Print.IT Spring/Summer 2016 - page 22

COMPLIANCE
essential need for organisations to prepare a breach notification plan in the event that something does actually go wrong. If you’re already clear on what type of personal data you manage (categorisation) and where it is (data flows), then this process will be somewhat easier. However, it’s worth being clear on who will co-ordinate the customer communication, the media response and the remedial activity – and make sure you rehearse this so you are practiced in the actual event; look on it as a data breach fire drill.
The benchmark for what organisations should do when they suffer a data loss or breach is set high by consumers; 92% of those surveyed expect to be notified and told exactly what information has been lost or stolen. Many consumers would also expect a public apology, as well as compensation (both 57%).
If consumers are demanding to know what personal information has been compromised in a data breach, organisations will need to classify their data assets. Worryingly, only 30.7% have done this for all their data types and one in five are resistant to the idea, with 11.4% saying they wouldn’t do it and 9.7% saying they would only do it if required to do so by law.
One of the best forms of data protection is to ensure all parts of the organisation involved in using personal data are included equally in data governance processes. This ensures all functions operate to a common standard, which is vital in the event of a data breach. It is also important for organisations to try and spot trends in data problems that occur rather than recording issues separately. Otherwise there is a risk that each incident will be seen as unique, rather than having common root causes that can be rectified to solve the entire issue.
Finally, it is vital that organisations implement an engaging staff training programme to ensure all employees are aware of the valuable asset they are dealing with and understand the need to manage data securely. Data security is an important component of building consumer trust and confidence. All organisations should respect the personal data they have in their possession and treat it like their very own – otherwise the new ‘privacy aware’ consumer may decide to take it elsewhere…
...continued
Industry Reaction
Pat Clawson, CEO, Blancco Technology Group:

“The countdown to 25 May 2018 has begun and many organisations have a considerable amount of work ahead of them to align their IT governance and data protection programs with both regulatory and customer demands. Negotiations stretched out over the last four years but now that the EU GDPR is a reality there will be many having to scramble to get their act together and prepare for these stringent new data protection rules.

“My advice to them would be to start planning now and to treat the Regulation as a starting point rather than the finishing post. Going the extra mile to show you value your customers’ data simply makes good business sense. But when that trust is eroded, we’re talking about more than just immediate losses; we’re talking about a long-term impact on sales, reputational damage that can be really tough to recapture and even employee turnover.

“The legislation affects every organisation that offers services inside the EU and with potential fines of up to 4% of global turnover this may well be the shot in the arm we need to firmly establish the protection of corporate and customer data as an issue that is regularly evaluated in the boardroom.”

To help businesses prepare for the EU GDPR, Blancco Technology Group has created a 12 step action plan for compliance, which can be downloaded from .
Nigel Hawthorn, European spokesperson, Skyhigh Networks:

“While the fines are highly significant, there are other aspects of the ruling that businesses must take notice of, for instance the potential for collective redress. If businesses are challenged by data subjects over the misuse of information, it may no longer be a 1 vs 1 fight. We are already witnessing some high profile class action lawsuit cases make their way through the courts, such as Google vs Vidal-Hall, and businesses should understand that the GDPR specifically enables such cases.

“There’s also a chance that individual countries may bring the deadline forward. France, for example, has published the new ‘Digital Republic Bill’, which was agreed by the National Assembly in January. If accepted by the Senate, it could come into effect by the end of this year. It contains many of the same clauses as GDPR, meaning companies operating within France will have to be compliant with the full regulation well before 2018. Any of the other 27 states could take similar action, so businesses may not have quite as much time as they think.

“Encryption may be the ‘get out of jail free’ card that businesses are looking for. GDPR calls out the technology as a way to mitigate data risks, so businesses should waste little time in investigating how it can be applied to their data.”

Nigel Hawthorn has produced an action guide for IT departments seeking to comply with GDPR. The European Union GDPR: An Action Guide for IT can be downloaded from .
Louise Bulman, Vice President & General Manager EMEA, Vormetric:

“With the ever increasing list of high profile data breaches, coupled with multiple uneven local data protection regulations in Europe, it comes as positive news that a single EU-wide regulation, the GDPR, has finally been approved. Cyber criminals are not unique to any specific country so EU collaboration on combatting the problem is essential.

“These new regulations are bound to have a significant impact. After all, potential fines of up to 4% of global turnover for non-compliance will hit many unsuspecting organisations hard. For this reason, businesses will need to start taking steps to ensure watertight compliance immediately, including investment in security technologies, such as transparent encryption with access control.

“Understandably, updating their IT infrastructure in this way will prove challenging for some and there are a number of things to consider first, including financial and time constraints. With only two years to achieve compliance, businesses must ensure they have a thorough understanding of what the new laws mean to them, and what measures must be put in place.

“Time is ticking away and the sooner companies start implementing adequate security measures and data encryption, the sooner customers’ minds can be put at rest, knowing that the necessary precautions are being taken to keep their personal information out of the wrong hands.”