Ben Jepson, director at global cyber security and risk mitigation specialist NCC Group, talks to Finance Monthly about the upcoming General Data Protection Regulation, offering advice on how the financial sector needs to prepare in order to comply before the regulation applies from 25 May 2018.
If you’re a business in the European Union (EU) you currently have to adhere to the EU Data Protection Directive (95/46/EC). Broadly, it governs the processing of individuals’ personal data and it was adopted in 1995. Given how technology has evolved since then, it’s not surprising that it’s due a refresh.
That’s exactly what the EU has done: in two years’ time the new EU General Data Protection Regulation (GDPR) will apply. The GDPR not only updates the previous directive, it also introduces new obligations that all organisations established in the EU (and those outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU) will need to meet to avoid the large fines it introduces. The implications of these changes are something that all company executives need to be aware of.
Here is a snapshot of the key changes:
Mandatory Data Protection Officers
Public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive (special category) data, must appoint a Data Protection Officer (DPO) to advise on and monitor the organisation’s compliance with the regulation.
Mandatory breach notification
A personal data breach must be reported to the relevant supervisory authority (the ICO in the UK; the Data Protection Commissioner in Ireland) within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, they must also be told without undue delay. The 72-hour clock makes tested detection and incident response procedures a compliance requirement rather than just good practice.
Notification & Consent
Where consent is relied on as the lawful basis for processing personal data (it is one of several bases), it must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action; silence, pre-ticked boxes or inactivity do not count. Data subjects must be told the purpose of the processing in plain, easy-to-understand language.
‘Right to be forgotten’
A clear, defined and executable process to locate and delete all personal data held about a specific person, in whatever form and system it is stored (including backups and copies passed to third-party processors), must be in place to honour the person’s ‘right to be forgotten’ (right to erasure). The right is not absolute: data that must be kept to meet a legal obligation, for example financial record-keeping rules, can be retained, but the organisation must be able to show why.
Data protection by design
All new systems, products and initiatives must build the protection of personal and sensitive information in from the outset (for example by minimising the data collected and pseudonymising it), rather than bolting it on afterwards.
Penalties for infringements of up to 4% of worldwide annual turnover or €20 million (£16 million), whichever is greater, are being introduced as part of a two-tier fine system; the lower tier is capped at 2% of turnover or €10 million.
With these changes coming into force in just two years, there are plenty of steps businesses should be taking now to prepare. Although a two-year lead-in period before the GDPR is enforced may sound like a long time, thought and effort are required now to ultimately ease the pain further down the road.
The number of changes means that a lot of preparation is necessary. If we were to distill this down to six measures, we’d recommend the following:
Ensure you are following the current requirements of the Data Protection Act 1998. These eight principles provide a framework for keeping personal and sensitive information secure while ensuring it is handled appropriately. If you are fully compliant with these current requirements you are already part of the way towards GDPR compliance as well.
Understand what the GDPR will change and how the changes will affect you. Certain areas of every business may be greatly affected by the new controls. For example, marketing departments will likely need to change their current processes and methods of customer contact. With the stricter standard for consent (an affirmative opt-in; pre-ticked boxes and consent inferred from silence will no longer do), these departments can expect to see a significant reduction in the number of customers who agree to be contacted once the GDPR comes into force.
Reassess the security of data processing. There will no doubt be an increased focus on the security of data processing. Although the GDPR does not prescribe specific controls, it requires security measures appropriate to the risk and names several that organisations should consider: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data quickly after an incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures. A scoped penetration testing programme and rehearsed backup-restore exercises are the practical evidence that the last two are being taken seriously.
Obtain senior, board-level buy-in. Change will only ever happen if it is driven from the top. With so many new requirements likely to involve significant investment of time and money by the organisation, having a top-level sponsor who understands what changes are coming and why is crucial for overall success.
Review internal skills and resources to ensure that the changes required over the next two years can be, and are, implemented by employees with the relevant abilities and authority. This may require recruitment (especially of a Data Protection Officer if you do not already have one) and even the appointment of a project manager to map out and deliver compliance within the set timescales.
Training and awareness are another area where organisations will need to dedicate time and resources, so that all employees understand their responsibilities as well as the changes that the GDPR will bring. Awareness now will help to ensure that new processes and procedures are fully embedded by the time the GDPR applies in 2018. Arguably the most important of these six measures is senior, board-level buy-in, as this will ensure the issue is given the time and resources it deserves. With significant fines now in the offing, compliance with the GDPR, and an associated cyber security strategy focused on resilience, becomes something that board members should understand and take ownership of.