A survey by Ipswitch showed that more than half of European companies do not know about legislation planned to unify data protection laws.
The EU General Data Protection Regulation (GDPR) is due to be adopted in 2015 and is designed to unify and simplify data protection across the European Union (EU). It stipulates that companies can be fined up to €100 million (approximately £80 million) or five percent of their global turnover – whichever is greater – in the event of a data breach, while individuals can invoke the “right to be forgotten” for a variety of reasons, such as switching to another service. The fact that it is a ‘regulation’ rather than a ‘directive’ means that it will be directly applicable to all EU member states without the need for national legislation.
Although the adoption date of the GDPR is not yet known, it is certain that changes are on the way and EU organisations should not delay meeting its requirements. However, the findings from Ipswitch’s survey of IT professionals cause some concerns.
- 52% of respondents admitted they were not ready for the GDPR.
- 35% confessed to not knowing whether their IT policies and processes were up to the job.
- Only 12% of respondents felt ready for the change.
Not a high priority
- Only 13% said they planned to spend more time understanding and preparing for the GDPR.
- 26% said they wanted to spend more time reviewing and tightening security policies.
- 26% said they wanted to be able to spend less time on manual reporting and auditing.
GDPR awareness varies by country
German IT professionals proved to have the most awareness of the GDPR, while Britain fell behind both Germany and France. At the same time, the British were the most likely to store sensitive personal data in the Cloud.
- 49% of the Germans surveyed correctly identified that the GDPR stood for the General Data Protection Regulation.
- 36% of the French knew about the GDPR.
- Only 26% of the British surveyed were familiar with the regulation.
How to prepare for the EU data protection changes
Conduct privacy impact assessments
A privacy impact assessment (PIA) is a key risk assessment process outlined in the requirements of the EU General Data Protection Regulation. It allows the early evaluation of a business proposal to identify potential impacts on the privacy of the individuals involved.
The UK Information Commissioner’s Office (ICO) already recommends that PIAs are conducted to assess the privacy risks for all policies and projects involving the use, collection and disclosure of personal information, and the government’s Security Policy Framework mandates their use by all government departments.
In order to learn how to develop a privacy impact assessment procedure, implement the project process, monitor the results and take action where required, you can attend the IT Governance PIA workshop.
Manage privacy policies and procedures
Organisations must ensure that their privacy policies and procedures are accurate and up to date. They need to be documented, monitored and reviewed. Organisations will be accountable for these and the data protection authorities will be able to ask for them at any time.
For more guidance on documenting policies and procedures, refer to the Data Protection Act Compliance Toolkit.
Raise staff awareness
Ensure that your staff awareness and training policies and procedures are adequate to inform your employees about what is right and what is wrong.
The Data Protection Compliance Report found that nearly one third (32%) of all incidents came as a result of personal or sensitive data being inappropriately disclosed or sent to the wrong recipient by staff – the biggest single factor in data breach incidents investigated by the ICO.
Manage information assets
Organisations should regularly update their information asset register to clearly identify what data is held, where, how and why. According to the new “privacy by design” requirement in the GDPR, data protection should be baked into the development of business processes for products and services.
Appoint a data protection officer
Companies with more than 250 employees will be required to have a data protection officer and an impact assessment on specific risks, while all firms will have to publish contact information for a data controller.
Data protection and ISO 27001
Although the GDPR hasn’t been adopted yet, addressing the points outlined above requires time, so organisations should act now.
Adopting a holistic approach to information security will also help to meet data protection requirements. The international standard ISO 27001 addresses the information security elements of the majority of global privacy regulations, including the Data Protection Act, by providing a comprehensive framework for developing and implementing an auditable information security management system (ISMS). Find out how to get started with ISO 27001 here.
Additionally, IT Governance can provide detailed assessments of your data protection regime to ensure you are on track to comply with the GDPR when it comes into force. Find out more about our data protection consultancy service here.