change and challenge will be “a baseline requirement for data governance,” Florian Douetteau, the head of New York-based data science firm Dataiku, tells Professional Engineering. “Businesses will have to start thinking about where data is stored, who has access, and how those people access it. This is quite a big change – most companies have been collecting data for some time and have stored data on various systems and in various places without much process or policy for managing its use.”
For engineering specifically, it’s crucial to remember that one very important new component of GDPR is the concept of privacy by design, he adds. It means that any service or process using data has to take data protection into account from the very beginning. “The business has to be able to show that when designing new systems, security is a priority and compliance is closely monitored,” says Douetteau. “In the engineering sector, this is particularly relevant when talking about data from Internet of Things connected devices. With more and more new IoT use cases coming up, the GDPR privacy by design provision will start to come into play quickly.”
There will also be the changes that give data subjects not only the right to be forgotten, but also to access their data and know what it’s being used for. Besides knowing what data is stored where and being able to retrieve it, businesses will need to have processes in place to deal with these data subject requests in a timely fashion, adds Douetteau.
Ready or not
With only a few months to go, not everyone is ready for the upcoming changes, though. According to a survey by Ipswitch, a software developer for businesses, many companies do not have a Data Protection Officer in place, or don’t even know they need one – but they really do. A recent report by consulting firm Gartner predicts that even by the end of next year, more than half of firms affected by the GDPR will not be fully compliant with its requirements.
New regulations are ever more important now in light of the recent WannaCry ransomware attack, which crippled multiple organisations around the world. Businesses must reassess their security strategies as soon as they can, including endpoint security, to be compliant and avoid hefty fines when GDPR kicks in, says Richard Henderson, global security strategist at Absolute.
“With stricter notification windows and greater levels of data accountability, organisations must have a complete understanding of how they collect data, where it’s stored and how it’s managed in order to remain compliant,” he says. “The stakes are without doubt getting higher – you need only to look at the recent WannaCry attack, where lives and not just the financial and reputational state of a company is at risk, to recognise the need for a more coordinated management of data.” Right now, companies that breach data protection rules face relatively small fines. “Take the Talk Talk breach, for example,” says Henderson. “The company was fined just £400,000. However, under EU GDPR this could be nearly 200 times this amount.”
Douetteau agrees, stressing that the penalties for non-compliance of GDPR are massive – up to 4% of annual global turnover or €20 million, whichever is greater. However, he says, when one considers the cost of making the changes in order to comply, big businesses are likely to have a harder time, because they are generally less agile and have much more complex data systems and workflows.
Beyond Europe
GDPR forces another significant change: firms will have to have complete visibility into their endpoint assets at all times, to identify suspicious activity and take action, he says. Companies need to maintain a constant connection, and have the ability to remotely control data stored on endpoint devices to stop them becoming the gateway to a damaging breach, and subsequently protecting themselves from the repercussions of lax security.”
It's not just Europe that will be affected. Despite originating in the EU, the new rules will affect many data controllers and processors outside Europe, says Bart Willemsen, research director at Gartner. “Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data,” he says.
So how should you prepare for the upcoming regulations?
The first thing, says Douetteau, is to start developing a strategy that revolves around data projects. Contained data projects make long-term GDPR compliance manageable for several reasons:
- In terms of data protection, they keep access clearly controlled with only team members working on a particular project able to see relevant data.
- They help manage data subject requests. If you can easily see what data is contained in a project and what transformations are being done on that data, these requests will be infinitely easier to manage.
- Finally, with the requirement of consent and purpose of data collection, leveraging data projects allows for a white-box approach and ensures compliance – so that it’s clear what data is being used where and for what purpose.
There is another important element when it comes to preparing for GDPR, and that’s data lineage, says Douetteau. “Pieces of data are copied many times over, so being able to trace a particular piece of data through its lifecycle is critical, especially when it comes to compliance with data subject requests – particularly the right to be forgotten,” he says. “Businesses will have to start thinking more end-to-end and putting systems in place that show, visually, how data is being transformed from ingestion to final data product. This represents a major shift because teams that normally were working completely separately will have to start working together, collaborating in and working from the same central place.”
Gartner also stresses that it’s imperative to track all cross-border data flows. Data transfers to any of the 28 EU member states are still allowed, as well as to Norway, Liechtenstein and Iceland – but Brexit may change things. Transfers to the 11 non-EU countries which the European Commission considers having an "adequate" level of protection (Andorra, Argentina, Canada (for commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay) are also possible.
But outside of these areas the situation changes – and companies will have to use safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses. Outside of the EU, businesses processing personal data on EU residents will have to choose the correct approach to ensure compliance with GDPR, argues Gartner.
Being cyber-aware
No matter how well prepared for a potential cyber-attack you are, there is still a chance that hackers will sneak their way in. “Companies are no longer judged when this happens; instead they are judged on what they know about the breach and how fast they respond,” says Ross Brewer, vice president of LogRhythm, a security intelligence and analytics firm. “This will be exacerbated even more with the introduction of the short notification window. With only 72 hours to notify authorities and, in some cases those affected, companies will be under greater amounts of pressure to have full insight into the scope and scale of an attack as soon as it’s been identified.”
It will be essential for organisations to have an accurate idea of the ‘who’, ‘what’, ‘how’ and ‘how big’ within those three days, he says. Simply deploying firewalls or anti-virus software won’t be enough – businesses will need a more coordinated and efficient approach to threat detection. “Having an end-to-end threat lifecycle management processes that gives businesses the insight and full facts of a compromise from the offset will be vital, and businesses need to make sure they are adapting their strategies now so that they are fully prepared this time next year,” says Brewer.