Businesses across Europe are steadily stepping up their preparations for the new European regulation on the protection of personal data (GDPR). For anyone handling customer data of any kind, this means a major transition: between now and May 2018, companies and their employees need to review their procedures and have everything in place to comply with the regulation, and the new demands it makes, before the sanctions start to bite.
The data protection landscape has changed enormously since the earlier legislation was introduced, so cybersecurity, the liability of the entities that collect data, and the new mandatory procedures are all being regulated against the backdrop of digital transformation.
We now operate in a largely paperless world, which has particular consequences from a financial and legal perspective. But it is the evolution of the cybersecurity threat that has had the biggest impact on our personal data, and it is this that the GDPR aims to counter through better data management.
Why is GDPR necessary? Quite simply because the old rules have been overtaken by the speed and breadth of the digital revolution, nowhere more so than in cybersecurity. There has been a worrying lag between policymakers' understanding of cybersecurity and the practical reality of the new threats that the digital, paperless way of working has made possible.
From the 90s onwards we have seen mass digitisation and the democratisation of the Internet. In 1995 only 1% of the world’s population was connected; today, according to the International Telecommunication Union, that figure stands at around 50%.
The EU Directive adopted in the mid-90s to govern the emerging digital revolution, and digitised personal data in particular, could not have foreseen the rapid take-up of technologies such as cloud computing or SaaS (Software as a Service). Apart from an amendment to the directive later the same year, the issue was not revisited until 2011, when a think tank was set up and the EDPS (European Data Protection Supervisor) began the process of reforming the legal framework for personal data protection, which was no longer fit for purpose.
Insidious creep of cyber threats
When the earlier data protection rules came into force, organisations were already doing battle with cyber threats, primarily viruses and spam. Compared with today's threat landscape, however, these were minor and fairly straightforward to manage. In recent years the threat to personal data has taken on an entirely different character, in part enabled by the migration of companies onto the cloud.
The scandal that broke in 2013 shook the status quo when Edward Snowden, then a contractor working for the US National Security Agency, revealed its large-scale surveillance programmes and showed that European personal data was among the targets. This was compounded by the campaign of the law student Max Schrems against Facebook, demanding to know what it was doing with the personal data in its possession. After Snowden's revelations, Schrems filed further complaints against Facebook, as well as Apple, Skype, Microsoft and Yahoo!, accusing them of collaborating with the NSA. In October 2015, the Court of Justice of the EU ruled in his favour, striking down the Safe Harbour arrangement under which personal data had been transferred to the United States.
Since then, data privacy scandals have hit the headlines at an alarming rate: the blue-chip hacking probe involving law firms, financial services and insurance companies in the City of London; the fine imposed on a holiday insurance company after fraudsters accessed 5,000 customers' credit card details; and the hacking of the Ashley Madison dating website. The attackers in that last case claimed to have acted specifically to expose the fact that the company was not removing members' private data, even when specifically asked to.
By 2015, the Global State of Information Security survey was reporting a 38% year-on-year increase in corporate security incidents, rising to 56% for thefts of intellectual property and hacking incidents. In the UK, the Office for National Statistics (ONS) in 2015 identified cybercrime as the leading threat to British citizens, with more than 6.8 million catalogued incidents.
The goal of the GDPR, therefore, is to set out a clear and enforceable set of obligations and best practices that help organisations align with regulatory compliance and protect themselves from these sorts of attacks, and ultimately to protect personal data.
There is plenty of assistance for companies preparing for GDPR. Specialist law firms can provide guidance and there are even dedicated legal tools online. Consultants can offer analysis following an audit, which helps companies to better manage the digital transition while taking into account the constraints of the GDPR.
But given the role that cybersecurity threats have played in bringing the GDPR about, perhaps the most important preparation a company can make is to commit to the compliance measures identified by that audit and see them through. Responsibility lies with the organisation that collects and hosts the data (and, under the GDPR, with the processors acting on its behalf) to provide a level of security appropriate to the risk, safeguarding the confidentiality, integrity and availability of that data, so now is the time to take action.