For those who have been living in a cave and missed all the talk of the European GDPR (General Data Protection Regulation) over the past few years, this new regulation caused quite a stir in the lead-up to its launch on May 25th 2018. Promising record fines for non-compliance of up to €20 million or 4% of the offending company’s global revenue, whichever is higher, this was the data protection regulation to end all data protection regulations. Many non-European businesses mistakenly believed that they were exempt from the regulation and the fines associated with it, but a steady education campaign across many different media outlets soon changed that opinion.
A toothless wonder?
While many businesses took affirmative action and ensured that they were compliant with the GDPR, a number took the stance of “let’s sit back and see what happens”. I heard a number of people describe GDPR as being like the Millennium Bug, saying that it’ll come and go without any real change – like the famous line from T.S. Eliot’s The Hollow Men: “not with a bang, but a whimper.”
Is that actually the case, though? Looking at recent reports of high-profile data breaches, it certainly seems that companies are taking the threat of the fines seriously, if nothing else. Article 33 of the GDPR states that data breaches involving personal data must be reported within 72 hours. In 2017, Equifax detected a breach at the end of July but did not announce it until early September. That was fast compared to Yahoo, which disclosed breaches that had occurred in 2013 and 2014 only in 2016, but compare both with the much more recent breach at British Airways: the attack began on August 21st, was stopped on September 5th, and was announced in under 24 hours. At a recent London cyber conference, James Dipple-Johnstone from the ICO revealed that they are being swamped with calls from companies reporting breaches – around 500 calls a week! The breach notification aspect of GDPR is being taken seriously by businesses, but apparently many of the reports are incomplete, because the people making them are not authorised by their general counsel to give more details.
It’s all about the money, money, money
In 2011 Jessie J may have sung that it’s not about the money, money, money, but in 2018, it very much is all about the money. The fines that the GDPR threatens should be enough to make any company director blanch with fear, but have we seen any huge fines for non-compliance yet? So far, it doesn’t appear that many have been issued, and certainly none in the millions of Euros range.
Each region has a regulator that is responsible for issuing these fines, and in the UK it’s the Information Commissioner’s Office (ICO). They have a page on their site that lists the enforcement action they are taking. It makes for interesting reading, with companies fined for illegally collecting and selling personal information, making nuisance calls, and sending nuisance emails. The fines range from £60,000 to £140,000 – a sizeable amount, but possibly not enough to deter firms from these practices.
A storm’s a-brewin’
With Brexit on the horizon, an additional challenge is added into the mix. Should Britain leave the EU in a “no deal Brexit”, companies that transfer sensitive data between the UK and countries in the European Economic Area (EEA) could find themselves in something of a pickle. A substantial part of the GDPR covers data transfer: it restricts the transfer of personal data outside the EEA unless specific measures (known as standard contractual clauses, or SCCs) or adequacy decisions (effectively an approval by both sides of the data protection measures in place) exist for the destination country. The UK will become a “third country” (as the GDPR refers to non-EEA countries), which could slow down or prevent some companies from operating properly.
It’s too early to tell if British Airways will be fined for the recent breach, but one thing is for sure – enterprises around the world are taking GDPR seriously, and taking action appropriately. The threat of the fine is a deterrent, but perhaps more so is the worry of reputational damage. As every industry becomes more and more competitive, companies have to protect their reputation to ensure that their customers don’t leave them and damage the bottom line. It’s never too early to start thinking about where and how you’re storing and securing your (and more importantly, your customers’) data – whether you’re using public cloud, private cloud, in-house servers or cardboard boxes filled with bits of paper.
If you’re storing or processing personal data for residents of the EU, then you need to be aware of the GDPR and certain that you’re complying with it. Just as it’s never too late to discover just how well orange marmalade works under cheese on toast (if it’s good enough for Martha Stewart…), it’s never too late to begin working towards GDPR compliance (but possibly slightly less fun and definitely not as tasty).
Many websites contain useful information to help a business get started. It’s important to note, though, that there is no magic wand to “fix” GDPR for you. GDPR isn’t a technological solution; it requires changes to working practices, policies and company culture, with some technology to help. It’s also not something that can be done once and then forgotten about – your GDPR compliance should be treated the same as any other regulatory legislation that you must comply with. It’s an ongoing process, which will need regular care and attention (like growing and caring for a plant).
Ensure that you know where your data is stored, and then compare that to where it should be stored; likewise, compare who can access it with who should be accessing it. Check your backups and any test and dev environments – are you transmitting data for backup/recovery, or to test your code, outside of your primary data centre? How is your infrastructure secured? You may find that your own private cloud is the right solution for you – something that you can locate in the geographic region of your choice and fully customise for security and access controls, as well as size and power. Make sure that you have a plan in place for when (no longer if) you suffer a breach: know which local regulator needs to be notified, be certain that whoever will be reporting breaches to the regulator is able to give a full report, and ensure that your staff are all aware of their responsibilities under GDPR. This is by no means a complete list of how to get your business in good shape for GDPR, but it is a good starting point. If you are really unsure where to start, then try to find a consultant who can help you, but beware of those selling snake oil and promising quick fixes or results.