UK businesses with EU connections, whether through European Union operations, data pertaining to customers living in the EU, or simply data that passes through the EU in some way, will have to be ready for the official passing of the EU General Data Protection Regulation (GDPR) into law later this year.
Although it remains in doubt whether it will be finalised before the end of the year, what isn’t in dispute is the level of penalty for noncompliance: fines will be up to 5% of a company’s annual global revenue. The new law has implications wider than the EU, and will apply to US companies such as Google and Facebook. Karsten Kinast, an analyst with the global security analyst firm KuppingerCole, is urging all businesses with European customers to get used to “privacy by design” fast.
He told Computer Weekly journalist Warwick Ashton: “Privacy by design means making software operate according to the law, which in the case of the new data protection regulation means making it easy for access rights to be exercised and for personal data to be erased after a certain period.”
However, according to Information Age, there are other practical measures that should be taken right now, such as barring employees from using ad-hoc file sharing solutions, many of which are consumer-oriented and have very rudimentary audit, encryption and user-authentication controls. A single mobile file sharing solution that’s clearly approved for enterprise use should be endorsed.
Data security processes will now need to include built-in remote monitoring (billions of devices are now mobile gadgets, making them scattered repositories of potentially sensitive data and content), as well as logging and wiping capabilities. You’ll need 24/7 security wherever your employees happen to be.
Cyber security, in fact, is going to loom much larger for all companies holding digital data; some will be required under GDPR to appoint a Data Protection Officer, a kind of in-house data tsar responsible for driving all data security decisions.
Last but not least, staff are going to need to be brought aboard the new data security ship. That may involve security training for mobile workers.