IT Security Guru

Data Privacy Day: Q & A on DP legislation

by The Gurus
January 28, 2016
in This Week's Gurus

Today is Data Privacy Day. Guy Bunker, SVP products at Clearswift, joined us for a Q&A.
How will the EU Data Regulations affect businesses?
There have always been regulations, this is just an update, however it is a very important update as the level of fines has substantially increased and is now based upon global turnover. For most organisations, 4% of global turnover (or 100M EUR) would substantially impact their business and could result in it going out of business.
The new regulations also require a new role, the Data Protection Officer (DPO). Depending on the size of the company and the number of personal records held, organisations will either have to have their own DPO or to share one with another organisation.
The reach of the legislation goes further than before, not just any company which has EU citizen data – no matter where they are located in the world, but also across data processors and the supply chain.
Privacy has increased in importance, and ‘the right to be forgotten’ is often seen as not being applicable to most companies, when it actually is.
How ready are businesses for the impending regulations? 
Most businesses are unaware of the details for the new regulations – and as such are unaware as to how prepared (or not) they are. There are 12 key points that organisations need to be aware of, these should be examined and a plan put in place to address each. There is a need for prioritisation to ensure that the items are tackled in an order which is best suited to the business.
What can businesses do to make sure they are ready? 
The legislation is around critical information – understanding the organisation's critical information, especially that which is covered by the legislation, is essential. Where is this information, how is it stored, who has access, how is it protected? When this data has been uncovered, there is then the need to map where it is touched by the legislation and then how best to protect it, or ensure it is compliant. For example, the right to be forgotten can apply to comments posted by people onto a website – understanding that this information is collected, and there is a requirement to be able to delete it, is very important.
What punishments can businesses expect if they don’t comply with the regulations?
Big fines. Headline grabbing amounts could be dished out, however as this is a percentage of global revenue and applies to 4% of global revenue. This is a move away from a fixed maximum fine which varied by territory. Of course the fine is only a part of the impact from a legislative breach, reputational damage as well as increased fees from increased auditing will also have a major impact.
Is there anything in the regulations that you believe is unattainable for businesses?
Everything is attainable, however the costs might be prohibitive for some items. Employing a DPO is an obvious cost, but even items like ‘right to be forgotten’ have a cost impact – how long (and who) will remove the requested information? This is why understanding the information (what, where, who etc.) is so important; without that, the cost to comply with the legislation will be significantly more than necessary.
Is there anything that you believe the EU is not being firm enough on?
For cyber-attacks there is a need to share information in order to mitigate their impact on other organisations, the EU should be driving towards both a standard to sharing cyber-attack information as well as an efficient way to disperse this information. This could be done by size of company or by sector. 
The other area is promoting/communicating the new regulations and what they *actually* mean for business – across the whole of the EU. This should go to consumers as well as businesses so everyone knows what the EU is doing to protect its citizens’ data.
Will the regulations encourage businesses to take cyber security more seriously?
It will be the potential of a massive fine which will ‘encourage’ businesses to take cyber security seriously. Regulations have been around for many years, so for the larger organisations it will be a case of improving what they have. For those smaller / medium sized organisations, the new regulations may prove to be a surprise.
Will the regulation affect businesses' views on the upcoming UK EU referendum?
No. The regulations will come into effect for any business which does business in the EU… so for most businesses it will have an impact whether we are in or out of the EU ourselves. If the UK was outside the EU, then it would require a similar legislation to keep the UK citizens’ data safe. This would either be like the EU (and the new legislation) or like the US…
