Key stats on GDPR:
Compuware – taken from its May global survey of 400 CIOs conducted by Vanson Bourne:
- 67% of European and 88% of U.S. organisations with European customer data say they are well-briefed on GDPR; an improvement on 55% and 73% respectively when the same question was asked last year.
- On average, 38% of all respondents have comprehensive plans for GDPR compliance, leaving the majority at risk of non-compliance fines.
- The UK fell well below average, with just 19% having comprehensive plans, which marks only a marginal improvement from 18% last year.
RSA – taken from its May survey of 2,045 UK consumers (carried out by Lightspeed Research on behalf of RSA):
- Only 15 percent of respondents have heard of the EU General Data Protection Regulation, while 76 percent have heard of the UK Data Protection Act.
- More than half (53 percent) believe the fines proposed under the EU GDPR are fair (up to €20m or 4 percent of annual turnover, whichever is higher).
- 28 percent said they have chosen to boycott companies that mishandle data, using more secure alternatives instead.
Expert comments:
Dr Elizabeth Maxwell, PDP, Technical Director, EMEA at Compuware:
“With just 12 months to go, organisations across Europe are making steady progress towards GDPR compliance, but it just isn’t happening fast enough; especially here in the UK. Research recently found that less than one in five UK organisations have a detailed plan in place for how they will comply with GDPR – putting it in last place, and a long way behind the global average of 38%.
“This lack of preparation in the UK may be largely because of the initial uncertainty over the impact of Brexit on the need to comply. However, we now have clear guidance that UK organisations will need to comply, and a failure to do so could expose them to the risk of fines of up to €20 million, or 4% of their global turnover – whichever is greater.
“To prepare effectively, organisations must improve their data governance capabilities across all platforms—especially on the mainframe, since that is where the majority of customer data resides. That might seem like a burden, but as well as supporting compliance with GDPR, modernised approaches can help to reduce the man-hours needed to handle data collection and management, leaving IT teams free to concentrate on analytics and innovation; creating a win-win scenario for both organisations and their customers.”
Rashmi Knowles, Field CTO at RSA:
“When you read headline after headline of high profile data breaches, it is easy to despair and lose trust in businesses’ ability to look after our data. Things are only going to get worse once mandatory breach notification is introduced under the GDPR, as these breaches will become even more public.
“We can see some consumers are already boycotting companies that mishandle data, so this should be a real wakeup call – particularly when you add that to the potential penalties that could be imposed. Organisations can no longer see data breaches as an abstract tech or IT problem; boycotts and penalties are serious business risks and should be a board-level business issue. Make no mistake, there will be businesses that will never fully recover from such a fine, if they don’t go out of business entirely. We will all know of the EU General Data Protection Regulation then.”
Richard Porter, UK Sales Manager at Human Inference:
“GDPR has primarily been viewed as a data security challenge, but overlooking data management concerns puts organisations at risk of falling foul of the new rules. To ensure compliance, there are five key data management principles to follow. First off, make sure that all data is stored appropriately. Data cannot be stored after it has served its initial usefulness, and must be removed promptly. Next, businesses need to give all customers access to their own data. When a legitimate request is made, they must provide ready, comprehensive access to all relevant information.
“It’s also critical to be able to amend inaccurate data; this means opening up the personal data to modification by consumers. A consumer also has the right to obtain the erasure of personal data. While this is only permitted under specific grounds, when a genuine request is made organisations need to act quickly. Last, but not least, organisations need to remember that the consumer has the right to transmit any personal data to another organisation without hindrance.
“The five principles highlight a single risk. If customers’ data is fractured and inconsistent, organisations will have less unified control, without which it will be much more difficult to meet GDPR demands. The aim should be to create a single ‘Golden Record’ for each customer: a unique overview that describes the individual’s personal details and any other contextual information in an easy-to-share format. If the organisation is confident there is no potentially sensitive data out of its control, then it will not only be compliant. It will also create a single view of the customer that can support smart data management across the business.”
Danielle Jackson, Chief Information Security Officer at SecureAuth:
“GDPR is a catalyst which will change the way organisations view, store and secure their data. For CISOs and their organisations, it means a new standard for data protection and ensuring the right policies are in place to ensure compliance. With the one-year countdown starting, CISOs need to talk to their organisation about introducing transparency to what data is being collected, how it is categorised and secured, and when personal information is exposed in a breach. Now is the time for CISOs to put good practices in place. Securing the user and how the user accesses data is a good starting point. With stolen credentials being the leading cause of breaches and non-compliance with GDPR meaning a serious financial penalty, finding ways to combat that risk, reduce your threat landscape and strengthen overall security posture is essential.”
Robert Coleman, CTO UK&I at CA Technologies:
“One year from today the GDPR will come into force and any organisation, anywhere in the world, that processes EU citizens’ personal data must comply with it. Compliance will be no mean feat for anyone, no matter their size, requiring vast amounts of time and resource. The first step to getting ready in time is to create a cross-functional programme of work containing representatives from Legal, IT, HR and Business Units. This is not just an IT problem!
“The GDPR introduces a move toward privacy by design, meaning that organisations will have to build safeguards into processes, such as testing and development, from beginning to end. Over the next 12 months, organisations must become accountable for the Personally Identifiable Information (PII) they hold. They need to know where it resides, how they can secure it (at rest and in-flight) and if they have a breach, how will they know about it? Organisations must also ensure data can be encrypted in production environments, masked and anonymised for use in development and test environments; and that access is controlled to PII data using Identity Management, Privileged Access Management and Strong Authentication techniques.
“The regulatory approach taken by the EU is all “stick” and no “carrot” and the penalty provisions for not fulfilling the detailed requirements are much more punitive than the currently active legislation. It remains to be seen how hard organisations that fall foul of GDPR regulations will be hit. But we can be sure that come May 2018, few excuses will be accepted for not having robust processes, technology and organisational structures for managing and securing personal or private data in place.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.