General Data Protection Regulations: Effects on EU businesses

May 16, 2017

On May 3, Dublin hosted the Data Sec 2017 conference against the backdrop of the EU’s upcoming General Data Protection Regulation (GDPR). The conference highlighted concerns that Irish businesses won’t be prepared before the regulation takes effect. After all, the GDPR does not merely require organisations to avoid doing harm to individuals in terms of the personal data they collect and process; it also requires proactive action on the part of organisations, particularly in terms of accountability and transparency. In other words, companies that slack on data protection are getting a kick up the backside.

The GDPR will come into effect in 2018 and will force companies to provide greater insight into what data they collect and how that data is used in the event of a breach. The coming of the GDPR has many businesses, and not just in Ireland, concerned that they will be unable to meet the requirements of the coming legislation. According to a Veritas Technologies survey released last month, a large majority of global companies are worried that failure to comply with the GDPR will hurt their business (or put them out of business entirely). Companies that fall foul of the regulations leave themselves open to fines of up to 4% of their global revenue with a limit of €20 million. Of the survey respondents (900 US, European and American executives), 18 percent said the penalties for non-compliance could put them out of business. The GDPR raises a lot of questions about how companies use data, and how they safeguard it in times of need.

In practice, staff on the ground in European companies will need to have good reasons for collecting data alongside a designated data protection officer to supervise data collection. In other words, the GDPR will drag companies by the scruff of the neck to compile well-defined cybersecurity procedures. On many levels this will be a great improvement. For individuals with data stored within these companies the news is refreshing, as cavalier attitudes towards user data breaches will not be tolerated.

However, for busy departments, the problem of having to identify and locate relevant data breaches within 30 days is a living nightmare. Many companies don’t have a clue how to locate a considerable amount of data in their systems, and this will be a major problem with implementing the GDPR. Companies will need to learn to navigate their systems in new ways. Indeed, many companies don’t have the facility to be able to ‘fetch’ data easily. In addition, it’s worth noting that both data holders and processors will be subject to this legislation. This means that cloud service providers won’t be able to escape charges if they don’t get to work.

Preparing for the GDPR

Now that we’ve established that the GDPR has the potential to make handling customer data an absolute nightmare, what can businesses do to get a head start? Well, for the savvy company, the GDPR is an opportunity to present itself as a company ahead of the cybersecurity game. Businesses across Europe have the opportunity to showcase their virtues as infallible bastions of customer data. Rather than worrying about being tarnished for not keeping customer data safe, it makes more sense to keep data safe in the first place! To do that, it’s vital to have a well-defined cybersecurity policy.

So how do businesses achieve this? The answer is to get to work on actively managing your data security before you even think about your data strategy itself. Implement password requirements for your systems and ensure all your employees are informed about the guidelines. Next, keep your software updated. It’s no good having a firewall you last updated in 2004 and expecting it to keep you protected. Set regular automatic updates and encourage your employees to stay vigilant. That will make you well placed to deal with any phishing scams. Just remember: WannaCry has wreaked havoc across the global Internet precisely because people don’t know what not to click on.

It’s a good idea to implement a secure file transfer system to keep customer details, such as credit card information, well protected. A secure file transfer system can encrypt the data so that you can restrict access. Ultimately, if you aren’t making data security an active pursuit, then you’re leaving yourself open to problems. The GDPR may increase your obligations as an organisation, but leaving the door open to data theft is hardly desirable! Cut the excuses and get involved in bolstering your systems and your business processes against cyber theft, unless you want a reputation for being cavalier about customer privacy.