More and more businesses are paying attention to the responsible use of data. But few are aware that the regulatory landscape is on the brink of substantial change
In the last few years, consumer anxieties about data have reached something of a fever pitch. Not only has the mass surveillance of the NSA and GCHQ raised questions about the amount of data consumers give away but reports of high-profile data breaches – such as the hyperbolic claims earlier this month that 1.2 billion account details had been half-inched – seem to be coming in thick and fast. In light of this, it’s becoming clear our attitudes towards data security need to change and, in recognition of this concern, the EU has formulated its newest piece of legislature: the General Data Protection Regulation.
Certainly it is time that the regulations were reformed. The previous EU Data Protection Directive was adopted in 1995, a period when it could have scarcely been anticipated how fiercely contested a battleground consumer data would become. Moreover, as a directive, it was non-binding, meaning that member states could act on their obligations in wildly different ways. The UK’s Data Protection Act 1998 was just one of many national laws across the continent, making a unified approach difficult for regulators and businesses alike. “Trying to balance local, federal and EU laws can be challenging,” says Mark Nunnikhoven, vice president of cloud and emerging technologies at Trend Micro, the security software provider. “Having one law for the EU simplifies the situation for organisations who have to adhere to that legislation.”
But the new regulation isn’t just about simplifying things for businesses. “It’s what customers are demanding,” says Nunnikhoven. He makes reference to a recent survey Trend Micro conducted of 850 senior IT decision-makers across the continent that found 37% had seen demands from customers about more transparency in the manner in which their data is handled. With increasing attention being paid to what firms are doing with consumer data, it’s hardly surprising that customers are holding the businesses they interact with to a higher level of scrutiny. “Privacy is important to the citizens in the EU,” Nunnikhoven continues. “This legislation reflects that.”
Despite there being some very pressing reasons for reforming the current regulations, you would be forgiven for being entirely unaware that changes are in the offing. “There is an alarming lack of understanding about the new regulations,” Nunnikhoven says. Trend Micro’s research into the matter revealed that, while 65% of senior IT figures in France, 73% in Poland and 87% in Germany knew changes were coming, startlingly few British IT professionals had any idea. “Only half of the respondents in the UK were even aware of the new regulations.”
The General Data Protection Regulation certainly represents some rather stark changes. Not only will it unify law across the EU in a manner that’s legally binding but it brings in some striking changes to the way Europe approaches consumer data. First is the much-discussed “right to be forgotten” legislation. “This new right means that a citizen can request their data to be deleted unless there is a legitimate reason for preserving it,” Nunnikhoven explains. “There are going to be some hiccups in the implementation – which we’re already seeing – but overall this is a win for the citizens of the EU.”
More broadly, the regulation increases the need for enterprises to seriously consider the data they are retaining, keeping firm tabs on what they hold and how they protect it. “That’s an important aspect of data protection that up until now has been mostly neglected,” says Nunnikhoven. “In order to implement the right to be forgotten, a business has to be aware of what data they have on you. That awareness leads to better protection.”
However, the EU’s proposals don’t hinge on the assumption that all businesses are just going to adopt the measures purely for the benefit of their customers. There is plenty of proverbial stick to the regulations. “The fines have been set very high,” Nunnikhoven says. While there is to be a degree of flexibility to allow regulators to apply their judgement and some extenuating circumstances will be considered, to ensure the big boys like Facebook and Google will play ball there have to be levies that make compliance cheaper than ignoring the regulation. “With fines of up to 5% of global revenue or €100m, we’re talking significant penalties,” he explains.
Given the regulations stipulate that enterprises will need to notify regulators and customers of a data breach within a timescale as short as 24 hours, clearly businesses of all sizes will have to step up their game in how they track and manage data. Placing someone in charge of data concerns will likely be the first step. “Most organisations will have to appoint a data officer to lead the charge internally and handle communications externally,” Nunnikhoven explains.
This individual won’t just need to manage breaches when they occur but will also ensure their enterprise is managing data in a manner that keeps a closer eye on where data ends up. Currently the dominant attitude is comparatively laissez faire but this is something that will need to change. “Given the low cost of copying information, it tends to spread quickly within a network,” says Nunnikhoven. “In order to be fully compliant, organisations are going to have to exert tighter control on how and where they handle this type of data.”
Given the EU is only now putting the finishing touches to the regulation and the fact that it is unlikely to come into effect until 2016, it might be tempting for businesses to assume the General Data Protection Regulation is a distant consideration. But given the scope of the regulation and the work involved, “there’s a lot to be done to fully comply with the new regulations,” Nunnikhoven says. “The sooner you get started the better.”
He recommends starting with the basics and viewing the systems, processes and attitudes that exist around the handling of data within your enterprise. Then it’s important to start thinking about the life cycle of data within your business. “When does data enter your organisation?” he asks. “Where is it stored? How does it move through your business processes? Who has access to it? How do you retire the data when you no longer need it for your current business needs?”
Asking these kinds of questions will give an enterprise a real head-start on finding its biggest weaknesses and giving it a significant advantage in dealing with the changing data climate. “Not only will you end up complying with the new data protection regulation but you’ll also have a better awareness of your business,” Nunnikhoven concludes. “That awareness can lead to more efficient handling of data in general and that can give you a leg up, no matter what type of business you’re in.”