InfoSec 2016: GDPR hangs heavy over Europe

New EU regulations causing a stir in London’s security conference.

It is 23 months, 2 weeks and 2 days until the EU General Data Protection Regulations come into force. Across this year’s Infosecurity Europe conference in London, the prospect of GDPR hangs heavy.

“The most massive health & safety and employment law are nowhere near as big as GDPR,” said PwC’s Stewart Room. Where employment laws might only affect you while you’re in work, “from the moment you’re born until you’re in your box, you’re a beneficiary [of GDPR].”

Various talks throughout the event served as reminders of the time left until GDPR becomes law, of the list of requirements – which IDG Connect has touched upon earlier – and of the large fines that come with non-compliance.

“They’ve put some serious teeth behind these regulations,” warned Rich Allen, vice-president, Ipswitch. Up to €20 million ($23 million) or 4% of global revenue – whichever is greater – for the most serious breaches. In the UK, the current maximum fine for data privacy is £500,000 ($723,000). “I think every company will be affected.”

In a speech on data privacy, Lord William Hague called it “certainly well-intentioned” with “good objectives”, while Iain Bourne of the UK Information Commissioner's Office called certain parts of it “clunky”.


How to prepare

So what can companies do to prepare for the incoming changes? With two years until the rules come into force, now is the time to start planning and training. As with any major change, proper preparation will involve a mix of people, processes, and training. Organisations that already take security seriously will have far less work to do than ones that are bad at security, we’re told.

Companies need to get their timelines in place and work out which tasks will take the most time, and start there so there is proper opportunity to implement and test systems.

Reviewing your current contracts is also strongly advised. Understanding what contracts you have with which vendors is crucial to understanding what work needs to change between now and 2018. CSPs that understand and appreciate GDPR will succeed; those that don’t will fall by the wayside.

Ipswitch’s Allen suggests the key technologies involved will be encryption, analytics & reporting, perimeter security, secure file sharing, and effective mobile device management.

The UK Information Commissioner's Office offers a free 12-step guide to preparing for GDPR, and is due to release a more in-depth guide in the future.


Brexit vs. GDPR

Even as European organisations face one of the biggest data privacy upheavals of this millennium, the prospect of the UK leaving the European Union makes the issue much more complicated: would GDPR still apply in the event of a Brexit? Is it even worth UK companies preparing for it?

Lord Hague suggested that even in the event of a Brexit, GDPR could still apply from 2018 until the date the UK officially left the EU.

“A Brexit will not happen in the data protection world,” said Eduardo Utaran, a partner at Hogan Lovells. “It’s the only way to continue to be part of the digital economy in a lawful way.”

Both Utaran and Iain Bourne of the UK Information Commissioner's Office suggested that even if the UK did leave and abandon GDPR, it would develop its own data privacy laws offering similar levels of protection and similar requirements.


The future

While the news already carries a regular stream of stories on data breaches, we can expect a lot more once mandatory disclosure comes into force. Hogan Lovells’ Utaran says there is currently a culture of discretion and predicts that, where only one in ten breaches is disclosed today, that figure will jump significantly.

The ICO’s Bourne warns that we “will be surprised at the scale of breaches” once disclosure is mandatory, and that this could result in far more consumer activism, with people demanding that businesses work harder at privacy and security.

While there is a big focus on the work and fines related to GDPR, it doesn’t have to be seen as a negative. Quentyn Taylor, director of EMEA information security at Canon, believes it is an opportunity to “give security a seat at the table” and to secure more in the way of budget and resources.
