28 February 2017
Blogs by author: Bas de Graaf , Head of Product Management, Security Consulting, BT.
You have just one year and a few months to prepare your organisation for the new EU Data Privacy Regulation. Here’s what you need to know.
Setting the cyber scene.
The world is undergoing a digital transformation. Smart cities, the Internet of Things (IoT), social media, mobile devices, cloud computing; they’re all part of this transformation. And they have one thing in common — they use and generate huge amounts of data.
It’s not just the amount of data that’s rising — it’s the value of data too. As more and more confidential data is generated or captured by institutions such as banks, government agencies and healthcare organisations, a growing community of cyber criminals looks to get their hands on this valuable commodity.
This is what led the European Parliament to devise a new regulation to replace the 1995 Data Protection Directive. After all, in terms of technology, 1995 does feel like a lifetime ago.
This new regulation, EU 2016/679 (also known as the General Data Protection Regulation or “GDPR”), comes into effect from 25 May 2018 — and it means you’ll have to change how your organisation deals with personal data. A significant impact of this new regulation is that if a security breach occurs and you are found to have been non-compliant, you could face a fine of four per cent of your annual revenue.
An example of what it could mean for you.
GDPR could have wider implications for your business than you think. There are a number of ways that you could be affected. Let’s use BT as an example: for us, everything, from the personal data involved in our payment services to information that passes through our data centres, is affected by this new regulation.
What you can do to prepare.
You’ll be pleased to know that there are steps you can take to prepare your organisation. To name but a few, you need to:
◾develop specific data-protection programmes
◾have a proper understanding of data flows (and their associated business processes)
◾review and possibly redesign your security architecture
◾implement appropriate technical and organisational security controls and continue to review their effectiveness
◾develop security processes to detect and mitigate data leaks.
Here’s the problem though, some of the requirements especially those around security are already in place whilst you need to do all of these and more in just a year and a half — a tight deadline by any organisation’s standards. But before you start to panic, here’s the good news: we can quickly help you to review your existing security and see if there are any gaps.