On 25 May the one-year countdown clock started ticking to the biggest shake-up of Europe’s data protection laws in a generation: the General Data Protection Regulation (GDPR). Yet despite the best efforts of UK privacy watchdog the Information Commissioner’s Office (ICO), the European Commission and other key stakeholders, it appears as if many organizations are still dragging their heels over compliance. A new Freedom of Information (FOI) request has revealed that a staggering 82% of local councils in the UK have yet to allocate budget to the task.
To avoid punitive fines and negative publicity, organizations need to start planning now, and make cybersecurity central to their strategy.
The FOI findings back up similar research revealed by the ICO back in March. It found that a quarter of UK councils still hadn’t hired a Data Protection Officer (DPO), one of the key requirements of the GDPR which could result in a fine of 2% of global annual turnover or €10m (£8.9m) for non-compliance. It also found that a third (34%) of councils haven’t conducted privacy impact assessments (PIAs) – another key stipulation – and 18% aren’t training employees in data protection best practices.
It’s not just the public sector that has apparently been slow to move on GDPR compliance. Professional IT network Spiceworks recently polled over 770 IT pros across Europe and found that, although UK organizations are in general better prepared for the GDPR, only 40% have started compliance efforts, versus 28% in the rest of the EU and just 5% in the US. More concerning still, less than half of respondents in the UK (43%) and in the rest of Europe (36%) were said to be informed about the potential business impact of the sweeping new regulation.
Time to plan
So what exactly will the impact be? The GDPR is extremely broad in scope and ambitious in scale. It will affect every organization established in the EU, and any organization outside it that processes the personal data of individuals in the EU. The key guiding aims behind it are laudable: to make Europe’s data protection laws fit for the digital age, offering new privacy rights for consumers and some onerous new obligations for organizations in the process.
Aside from the appointment of a DPO, there are two main aspects that will stand out from a data protection perspective:
- Organizations suffering a personal data breach will be mandated to notify the relevant supervisory authority within 72 hours of becoming aware of it
- Maximum fines of 4% of global annual turnover or €20 million (£17.7m), whichever is higher, can be levied for severe infractions
It’s not difficult to see why the GDPR should serve as a wake-up call to organizations to ensure their cybersecurity controls are fit-for-purpose. The stakes have been raised significantly in terms of the potential financial impact of a breach, whilst the GDPR also ensures that there’s no longer anywhere to hide for firms looking to sweep incidents under the carpet.
The bottom line is, firms must ensure they are following cybersecurity industry best practices. They must do so not only to avoid a damaging breach – which the mandatory notification requirements make far harder to keep quiet – but also to demonstrate to regulators that they did everything in their power to protect customer data.
How do I comply?
The problem for compliance officers and IT security chiefs is that the regulation is far from explicit in terms of naming the tools and technologies organizations need to put in place. In fact, this is probably a deliberate attempt to future-proof the GDPR as far as possible. However, the regulation does state that data should be processed so that it “ensures appropriate security of the personal data, using appropriate technical and organizational measures”, taking into account “the state of the art and the costs of implementation”.
So, what exactly constitutes “appropriate”? Certainly industry best practices, including the requirements set out in standards like ISO 27001 and even the government’s Cyber Essentials scheme, could help IT leaders map out which elements to include. The National Cyber Security Centre (NCSC) has also issued a handy 10 Steps to Cyber Security guide.
The following might be useful to consider when drawing up your GDPR compliance strategy:
- Establish, and thoroughly test, a comprehensive breach/incident response plan – one that can get an accurate notification to the supervisory authority inside the 72-hour window
- Tighten access controls; enforce multi-factor authentication and a “least privilege” access policy
- Continuously monitor all systems to spot unusual behavior indicative of a breach
- Ensure all systems and software are patched and up-to-date
- Regularly back up data, and keep those backups secure
- Ensure all layers of your infrastructure are protected, including: next-generation network firewalls; physical and cloud servers; and email and web gateways
- Encrypt sensitive customer data with strong, well-reviewed algorithms, both at rest and in transit
- Educate all end users comprehensively, including how to spot phishing attacks
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.