One of the big surprises from the UK’s Queen’s speech was the announcement that the UK government is on track to implement the General Data Protection Regulation (GDPR).
This new EU data protection regulation will come into force from May 2018. Its aim is both to protect people's personal data and to give them more control over it, within a clearer regulatory system that is enforceable in a court of law. In the UK this will update the existing legislation, including the UK Digital Inclusion Charter. For the public, one example of how this will be of benefit is the right to demand that social media firms delete their data once they turn 18 years old.
For businesses that share data within and from the EU, the responsibility for enhanced cyber-security is clearly placed on the organisation. With a predicted 25% growth in malware for 2017 alone, this threat continues to manifest, the most recent example being the National Health Service cyber-attack. Under the GDPR a data breach could result in huge fines for companies of up to 20 million euros or 4% of their annual worldwide turnover.
With a threat of a penalty hanging over how companies distribute, store and delete data, they have no choice but to evolve their operations. Companies will have to show that they are up-to-date with the legislation and put into place systems of compliance. For larger global industries, a data protection officer and staff will be needed to manage and enforce the GDPR legislation.
Under the new rules, should a company suffer a data breach it must be reported within 72 hours. This applies to any company that handles EU citizens’ data, and fines can apply outside the EU countries. Not even Brexit can save the UK from GDPR rules. A digital attack on a company’s database that ends up in the press requires a PR strategy to manage both the public’s and stakeholders’ concerns about loss of data. Stating that you are fully GDPR compliant may help restore confidence.
There clearly appears to be a need for more data protection officers, with consultants and legal firms already advertising in the Google search results offering GDPR assessments, regulation courses and compliance guidelines. For Information Security professionals looking for a professional development challenge, you can now apply to become an EU GDPR certified officer. Overall, the outcomes of this legislation may be more jobs, greater data protection and increased privacy for individuals’ data.