The EU’s General Data Protection Regulation (GDPR) is now just five months from coming into force. It offers challenges for companies and organisations, and opportunities for professionals. The EU-wide rules take effect from 25th May 2018 and cover any company or organisation holding data on EU citizens, wherever it is based. GDPR seeks to tighten up and modernise the existing regulations, which are now 23 years old.
Among its provisions, GDPR will require explicit consent for marketing contact, and restrict the ways that data can be used and stored. Most notably, companies will be required to focus on data protection by design and by default – that is, the concept of protecting data needs to be built into the systems used to store and process it. This includes policies and processes, digital security protocols, and the physical security of data storage devices and facilities.
One tricky factor to navigate is that the new rules also give individuals greater access to the data organisations hold about them, as well as a right to data portability, that is, the right to have data an organisation holds transferred to another data controller. This means that firms will need to develop ways to make data both secure and available, primarily through thorough identity verification before allowing access.
The new regime also introduces a duty on data holders to report any breaches of security to the appropriate regulator (for the UK this will still be the ICO) within 72 hours of discovering the issue, and in some cases to actively inform affected individuals. This means that the approach taken by Uber last year, when they paid the ransom demanded by data thieves and tried to keep the breach a secret, would attract official sanction.
Regulators will be able to levy harsher fines than ever before, too. The maximum fine for breaching the rules is €20 Million, or 4% of global turnover, whichever is higher. To put that into context, the maximum fine for Uber’s cover-up of their ransomware attack, had GDPR been in force, would have been a whopping $260 Million. The complexity of the requirements and the scale of punishments available to regulators has led many companies to see GDPR as a challenge to worry about.
For professionals in various fields, though, the implementation of the new rules provides a bonanza of contract opportunities. While the first thing we think of when it comes to data protection might be IT, and the challenge of protecting against malware attacks, the need for experts goes beyond that. The massive overhaul of procedures and systems may in fact require large-scale, multi-discipline projects, especially for large firms. Processes need to be designed and implemented, staff require training, and the physical security of premises and systems will need to be evaluated.
Nor is the requirement simply a one-off opportunity in the run-up to May’s implementation date. If firms are to maintain compliance there will be an ongoing need: new staff will need training and existing staff will require refreshers, compliance will need continuing monitoring, and any new software or hardware installed will necessitate reviews and updates to the company’s data protection policy.
Above all there is little hope that the malware threat will diminish anytime soon. Cybersecurity experts McAfee Labs report that they saw four new malware samples a second during the third quarter of 2017, a total of 57.6 million samples. McAfee’s chief scientist, Raj Samani, worries about organisations’ failure to address known vulnerabilities, a basic requirement of GDPR. “Although attackers will always seek ways to use newly developed innovations and established platforms against us, our industry perhaps faces a greater challenge in the effort to influence individuals and organizations away from becoming their own worst enemies,” Mr Samani explains. For consultants not just in IT Security but in many other fields, embracing this challenge could prove to be a steady stream of work.