GDPR news: GDPR turns six months old

More GDPR News

EU flag in front of building

02/02/2018: Most enterprises have no data-breach notification plan

A quarter of businesses will not be able to meet the GDPR's 72-hour data breach notification window, while only 18 percent have a plan in place to notify customers if their data is breached, a report by Tripwire has revealed.

The firm said in its survey of 406 cybersecurity professionals, less than 25 percent said they would be able to let authorities know their systems had been breached within 24 hours. Less than three quarters said they were "somewhat prepared" to notify customers data had been breached and would be forced to rectify the issue "on the fly" if they were to suffer a breach, which is a far from idea' strategy.

"When it comes to cybersecurity, it's short-sighted to figure things out on the fly,'" said Tim Erlin, vice president of product management and strategy at Tripwire.

"The majority of data breaches and security incidents can be avoided by following basic security steps and implementing tried and tested foundational controls. With GDPR coming into effect this year, running a business without a fully baked plan is really asking for trouble."

Although over a third thought they would have no problem finding where customer data resides, saying their knowledge of its location is "excellent", it's worrying that more security professionals don't know where their customer data is stored.

"There are plenty of tried and tested frameworks available from governing bodies in the cyber security space that can help organizations who feel like they're struggling to prepare for a security incident and more specifically, GDPR," Erlin added.

"If you are an organization subject to GDPR and as the rules apply to all companies worldwide that process personal data of European Union (EU) data subjects, that will be the majority of global businesses - you are not alone. Start researching for resources that cater to your needs now to help you prepare, so that you aren't hit with a big fine come May 2018."

23/01/2018: A quarter of London's firms are unaware of GDPR

One quarter of London businesses are entirely ignorant of GDPR, new research has discovered just four months before the EU's new data protection rules apply in the UK and other member states.

The legislation, which will impose higher fines on organisations found to be careless with people's personal data and will hand citizens more control over their information, will apply from 25 May.

But the London Chamber of Commerce and Industry (LCCI)'s survey of 500 of the capital's firms found that 24% are unaware of the incoming legislation, while one in three believe it isn't relevant to them.

In fact, the legislation applies to any organisation using the personal data of EU citizens (including employees), or any firm processing that data on another company's behalf.

LCCI's chief executive, Colin Stanbridge, said: "Businesses that are already vigilant about their data protection responsibilities are unlikely to be unduly burdened by the new legislation.

"However we would urge businesses to take this opportunity to review their processes to see if they need to make any changes to be compliant."

The survey found that just 16% of businesses aware of GDPR believe they are prepared for it.

But the penalties for non-compliance are potentially high - while data protection authorities like the UK's Information Commissioner's Office (ICO) are currently able to issue fines of up to 500,000 for data protection breaches, under GDPR this will rise to up to 4% of a firm's annual turnover, or 20 million.

These fines must be proportional to breaches, but regulators are likely to come down harder on firms that have made little effort to comply with the rules.

You can read about how to prepare for GDPR here.

03/11/2017: UK data watchdog opens GDPR helpline for SMBs

The Information Commissioner's Office (ICO) this week launched a helpline for SMBs preparing for the General Data Protection Regulation (GDPR).

The phone service, which opened on 1 November, is designed to address the specific data protection challenges facing the estimated 5.4 million SMBs operating in the UK.

With staff on hand to answer questions, the service acts as an extra resource to the ICO's existing guidance, with an emphasis on helping people with obstacles particular to their businesses.

Information Commissioner Elizabeth Denham said: "Small organisations want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start.

They may have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do.

"Our new phone service and all the other resources already on our website plus even more advice and guidance yet to come will help steer small businesses through the new law."

The ICO already offers firms of all sizes a 12-step guide to preparing for GDPR, which comes into effect in the UK from 25 May 2018, giving people more rights over their data, and imposing tougher fines on organisations that fail to protect it.

The data protection regulator is also revising its SMB toolkit in order to help firms fill any gaps they have discovered in their preparation for GDPR. Around 9,000 businesses a month have used the toolkit since January 2016, while the ICO\'s 12-step guide has been viewed 73,000 times since May 2017.

06/08/2017: One in five large UK businesses are completely in the dark when it comes to the application of GDPR in their organisation, according to new data.

Citrix's survey of 500 IT decision makers in such organisations found that 20% didn't know if their company's policies are compliant with GDPR.

One of the major problems facing these businesses is data sprawl. The study found that 21% of respondents use more than 40 systems to manage and store personal data almost double the national average with 47% saying they share this information with other organisations. Of that 47%, nearly half share the data with more than 50 companies.

While the majority said they retain complete control of this data, 15% said they don't.

These figures present several problems. First, GDPR requires businesses to state a legal basis for collecting people's data, which can range from getting a person's explicit consent, to complying with a legal duty. Second, EU residents have the right to access all the data held about them and also to request their data is removed. Both of these may be a challenge when so many systems are used and if the data is no longer in the full control of the initial data controller.

Another issue raised by the survey is understanding data ownership a key tenet of GDPR. Only 27% of those questioned thought personal data belonged to the customer, with 50% thinking it belongs to the organisation holding it.

Chris Mayers, chief security officer at Citrix, said: "Ensuring data privacy processes and systems are in place - from privacy by design to privacy by default requires an organisation to know exactly where their data is and who can access it. Yet many are losing sight of data, spread across multiple systems and shared with multiple partners, while also struggling to scale up to store and control the huge influx of personal customer data they receive today."

"Businesses must recognise that more centralised application and data storage environments will make it easier to meet technical compliance goals. This centralisation can be achieved in various ways, from introducing unified access controls across on-premise and cloud services with single sign-on to rolling out centrally-managed virtual workspaces. However it is done, controlling data sprawl and recognising enterprise accountability around data privacy will be key to GDPR compliance," he added.

20/07/2017: The Cloud Industry Forum (CIF) has responded to what it sees as "uncertainty" in how authorities will determine data protection compliance by drawing up its own standards.

The EU General Data Protection Regulation (GDPR) comes into force across the soon-to-be 27 nation bloc 25 May 2018, by which point any organisations handling EU residents' data must be compliant or face tough fines for breaches, of up to 4% of their annual turnover or 20 million, whichever is greater.

BCIF is the latest organisation to air doubts that data protection authorities have a clear idea of how companies can achieve compliance, however, with no clear standards yet drawn up.

"It's incumbent on cloud service providers (CSPs) to be able to demonstrate they have the required capabilities," said CIF CEO Alex Hilton.

"However, in many ways, the GDPR is an abstract and non-prescriptive piece of legislation and the absence of a concrete standard makes it difficult for certain companies to be sure that what they have put in place is compliant."

As a result, CIF has updated its Code of Practice for CSPs to ensure they're compliant with the stricter data protection rules, which hand EU residents more control over their personal data and require organisations holding or processing the data to be transparent about what they're using it for.

Under GDPR, companies using cloud services are still liable for any breaches of the new rules, even if the breach is the CSP's fault, so understanding that a CSP is compliant will be an important factor in deciding whether to sign a deal with them.

Frank Bennett, CIF deputy chair, said: "Customers selecting a new provider will include GDPR in their due diligence. For service providers, GDPR is a mission-critical event for the retention of existing customers and winning new customers and the CIF Code is there to provide assurance to customers."

Collaboration platform Box's VP of compliance, Crispin Maung, told IT Pro earlier this year that data protection authorities "are struggling with figuring out what GDPR compliance really means and how they are going to measure [it]".

Meanwhile, retailer John Lewis and bank HSBC both criticised the UK data protection authority's guidance so far on GDPR compliance, calling it "woolly".

31/05/2017: Only 30% of the UK's businesses have started preparing for the GDPR, despite only having 12 months until the rules become law, a report conducted by YouGov and commissioned by law firm Irwin Mitchell has found.

The organisation questioned 2,000 businesses about how they are preparing for GDPR, which comes into force on 25 May 2018, and the findings were worrying.

Not only are the majority of firms not ready for the changes to data protection law, but 71% haven't even realised they will be heavily fined should they not follow the guidelines - breaches will cost companies up to 4% of their annual turnover or 20 million, whichever is higher. This is despite 18% of businesses saying the size of the fines are likely to put them out of business and 21% reporting that being fined on such a high level would force them to make redundancies.

The research also exposed that a quarter of businesses would be unable to detect a breach if it happened, showing how ill-prepared some UK organisations are for GDPR to come into force.

"These results are concerning because with next May's deadline fast-approaching and with so much at stake, our study reveals there's a very real possibility that the majority of organisations will not be compliant in time," Joanne Bone, partner and data protection expert at Irwin Mitchell, said.

She added that the reason businesses are so badly prepared is because they don't think it will have much of an impact on their companies. This misconception is supported by the survey, which revealed that almost a quarter believe because their business operates in the consumer space, it won't be affected by the new rules.

"Contrary to popular belief personal data is not just consumer information," Bone said. "It is hard to think of a business today that does not use personal data. Whether you have employee data, customer data or supplier data if the data relates to an individual you will be caught by the new data protection laws."

25/05/2017: One year to go until GDPR applies in the UK

There is just a year to go for businesses to prepare for new data protection rules that hand EU citizens more power over their personal data and promise large fines for companies that transgress.

The General Data Protection Regulation will apply to any business handling or processing EU people's personal information from 25 May 2018 and does not require any additional legislation from the UK to come into force.

Instead, companies must ensure their data governance policies are ready for the deadline, with financial penalties of up to 4% of global turnover, or 20 million, for those who are found not to comply.

Information Commissioner Elizabeth Denham warned UK businesses during a Wall Street Journal event: "If your organisation can't demonstrate that good data protection is a cornerstone of your business policy and practices, you're leaving your organisation open to enforcement action that can damage both public reputation and bank balance."

However, she added: "But there's a carrot here as well as a stick: get data protection right, and you can see a real business benefit."

But 75% of 500 IT decision makers from the UK, US, Germany and France told cyber security firm Varonis that they will struggle to be ready by the deadline.

Meanwhile, nearly half of UK IT leaders said they expect a UK firm to be the first charged for breaching GDPR.

Another survey by the Direct Marketing Association (DMA) found that while 54% of 215 businesses believe they are on course to achieve compliance, that figure has fallen from 68% since February, and 24% are yet to draw up a formal GDPR strategy.

DMA CEO Chris Combemale called for better guidance from the Information Commissioner's Office (ICO), which is responsible for enforcing GDPR in the UK.

"Recent announcements and guidance from the ICO have caused much concern, that the interpretation of the laws is overly strict, penalising the companies most committed to best practice, honesty and transparency," he claimed.

"What the industry needs is balanced and fair guidance from the ICO and Article 28 Working Party [a group representing the EU's data protection authorities]. With just 12 months to prepare we need this guidance urgently if we're expected to be ready in time."

The ICO offers a variety of guidance online for GDPR compliance.

Jason Hart, CTO of data protection at digital security firm Gemalto, warned that time is running out for "businesses to get their house in order before GDPR comes into effect".

He added: "Once that happens, we'll start to see the true picture of data breaches within Europe and the impact that will have on the reputation of a multitude of businesses.

"Companies need to realise that being breached is an inevitability and customers will not put up with those that can't protect their data. In order to be compliant, business must follow the six-step process outlined in the legislation."

Lawyer Ashley Winton, who is the chairman of the UK Data Protection Forum, concurred, saying: "In the UK there will be no grace period for compliance with the GDPR so with 365 days to go and counting, now is the time for businesses to re-assess their approach to becoming compliant."

"Many companies are undertaking a detailed GDPR gap analysis or sophisticated data mapping, and whilst they can be useful tasks in themselves, it is worth re-examining them to see if they can be simplified in order to bring forward key remediation tasks," he said.

"GDPR compliance will be greatly assisted by alterations to existing databases and technologies, and so in the GDPR compliance triage, an immediate focus on technology could be a lifesaver."

The business benefits of GDPR compliance

But while the risks for not complying by 25 May 2018 are clear, there are also benefits for companies.

The ICO has previously mentioned that complying with the GDPR ahead of next year will improve customer trust, and experts believe there is plenty to be gained from striving to comply in time.

Cooley London law partners Sarah Pearce and Ann Bevitt said: "For organisations willing to think outside the box, new(ish) concepts such as privacy by design, profiling and data portability present the opportunity not only to innovate but also to build customer trust."

"A correct GDPR implementation will help businesses manage data privacy risk, implement good record management practices, streamline business processes, increase resilience as well as benefit from cost savings and ultimately a more competitive market position," added cloud IT consulting firm Sungard Availability Services' senior consultant, Rogelio Aguilar.

"To take advantage of these opportunities and mitigate risk, senior management must champion GDPR as a strategic initiative."

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.