One year to GDPR

25-May-2017

The new European Union general data protection regulation (GDPR) is due to come into force in the UK, regardless of the 2016 Brexit referendum vote, in one year, on May 25, 2018, replacing the current UK law, the 1998 Data Protection Act.

IBM Resilient CEO John Bruce says: “GDPR is ushering in some of the most important changes to European data privacy regulations in twenty years, much of it involving policies and documentation that are difficult to improve with technology.” IBM Security is launching new GDPR capabilities for its Resilient Incident Response Platform (IRP).

In a study by Blancco Technology Group, the United States (13 percent) and United Kingdom (12 percent) are the countries with the second and third highest percentages of respondents who don’t know where all of their customer data is stored. For French organisations, however, the problem is somewhat worse, with 20 percent saying their confidence in their ability to find all customer data is low, ranging from extremely unconfident to slightly unconfident.

Richard Stiennon, Chief Strategy Officer, Blancco Technology Group, says: “If an organization cannot find their customers’ data, how will they be capable of erasing the data and complying with the EU GDPR’s requirement? Once they do finally locate their customers’ data, the next step is erasing the data permanently so that it can never be recovered. But as our study reveals, it’s quite common for organisations to use insecure and unreliable data removal methods, such as basic deletion and free data wiping software, which further undermines their security and compliance to EU GDPR.”

Volumes of data handled by telcos are growing fast, and the pressure is on to minimise breaches, a credit checking agency points out. Steve Martin, Data Protection Officer at Equifax, says: “Mobile data traffic is set to increase sevenfold between 2016 and 2021, and telcos need to work hard to ensure their defences can withstand attempted hacks. The one-year countdown to the implementation of GDPR brings an even greater responsibility to ensure security is first class.

“A data breach under the regulation may result in heavy fines of up to either 4pc of global revenue or 20 million euros, whichever is higher. The financial risk is significant to telco operators. Strategies need to be implemented to ensure appropriate management of data, including how it’s transferred, shared, stored and recovered.

“At the heart of the change is more transparency for consumers; companies must provide clear communication detailing how they manage and protect data from the outset. To avoid confusion, win consumers’ trust, and ensure data can continue to be used effectively, all parties in the data sharing chain need to work together to agree a common approach for privacy notices.

“The financial penalty for a breach is high, but telcos mustn’t lose sight of the benefits of GDPR. It brings an opportunity to improve the public’s understanding of how their information is used and kept safe, and their rights to access, control and correct information held on file. To ensure this is achieved, companies must strike the right balance between compliance and a consumer friendly approach.”

Adam Nash at Webroot says: “With 12 months to go, it’s clear that SMBs in particular need to urgently focus their attention on both this issue and their wider cybersecurity posture. Webroot has found that despite 81pc of UK SMBs being aware of the regulation, 20pc of them have not yet started to prepare for GDPR, showing that SMBs aren’t taking compliance seriously enough.

“The fines and sanctions that can be levied for failure to comply mean this needs to be a focus for SMBs. They must also consider the business impact if they are working with larger organisations that expect their suppliers to demonstrate accountability and compliance under GDPR.

“Webroot also found that three quarters (73pc) do not believe customer data will be any safer due to GDPR, and 51pc thought they weren’t at risk of cyberattack. This underlines the lack of understanding that prevails in SMBs toward cybersecurity, despite huge attacks such as WannaCry making the headlines.

“A number of security measures should be considered by SMBs preparing for the legislation. Firstly, they should ensure that they are minimising the risk of falling victim to cyberattack by using the most up-to-date security measures. Businesses can further help themselves by creating an information security policy that includes data protection measures, and by making sure that any personal data is encrypted. Lastly, appropriate measures should be in place to alert security teams to any problems, so they can act quickly to remediate them.”

At the annual trade show InfoSec 2017, DataRaze will unveil its data asset destruction machine. Businesswoman Jan Smith is the founder and CEO of IT Asset Disposal organisation, EOL IT Services (www.eolitservices.co.uk). With GDPR, Jan identified an opportunity in the data destruction market.

Laura Cooper, Client Services Director at DataRaze, says the machine delivers auditability by using biometric, photographic and video evidence to record the destruction of a data asset. She says: “The reality of changing regulations means that taking a ‘privacy first’ approach to safeguarding information is crucial. From staff awareness to data storage and disposal, the safety and security of sensitive information should be a top priority. A secure approach to data disposal should already be in place to meet existing requirements; however, the arrival of GDPR is bringing data disposal into sharp focus and it will be essential for organisations to have a clear, auditable approach to destroying data.”

http://www.professionalsecurity.co.uk/news/interviews/one-year-to-gdpr/