From May 2018, companies across Europe will face a strict new regime for data protection and privacy as the General Data Protection Regulation (GDPR) comes into force. Organisations in the private and public sectors are scrambling to be ready for the new legislation and the deep changes it will mean for data protection.
The GDPR has been created as a far-reaching piece of legislation that will harmonise data protection across the 28 member states of the European Union. While GCC companies and governments might not expect European legislation to have much impact on them, the GDPR is likely to have both direct and indirect consequences for organisations worldwide.
Giampiero Nanni, Government Affairs, EMEA Symantec, said that the GDPR is not just a piece of security legislation, but rather an attempt to create and protect fundamental principles of personal data privacy rights.
"The law has been done for the benefit of the individual, to protect their privacy," he explained. "It is not legislation about security; you need security because you can't have privacy without security, but it is not about security.
"It is, therefore, legislation based on highly aspirational and ethical objectives, and aimed at respect for individuals and their rights. I don't think anyone - except for die-hard sceptics - could argue about the need for and validity of these concepts in a modern, developed, democratic and aspirational society," he added.
The GDPR is a complex law, Nanni said, and while there are already reports that a large percentage of companies will not be ready for the 25th May 2018 deadline, organisations need to take steps to ensure that they understand the legislation and are ready for it.
Because GDPR covers all personal data, it will cut across lines of business in companies and will require not just data protection policies but also new mechanisms for data discovery, reporting of breaches, interaction with the public and so on. Individuals will have the right to ask any company to reveal what data it holds on them, within 30 days, and to have that data changed or deleted if they so wish. As many as 28,000 data protection officer jobs could be created to meet the demands of GDPR, according to some estimates.
The penalties for failing to comply with GDPR are strict: companies can be fined up to 4% of their global annual turnover or 20m euros, whichever is greater, if they suffer a data breach that results in personal data being compromised. Fines will be mitigated depending on the sensitivity of the data and the steps taken to protect data and uphold privacy standards.
Fines are not the only penalty: companies that breach personal data will also be liable for compensation to the individuals affected. Nanni believes this will lead to individuals seeking compensation claims as public awareness grows.
"Ultimately, customers want to have privacy. They know their rights, they are more conscious of what can happen, they will want to exercise those rights," he said.
Organisations will also face tough time limits - as little as 72 hours - to assess any security breach and to alert the authorities to activity that could compromise personal privacy, a far stricter requirement than under existing laws.
On the whole, Nanni said that the GDPR will force a complete change among organisations in how they treat personal data.
"The legislation will completely change the way companies do business. It applies to public sector agencies in the 28 member states. It applies to companies that do business in EU member states, even if they are [based elsewhere]: airlines, tourism, healthcare, anything that targets people in the EU will be impacted."
Nanni pointed out that any organisation which does business with EU individuals will need to establish representation in the EU for GDPR. In terms of enforcement, while it is unlikely that companies will be inspected for compliance from day one, he expects that there are likely to be cases brought against large organisations that fail to comply, to make an example of them.
Although time, money and resources will obviously need to be dedicated to GDPR compliance, organisations should see the legislation as a chance to take a new stance on privacy, improve their cybersecurity readiness, and gain 'positive collateral' from the changes.
"The GDPR presents some formidable opportunities to turn a compliance and legal need into tangible business advantage," Nanni said. "If you think about the positives, the collateral benefits of GDPR, in the end, companies will have a better security posture, because they will have to do things they haven't done before. For example - if there is a data breach, the first thing that the data protection authority of the country will do is ask to see what the company has done to minimise the risk. It will be a mitigating factor, so companies will take measures that they probably wouldn't take so far."
In terms of security, organisations will need to put in place more controls, such as data loss prevention (DLP) and data encryption, to do more to protect their data. They will also need to give proper attention to their readiness to address a breach, in terms of incident planning, and to develop a better understanding of the risk attached to different types of data. Organisations will need to understand the data they hold across different organisational silos, and they will need to be able to identify an individual's data and report back to that individual within 30 days if requested, creating much greater accountability for data than before. The short window for reporting breaches means companies must have a proper assessment of their data and the associated risk in place beforehand.
This improved security posture can also help companies protect other data, such as corporate intellectual property. Better security could also enable more effective and more affordable cybersecurity insurance.
GDPR also has the potential to be an advantage for brand and reputation, Nanni said. The data protection authorities and the relevant EU working party are establishing standards by which companies can show they are compliant, and this is likely to be a good mark of quality, letting partners and customers know that a company respects data privacy.
The importance of privacy should not be underestimated, he added: a 2015 study showed that respect for data protection was the most important factor for consumers looking to establish a new relationship with a company online, ahead of the product quality and customer service that businesses believed to be most important.
The benefits to reputation are likely to be the most compelling reason for organisations outside the EU to look closely at GDPR, Nanni added.
"Cybersecurity is already a differentiator, and privacy will be a differentiator. Compliance with the regulation cannot be imposed on other states. That said, though, I still believe that a government agency will never want to find itself in a situation where it appears vulnerable - in the eyes of the EU public and tourists - to cyber-attacks. So even if they don't go through the actual full GDPR compliance implementation, they will have an interest in running a safe shop," he said.