The European General Data Protection Regulation: Time to Get Serious About Data Security
By Raimund Genes, Global CTO at Trend Micro
The European court’s rejection of the 15-year-old ‘Safe Harbour’ agreement last month should have been a wake-up call to UK businesses. By taking away the longstanding safeguards governing data transfers between the EU and US, it should have forced British firms to look closely at their contracts with American cloud service providers and what data security controls they have in place. The new Safe Harbour is still some months away from being agreed. But there’s a potentially even bigger piece of regulatory change coming down the road and gathering speed all the time: the European General Data Protection Regulation (GDPR).
It’s time UK firms started getting serious about making sure their house is in order for this major change in European law.
A bit of background
The details of the GDPR are still being finalised, but it is safe to say that the main changes we are likely to see will leave no place to hide for firms which do not take their data security seriously. It is particularly important that firms which store data in the cloud realise that they cannot simply hand over responsibility to their third-party provider: under the regulation the data controller remains accountable for the personal data it entrusts to a processor.
Here are the main points as they stand:
- Fines: penalties of up to 5% of worldwide annual turnover or up to €100 million (whichever is greater) for contravening the GDPR
- Breach notification: firms suffering a data breach will be forced to notify the supervisory authority within 24-72 hours (the exact deadline is one of the details still being negotiated)
- Privacy impact assessments: mandated for any new service or process your firm wants to launch which may affect personal data
- Privacy by Design: requires all business processes be designed with data protection in mind
- Customer consent: must be obtained by any firm via opt-in from customers for the collection and use of their data
- Right to erasure: firms must erase an individual's personal data, and links to it, when that data is no longer accurate or the individual's circumstances have changed such that there is no longer a basis for holding it
With severe penalties for non-compliance and a raft of onerous new obligations, the regulation will force firms to take a best practice approach to data handling and security. Here are a few steps to get you there:
Data governance: know where all your data is and ensure that it can legally be held there
Data Security: re-evaluate security policies. Invest in a provider who can offer, at a bare minimum, encryption of data in the cloud, advanced anti-malware, IDS/IPS, virtual patching and DLP. Check who holds the encryption keys: encryption managed entirely by the provider does little to limit what the provider itself, or an attacker who compromises it, can read
CSPs: due diligence before choosing your cloud provider is more essential than ever. Ensure you know where their data security responsibilities stop and yours begin, and get that split written into the contract. Consider partnering with providers that run an EU datacentre
Data Protection Officers: appointing an independent, dedicated role to oversee all matters relating to data protection would help hold both the IT department and the board to account and spearhead efforts to improve data handling and security
Trend Micro and international law firm Hogan Lovells will be discussing the impact of the European General Data Protection Regulation at an upcoming webinar hosted by Computer Business Review (CBR). Speakers:
- Conor Ward, Consultant at Hogan Lovells and Chair of the Cloud Industry Forum's Legal Forum
- James Walker, UKI Enterprise Security Consultant at Trend Micro
The webinar "How the upcoming EU Data Protection Regulation is forcing businesses to change" will discuss the regulation in its current form, what the upcoming changes mean for UK businesses and what you can best do to prepare. If you are in any doubt about the EU GDPR and its implications, this is a must-join event.