The General Data Protection Regulation (GDPR) from the EU has been the focus of many discussions recently. The aim of GDPR is to strengthen data protection across the collection, processing, storage, retention and deletion of personal data, that is, across the whole life-cycle of the data, within the EU.
It’s an important issue when you consider the number of businesses which hold personal data.
All businesses that store and process customer data must now have robust processes and procedures in place to protect that data. For years, businesses have had a legal responsibility for protecting the data, but never more so than now. They must report any breaches of the data, and if they don’t they could be fined up to 4% of their global turnover. This is to a maximum of 20m Euros per breach.
If you don’t think it will affect you, it might be worth telling you that a study by IBM showed that a typical data breach costs a company around £5m per breach. This includes not only the fine, but also the impact of the breach, loss of business, the costs of remediation, and the cost of designing and building new processes to improve protection.
It isn’t a cheap option to implement the new rules, but it’s a necessity and will need to cover the following:
- Designing processes to report, investigate and remediate the breach
- Arranging insurance in the event of a breach
- Designing processes and implementing systems to protect data
- Training of staff to follow procedures and recognise a breach
The UK government has already enacted the legislation. As it was an EU Regulation, it became part of UK law on the 24th May 2016, and organisations have a grace period of 2 years to get ready by the 25th of May 2018, at which time all businesses will be subject to the requirements of GDPR. The government has said that Brexit will not stop the implementation taking place.
A number of businesses are trying to cover this with cyber-insurance, but it’s not always cost-effective, as the premiums needed to put adequate cover in place are very high.
The Information Commissioner’s Office, which will oversee the working of GDPR, will need to expand its workforce to cope. This needs to be a massive expansion considering the work involved. There is also the question of whether enough people with the right skills exist for such a niche area.
Businesses are likely to outsource for help, as plenty of resources will be needed to comply and to keep any breaches under control.
Businesses will need to:
- Put in place a plan managed by the head of the business
- Upgrade to plug gaps and improve systems
- Put in place an incident reporting process
- Consider cyber-insurance
- Prepare stakeholders for the new legislation
- Get buy-in at the highest levels of the organisation
- Carry out a gap analysis to see what’s in place and where the holes are
Businesses are already busy with changes in legislation; banks are dealing with PSD2, SEPA and the new Payment Systems Regulator requirements, amongst others. Legislation has been one of the biggest causes of business spend in recent years. With little or no spare resources available, and pressure to provide stakeholder returns, the challenge to business is very strong.
If your business doesn’t know what GDPR is and how it is affected by it, you’re already too late and in danger.