High-profile data breaches are becoming increasingly routine.
Media coverage of events like the massive TalkTalk hacking scandal has opened the public's eyes to the insecurity of their private data in the hands of enterprises, though the public aren't the only ones who have taken notice. Regulators across Europe have taken it upon themselves to ensure these breaches don't become the norm, putting more of the burden on the companies who hold our sensitive data.
Having been adopted in April, the European General Data Protection Regulation (GDPR) is expected to make a monumental impact across the European Union when it comes into full effect in 2018. The new regulations will affect all businesses with operations within the EU, regardless of where their head office is located.
This means that, post-Brexit, UK-based businesses are still urged to become familiar with the new regulations and must be prepared when they come into effect; the vote to leave the EU will not change this.
The most obvious change is that it will increase the penalties and fines associated with non-compliance and with suffering data breaches. Administrative fines will be set at a minimum of two per cent of global turnover, though some offenders could face fines as high as four per cent.
The significantly increased fines alone will bring the headline-grabbing figures usually seen in the US.
The regulations also include a public breach notification clause, which will require companies that fall victim to a data breach to notify regulators within 24 hours of discovery. In many cases, regulators will also be required to release the names of these companies, for the sake of public safety.
This will likely result in companies facing irreparable reputational damage, decreased share values, eroded client trust, reduced employee allegiance and business deferred to competitors, adding a tremendous impact on top of those already faced by companies that have been the target of a data breach.
The cost of aligning to the new regulations is unpredictable.
Additionally, non-EU organisations may also need to appoint representatives within the EU in order to comply with the regulations. Organisations are also expected to hire data protection officers to make sure the regulations are complied with, introducing even more cost and complexity to the equation.
With the new regulations having been adopted in April, the two years allotted to companies to achieve compliance are already beginning to run out. Given the complexity of aligning, it is recommended that organisations take a much more proactive approach sooner rather than later.
In order to avoid facing heavy fines, or worse, being publicly named as untrustworthy, businesses need to ensure they remain in control of their systems and prevent the threat of a data breach.