The General Data Protection Regulation (GDPR), adopted in April 2016, entered into force in May 2016 and applies from 25 May 2018. In summary, it builds on the objectives and principles of Directive 95/46/EC to create a stronger and more coherent data protection framework in the European Union, backed by robust penalties for organisations that fail to provide suitable security controls and measures.
Wait, isn’t the UK leaving the EU?
The Information Commissioner, Elizabeth Denham, acknowledged in her ICO blog of 31 October 2016 that the UK will implement GDPR, stating: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
In February this year, Netskope-commissioned YouGov research found that only 21% of IT professionals in medium and large businesses felt sure they would comply with upcoming regulations, including GDPR. Computer Weekly reported (June 2016) alarm over roles and responsibilities, specifically who will own and drive compliance within many companies. Early research by (ISC)² “…indicates that 79% of Britain’s medium and large companies are unsure about their compliance, and many do not understand how the burden of compliance will be divided up”.
Whilst the finer details have yet to emerge, the key elements and obligations are well published, if perhaps not well known. We are now six months on from GDPR’s formal adoption by the EU’s 28 member states, and only 18 months before organisations MUST be fully compliant. This is the starting line, not the finishing line!
With a quarter of the two-year preparation period already passed, alarm bells should be ringing in corporate boardrooms. Will they wait for the first financial sanctions to be handed down before getting to grips with their obligations? They need to be aware that the most serious Article infringements carry a maximum administrative penalty of up to €20 million or 4% of global annual turnover, whichever is the higher.
Discussions with information security professionals and security vendors show a worrying lack of preparedness. The ‘caught in the headlights’ look on audience members’ faces at recent presentations shows very clearly that GDPR is not yet a topic of focus for CFOs and executive boards.
As security breaches continue, it is clear that advances in technology also create a perfect toolbox for cyber criminals to operate unimpeded. Unauthorised access remains a persistent problem for organisations attempting to protect corporate information. Within the security industry, both public and private, there is a genuine belief that it is a case of ‘when, not if’ an organisation will be breached, resulting in data loss from unauthorised access.
Whilst entities are targeted by cyber criminals, whether small-time crooks, organised gangs or state-sponsored teams, we acknowledge that accidental releases of personal data are a further and growing cause for concern. Whether this is because of a lack of awareness among staff, a failure to invest in data protection controls, or both, is a debatable point. Our view is that without appropriate measures the theft or compromise of personal data will continue unabated.
Our worries intensify as the lack of momentum, perhaps indifference, continues. We envisage a last-gasp race to the May 2018 deadline that not all runners and riders will reach: there are likely to be too few data protection and security specialists to assist organisations in becoming compliant. GDPR is coming, and so are significant financial sanctions!