With the impending EU General Data Protection Regulation (GDPR) on the horizon, are you aware of the impact this will have on your current data management policies, processes and systems? For many businesses the realistic answer to this question is “I don’t know” and for most it will be “no”. No matter what industry you are in, if you handle other people’s data you are responsible for keeping it safe and bound by law to comply with data protection regulations.
This applies to data whilst it flows between departments, moves across different systems, is passed between individuals, transitions onto new platforms or programs, is handed to a third party – the list is endless. Claiming ignorance – especially once data has left the confines of the office “walls” – is no excuse. Those who underestimate the challenge of getting their data management systems and policies ready by the 2017 deadline could find themselves in severe financial and reputational hot water. As it stands, the maximum fine from the Information Commissioner’s Office for breaching the legislation is £500,000. The current plans for the EU GDPR state that fines can be 2% of global revenue, capped at €100 million. However, the FCA, which regulates the financial industry, has no cap on the fines it can issue. Companies that suffer data breaches will also be liable to compensate those affected, and will face a significant loss of business because information about the fines will be made public.
The desire for business intelligence:
For most organisations, a single unified data model is the ultimate dream, from which to unlock value and better serve and retain customers. Being able to analyse data and turn insight into action has delivered untold benefits to companies. At the same time, the regulations which determine how the data can be used have been tightened up to better protect consumers, creating a management headache for companies. This is turning the dream into a very real nightmare as companies look to implement changes in what is often a very complex IT environment.
The extent of the challenge ahead:
These new reforms represent the EU’s first major overhaul of data protection legislation for over 15 years, during which time significant advances have been made in the way companies use data and the technology they have in place to store, transfer and interrogate it. As a result, the updated reforms will include key changes to the way in which personal data can now be used and stored. This will have a significant impact upon organisational policies and processes, with the need to move towards a ‘Privacy by Design’ ideal.
Companies will be expected to not only have these updated processes in place, but for them to be documented and available on demand, with staff being fully aware of the changes and implications. Almost half of the organisations across Europe are yet to realise the full extent of the changes. This includes the time, effort and cost involved in implementation, which could result in devastating financial and reputational consequences.
Often, personal customer data collected by organisations is used and transferred in ways in which the customer and owner of the data may not even realise. To tighten up the movement of sensitive data, “anonymisation” will form a key part of the new regulations.
Worryingly, many organisations currently use personal data replicated from their production systems during IT system testing. The risks this brings are enormous, as test environments usually have limited security and are open to a wider array of employees and third-party vendors. If personal data is copied from production and inadequately anonymised, anyone with access could potentially download data that could be used for identity fraud. A key aspect of the new regulations is that businesses will be required to anonymise data used within this process. This will significantly decrease the risk of a data breach in the testing environment and, in turn, enhance the security of a customer’s entrusted personal information.
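The anonymisation step described above, as an added example that is not part of the original post: a constructed production extract (customers plus orders that reference them) is turned into a test copy whose identifiers are keyed pseudonyms, so joins between tables still work while names, e-mails and full dates of birth do not leave production. The secret key is assumed to stay in production and never be deployed alongside the test data.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed sample of a production extract (not real data).
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com", "dob": "1984-03-17"},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@example.org", "dob": "1990-11-02"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": 42.50},
    {"order_id": 2, "customer_id": 1002, "amount": 13.00},
    {"order_id": 3, "customer_id": 1001, "amount": 99.99},
]


def pseudonym(secret: bytes, value) -> str:
    """Keyed, deterministic token: the same input always maps to the same token,
    so referential integrity survives, but without the secret (which is assumed
    to stay in production) the token cannot be mapped back to the real ID."""
    return hmac.new(secret, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def anonymise_extract(secret: bytes, customers: List[dict], orders: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Return test-safe copies of both tables with consistent pseudonymous keys."""
    out_customers = []
    for c in customers:
        tok = pseudonym(secret, c["customer_id"])
        out_customers.append({
            "customer_id": tok,
            "name": "Customer " + tok[:6],       # synthetic, non-identifying name
            "email": tok + "@test.invalid",      # reserved .invalid TLD: never deliverable
            "dob": c["dob"][:4] + "-01-01",      # generalise date of birth to the year
        })
    out_orders = [dict(o, customer_id=pseudonym(secret, o["customer_id"])) for o in orders]
    return out_customers, out_orders


def leaks_identifiers(anonymised: List[dict], original: List[dict]) -> bool:
    """Post-check: no original name or e-mail may survive in the test copy."""
    originals = {c["name"] for c in original} | {c["email"] for c in original}
    return any(c["name"] in originals or c["email"] in originals for c in anonymised)


def orders_per_customer(customers: List[dict], orders: List[dict]) -> Dict[str, int]:
    """Join check: every order must still resolve to exactly one customer."""
    counts = {c["customer_id"]: 0 for c in customers}
    for o in orders:
        counts[o["customer_id"]] += 1  # a KeyError here would mean a broken join
    return counts
```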
The consequences of non-compliance:
When considering the implementation of these regulations, it is vital that companies make changes to data governance and policies now, implementing ‘Privacy by Design’, in order to meet the two-year timeline coming into effect at the end of 2015. To put the cost of non-compliance into perspective, a recent study found that the cost to an organisation responsible for a data breach has increased each year since 2007. Today each compromised record costs an average of £104. When considering the bigger picture, this equates to a significant average cost of £2.37 million per year[1].
We are also seeing people affected by data misuse claiming compensation from companies, with a current case looking at a minimum settlement of £250 per person. In the USA, health data breach statistics alone paint a very grim picture, with the top five breaches in 2015 so far impacting 99.3 million individuals.
To avoid such consequences, action needs to be taken now. This will ensure businesses are doing the right thing by their data, whilst avoiding the unwelcome wrath of the ICO or the FCA. These two organisations are currently policing the regulation and ensuring businesses keep their data beast under full control.
To help overcome the challenges of overhauling data management systems, there are three key areas which organisations need to address ahead of the new regulations:
- Consider a robust data policy from the very beginning
Firstly, echoing the ICO’s key recommendations, nothing can beat having ‘Privacy by Design’, a robust data policy and a data governance process in place from the outset. This cost-effective method of considering privacy and data compliance from the very start no doubt helps reduce time spent on inaccurately managing data. Best-practice methods such as Privacy Impact Assessments can highlight risk and help to identify sensitive data.
- Digitise and anonymise for streamlined data management
With the digitisation of systems, a single view of the customer and a unified data model have become increasingly difficult to achieve and are the biggest issues facing organisations today. The new data protection regulations will add another layer of complexity to how data is accessed and used.
Ultimately, the lack of a single view of data and of how it is configured will leave organisations with limited visibility of where their data is being accessed, copied, backed up or transferred. With the upcoming regulations, this will have to change, and industry experts are on hand to walk organisations through the arduous but vital process of legalising data. A key focus area of the regulation is the use of data within test environments, ensuring that all data contained therein is anonymised. This is a mammoth task given the levels of system integration and end-to-end processing required to ensure system accuracy and stability. Choosing the right tools to manage and anonymise or synthesise data for your business is paramount.
- Invest upfront to avoid fines and derive true business benefit
Without the correct IT, policies, processes and governance in place to ensure data quality and compliance, not only could organisations be exposed to hefty fines but they could also be missing out on key business benefits.
The cottage industry of people extracting, reformatting and standardising data behind the scenes is staggering and often a hidden cost of poor data management practices. A recent assessment highlighted that a large retail organisation could save in excess of £600,000 per month simply by standardising its data model across its integrated supplier, product management, distribution and reporting systems. With an upfront investment of £630,000, savings of up to £7.2 million per year could be a reality.
Building a strong framework for data from the beginning is the ideal. The reality is that the majority of organisations are fettered by a complex, somewhat historical IT estate. They are faced with having to alter policy, processes and systems to achieve compliance. Making upfront investment now is key. Bringing experts on board to make sure data is correctly mapped, stored and used will ensure an adequate opportunity to adhere to the regulations. This will prevent unnecessary fines and ultimately boost data performance for the benefit of the business.
Cindy Truyens, Managing Director, at SQS
The SQS Group (SQS) is the world’s leading specialist in software quality. This position stems from over 30 years of successful consultancy operations. SQS consultants provide solutions for all aspects of quality throughout the whole software product lifecycle, driven by a standardised methodology, high offshore automation processes and deep domain knowledge in various industries. Headquartered in Cologne, Germany, the company employs approximately 4,000 staff. SQS has offices in Germany, the UK, Australia, Austria, Belgium, Egypt, Finland, France, India, Ireland, Malaysia, the Netherlands, Norway, Singapore, South Africa, Sweden, Switzerland, the US and the United Arab Emirates. In addition, SQS maintains a minority stake in a company in Portugal. In 2013, SQS generated revenues of 225.8 million Euros. SQS is the first German company to have a primary listing on the AIM (Alternative Investment Market) in London. In addition, SQS shares are also traded on the German Stock Exchange in Frankfurt am Main.
With over 7,000 completed projects under its belt, SQS has a strong client base, including half of the DAX 30, nearly a third of the STOXX 50 and 20 per cent of the FTSE 100 companies. These include, among others, Allianz, Beazley, BP, Centrica, Commerzbank, Daimler, Deutsche Post, Generali, JP Morgan, Meteor, Reuters, UBS and Volkswagen, as well as other companies from the six key industries of SQS.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.