Businesses across Europe are facing up to the reality of a new, more stringent EU Data Protection Regulation governing the control of personal information. The rulings are in the final stages of European Parliamentary agreement, with proposed fines of up to 2% of global turnover, or €100,000,000, for those who don't comply. These are no longer directives. The European Parliament vote in May 2014 ensured that this will become law, so every EU organisation, as well as any from outside the union that handles EU citizen data, must fall into line before the rules are introduced.

Given the financial penalties, and the reputational damage from getting caught, it is understandable that last month's news of a potential delay in their introduction may have come as something of a relief. However, rather than a sign of creeping doubts, organisations should treat the delay as a commitment from the member states to getting this right and ensuring it is enforceable. At this critical time business leaders must not rest on their laurels and assume they and their IT department have plenty of time to address the issue, because this simply isn't the case.

For directors, managers and CEOs of any EU company that holds personal data, 2015 must be a year of reviewing and adjusting internal policies around data privacy and security, and of leading the business-wide change that will ensure compliance.

This might all sound like major upheaval. Rather than a revolutionary change, however, adapting to the new realities of personal data privacy will be more a matter of improving existing approaches with best practice, which might even deliver unforeseen benefits. For example, many experts suggest that one overarching regulation will cut the overhead of complying with multiple local data protection acts for businesses with operations in several countries.

So what role can executives play in this essential change to day-to-day operations? The first task is to get to know not just the legislation but also the true amount and type of data held by your organisation. The fact is that you will only know your weak points if you know what you have. This is a slightly complicated but highly valuable exercise, which will require your data processing team to look across central networks and infrastructure, at temporary, structured and unstructured data, as well as data held by third-party organisations.

This type of internal review will also help you avoid making unnecessary changes to existing policies. Many of the regulation's requirements apply only to businesses holding certain amounts and types of data. For example, organisations that process data relating to 5,000 or more "data subjects" will be required to appoint an independent Data Protection Officer (DPO) for two years, whereas those without a customer information base of that size are not required to do so.

The best way to understand the steps you need to take is to create a cross-functional team that brings together the data owners from the business and your data processors in IT, to see how you currently measure up to the legislative requirements for your type and size of organisation. This will help everyone understand where changes need to be made, including within their own remit going forward. Employees should also be consulted on the full range of tools and devices they use to share and communicate data internally and externally.

From a technology point of view, many security providers, including ourselves at Clearswift, have identified the need for data loss prevention solutions that ensure compliance with the new regulations. However, we are also acutely aware that any data loss prevention solution must avoid unnecessarily impacting day-to-day operations. The fact is that too many businesses will turn to a 'stop and block' approach to security that ultimately limits productivity and hinders collaboration, rather than a more adaptive data loss prevention solution that allows continuous communication and supports business agility.

Whatever the appropriate technology solution, even the smartest piece of kit can be fatally undermined if it is not accompanied by staff education and internal data policy reviews. Here again senior management must be seen to take a leading role in inspiring business-wide engagement. As with technology, the best decisions can only be made if all the information about the data owned, and how it is shared, stored and accessed, is well understood both by the technical data processors in IT and by the senior management to whom they report.

Heath Davies is the CEO of Clearswift, a UK data loss prevention company. For more analysis of the data regulations please visit - http://www.clearswift.com/blog/2015/01/28/data-protection-policy-are-you-ready-2015

For more information on Clearswift please visit - www.clearswift.com