EU Regulation: time to act on corporate data protection
The recent spate of data breaches and security threats that continue to make global news headlines serves as a constant reminder of the need to improve monitoring and protection of corporate data.
But if European businesses thought things were challenging now, then the impending changes to the EU Data Protection legislation for protecting personally identifiable information (PII) for all EU citizens – which will impose stricter fines on companies that suffer data breaches – will simply amplify that.
The reality is that many businesses don’t even know they are losing data, never mind which data is being lost. And, with heavier fines likely to be inflicted on companies that suffer data breaches when EU Member States agree on the new regulations, there has never been a more pressing time for businesses to get their security controls in order.
The good news for businesses that need more time to do this is that agreement on the EU Regulation proposal is likely to be delayed until later this year or next and isn’t likely to kick in until 2017. However, companies shouldn’t make the mistake of seeing this extra time as an opportunity to put the project on hold until it gets closer to the deadline, as existing legislation still requires businesses to protect PII. The truth of the matter is that this is a strategic process that requires time to get it right.
What the EU Regulation means
The new EU Regulation will place stronger restrictions on companies’ data protection policies and systems. For starters, as it is a Regulation it becomes law in each EU Member State once it is passed and will replace the current Directive that has been in place since 1995. The Regulation will further empower the Information Commissioner’s Office (ICO), with the EU’s backing, to tell companies they must take action on data protection.
The European Parliament has approved the proposed legislation, and the proposal is now in the hands of the EU Council to finalise and agree. The proposal will provide EU-wide regulations for data controllers and processors. In addition, it will create a central EU authority that provides a single set of rules for all EU Member States, as opposed to the current setup whereby each country deals with it itself. In the case of the UK, it will supersede the current UK Data Protection Act (DPA).
The current EU Directive and UK DPA are widely considered to have limited effect, with it being reported that organisations are often happy to take the fines for suffering a data breach rather than spending the significant time, resources and funding on implementing a data protection security programme or devising major strategy shifts. Indeed, at a recent financial services roundtable, a number of security professionals reported that their boards do not currently feel the ICO has the power to come after them, and they are more than willing to accept the risk and even the maximum £500,000 penalty.
This leniency will change dramatically if and when the EU Regulation comes into play. Under the new proposal, any data controller must notify the ICO within 72 hours of becoming aware that they have suffered a data breach. They could incur fines of up to five percent of their annual worldwide turnover or €100 million if they are found to have been negligent in protecting their data, not to mention the impact the disclosure will have on their brand across the EU.
However, this legislation isn’t simply about fining organisations and it isn’t going to result in fines being issued overnight. It’s about encouraging organisations to become better at detecting breaches and helping security professionals be better informed to advise the boardroom of the effects of the legislation. They need to know what’s being proposed so they can improve data protection and better manage or potentially increase their security budget spend with the ultimate aim of better protecting EU citizens’ data.
Businesses are not prepared
Independent global research suggests that businesses are nowhere near prepared for the new regulations to come into place. Four fifths of the 5,000 IT security professionals surveyed said they believe their executives do not link data breaches to financial loss, a position that will have to shift swiftly. In fact, Ponemon Institute data estimates that the average cost per lost or stolen record due to a data breach is $188, while the average cost of an organisational data breach is $5.4 million – figures that will only increase with the introduction of the new regulations.
Less than half of the IT security professionals surveyed felt they had a good understanding of the threat landscape facing their company. Worryingly, only a third of respondents that had suffered data breaches (35%) knew exactly what data had been stolen from them. It is therefore clear that business security is deficient, security intelligence is worryingly low and user education levels need improvement.
Organisations that are investing heavily in monitoring, processing and managing their networks have no excuse for not protecting their data. They need to learn to spend their security budget more appropriately, moving away from infrastructure-only security to a modern and more successful risk-based, data-centric strategy.
Time for change
The greater threats facing companies that fall foul of the law make it even more of a necessity that every individual within an organisation is fully aware of the risk. Security professionals need to build a culture within their companies whereby employees constantly consider the privacy risks that surround every process they take.
The ICO is advising businesses to be prepared and start planning their approach to dealing with data breaches now, which is absolutely vital as the process doesn’t happen overnight. Security teams must start realigning their strategies to ensure that they are prepared to answer any questions about the regulation changes as and when they come from board level. Failing to be prepared and ready is a sure-fire way of alienating the board while putting the business at risk of not only suffering data breaches but also incurring damaging financial losses.
The rise of the DPO
The Data Protection Officer (DPO), for those organisations that have one, will have a vital role to play when the new legislation comes into force. They are fully responsible for ensuring that their organisation is aware of and complies with the legislation.
All too often the DPO sits on the legal team and may be unwilling to get involved or engage with the information security team. They now need to be fully aware of the technology that is being used to protect data and become part of the general security education within the organisation. To assist them in this mammoth task, they will need to define and delegate to information owners, who will act as data protection representatives across each business unit.
The onus is now firmly on security professionals to ensure their organisations have robust data protection policies in place and that all staff are aware of the risks they could expose their company to. The impending changes to the law will up the ante, making it imperative that businesses start planning for the future now to ensure they are better prepared against the ever-increasing number of cyber-attacks they face and don’t leave themselves vulnerable to the stricter new regulations.
The proposed EU Regulation allows for a two-year preparation period purely for the purpose of helping companies get better at detecting data breaches, so there is no excuse for companies that are not getting started on this immediately. To get the ball rolling, greater education on data protection for all employees, in addition to developing rigid data protection policies, is absolutely imperative over the next two years.