General Data Protection Regulation
EUROPE’S NEW DATA PRIVACY LAWS
ARE YOU AS READY AS YOU THINK?
THE GDPR – A NEW CHALLENGE FOR THE IT SECURITY PROFESSION
The EU General Data Protection Regulation (GDPR) is one of the most significant developments in data protection policy and regulation for years. The IT security profession is slowly starting to recognise the full extent of the changes to the processing of personal data ahead of the GDPR coming into force in 2018.
Symantec and the research firm Coleman Parks conducted a study into how prepared UK and Ireland organisations are for this wide-ranging legal framework, questioning 260 CISOs from organisations with 1,000+ employees.
WHAT COULD POSSIBLY GO WRONG?
The research shows that those in charge of IT security in the UK and Ireland think they are well aware of the wide-ranging impact of the GDPR on their organisations.
The top three issues were data transfers, public awareness and loss of brand reputation after a breach, and disruption of the business.
Top 5 GDPR issues impacting UK and Ireland businesses
1. Data transfers: 43%
2. Public awareness and brand reputation in case of a breach: 38%
3. Business disruption / inability to trade during privacy incidents or investigations: 33%
4. Fines and legal costs of compliance and litigation: 32%
5. Ability to process data for your business model: 31%

Of only slightly less concern were fines and costs (31%), despite the fact that these could range up to 4% of annual turnover or €20 million.
CONFIDENCE AMONG UK AND IRELAND ORGANISATIONS
Despite the scale of change to processes and systems required to comply with the GDPR, 82% of UK and Ireland organisations believe they will be fully prepared for the GDPR within the next five months.
When organisations expect to be prepared for the GDPR (chart legend: Prepared / Likely to be fined)
Fully prepared: 28%
In 1 month: 14%
In 2-5 months: 40%
In 6-12 months: 14%
In 1-2 years: 2%
In 2 years or more: 2%
As part of these preparations, over half (47%) have already appointed a Data Protection Officer (DPO). Also, despite lower IT budgets and skills shortages, 51% of the respondents believe they have full authority and budget to make the changes they need to become more resilient.
GDPR RESPONSIBILITY – WHO’S ON THE HOOK?
GDPR is on the board’s agenda for 59% of organisations. Overall, 38% of boards received compliance reports from others, including the CISO, while for 3% GDPR was not yet a board issue.
However, when it comes to public announcements following a cyber breach that affects GDPR compliance, the responsibility is shared across a variety of roles such as the CISO (30%), CIO (20%) and DPO (18%).
Top titles responsible for managing the series of announcements in case of a cyber breach (Overall / In large enterprises)
CISO: 30% / 40%
Chief Data Officer: 12% / 9%
CIO: 20% / 15%
CEO: 13% / 10%
DPO: 18% / 15%
Head of Legal: 4% / 30%
WHAT ABOUT OUTSOURCING?
Part of the requirement to comply with the GDPR is to have a clear view of how personally identifiable data is dealt with. It is therefore surprising to see third party process engineering (such as payments processing, credit checking etc.) being the most popular aspect of the GDPR to be outsourced (56%).
Parts of the GDPR preparation to be kept in-house / to be outsourced
Third party process engineering: 44% / 56%
Certification: 59% / 41%
Ongoing compliance: 62% / 38%
Policy creation: 68% / 32%
Preparation: 69% / 31%
Data classification, DPO role, Incident Response services: the remaining splits shown were 58% / 42%, 66% / 34% and 71% / 29% (the category order for these three is not recoverable from the chart)

Perhaps more understandable was the use of external experts for certification (41%), ongoing compliance (38%), policy creation and preparation (32% and 31%).
ARE YOU FAILING TO PREPARE OR PREPARING TO FAIL?
Given the degree of confidence asserted by CISOs in this study, it is surprising to see how many would currently fail an important security requirement of the new law.
Breach readiness of respondents
37% are fully equipped to detect, report, remedy and recover from data breaches.
37% are only able to report the breach within the 72-hour notification requirement that applies to notifying regulators under the GDPR.
20% should be able to report the breach, but not within the 72-hour notification requirement that applies to notifying regulators under the GDPR. They are liable to be fined.
4% will improvise as and if the situation presents itself.
1% don’t expect to suffer a data breach at all.

While 37% are fully equipped to detect, report, remedy and recover organisationally from a breach, 37% only feel able to report it within 72 hours. Worst of all, 4% will improvise in a breach situation and 1% are confident they would never suffer a data breach.
FIVE STEPS TO GET READY FOR THE GDPR
Symantec recommends following these steps:
1. Treat GDPR compliance as a board-level issue for your organisation. Form a governance group under the direction of the CISO, CIO and Data Protection.
2. Understand and map the data you collect and process, directly and via third parties. Devise and test the mechanisms to delete data with confidence.
3. Assess your organisation’s current data retention policies and whether the level of security and the procedures in place offer adequate protection against unauthorised processing and/or data loss.
4. Take a ‘Privacy by Design’ approach to re-engineer processes and policies which involve the processing of personal data, to ensure compliance happens by default.
5. Urgently review your breach notification processes to assess whether your organisation can investigate the extent of any compromise within the 72-hour notification deadline. If not, review your Cyber Insurance coverage once again, or be ready to pay large fines.

For more insights, click here: http://www.symantec.com/en/uk/data-privacy/
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Symantec EMEA Headquarters 350 Brook Drive, Green Park, Reading RG2 6UH
Tel: +44 (0)870 243 1080