Complying with the EU data protection regulation

Companies are not yet ready for the EU General Data Protection Regulation, which will apply from May 2018, experts say. From an IT perspective, there are three things businesses should not neglect.

Firstly, corporates need to understand which data is sensitive and thus needs to be protected. Data classification is essential because most information does not need to be protected – usually only about 10-15% of data has sensitive information about customers, business partners or intellectual property.

Following the data classification, the information labelled as sensitive needs to be encrypted.

Rui Biscaia, director of product management at Watchful Software, says: “Once you encrypt that data, you need to make sure that your third party cloud provider does not have access to something that is known as the master key for encryption, the key that is able to decrypt everything. You need to ensure that that master key is not hosted or owned by anyone other than you as a company.”

He adds: “Companies need to consider the GDPR in many different ways, but from an IT security perspective, if you are classifying and encrypting your data driven by that classification, and make sure you own that encryption key so that you can revoke access, grant access and not be at the mercy of anyone else that may have access to it, then you are pretty much covered. You can never be 100% protected against data breaches, but if you follow this recipe, you’ll be compliant with GDPR.”

Cloud exposure

As companies are gearing up for the introduction of the GDPR, Biscaia warns that they should not forget to take into account their exposure through cloud-based third-party suppliers.

“Under the GDPR companies are liable if data with personal identifiable information falls into the wrong hands. The organisation should therefore have some sort of control and understanding on how company data is being shared,” he explains.

“Third-party cloud providers may be using encryption to protect your data, but they may be forced to surrender that data if a governmental agency demands it. So you need to understand who is accessing your data at any given time and have ways to revoke access to that data if and when you need to.”

Most large corporates are aware of their responsibilities under the GDPR, although they are not yet ready for 25 May 2018, when the legislation will start applying.

Under the new rules, companies will have to notify the regulator within 72 hours of a data breach occurring. Within that timeframe, the company will need to understand what has been breached and how it has been breached, and they need to start formulating a response.

Lucien Mournier, underwriter, specialty lines at Beazley, says: “This requires some form of internal organisation as to how a crisis situation will be managed within a framed time that’s pretty short. Forensics will need to assist you immediately just to understand how wide the breach is. Many times companies will say ‘we know something has been breached, but we don’t know how much’, and finding out just how much is a big job just in itself.”

The cost of non-compliance

Fines for non-compliance with GDPR are high and could reach up to €20m or 4% of global turnover, whichever is the higher.

Insurance companies will be able to insure fines, but only where they are legally insurable. Mournier explains: “The insurability of fines is decided by individual countries. For example, in Italy you can’t insure fines, but in Spain you can. France has not taken a position yet, so we’re waiting for the regulator to outline what their mind set is on insuring fines.”

Member states have until 6 May 2018 to transpose the EU GDPR into national law. Until then, companies, law firms and insurers are waiting for the details of each country’s application of the new regulation.

“We are expecting that some regulators in some countries will want to make sure that they show GDPR has an impact, so the first fines might be big ones. It’s important that companies understand that that is also one of the risks, that the first fines might be a bit bigger than what you are going to see in the few years after that,” Mournier says.