The New EU Data Protection Regulations: An Update
A few months back, we took a look at the new regulations proposed for the EU to protect data. It’s getting ever-closer to the end of 2015 and this means that there is just one year left until the finalised laws are fully enforced. Has your organisation educated itself on the new regulations, and are you ready?
The EU Data Protection Regulation (EUDPR) is being created to replace the now outdated legislation created 20 years ago in 1995; of course, technology has rapidly developed in that time and thus, our personal data has been moved into a progressively more dangerous technological landscape.
As of June, all 28 member states of the EU agreed to the new pan-European data protection laws. These 28 countries will now become a single digital union and it is expected that the digital economy within Europe will increase dramatically following the rigorous procedures and protection under the new regulations. The final figures for breach fines have been released: whilst the European parliament wished for fines of up to €100m or 5% of the company’s annual global turnover, a breach will cost a company up to €1m or 2% of the company’s turnover, as agreed by the Council of the European Union. Even so, these figures are worrying and an extraordinarily high amount for a company to pay. It seems imperative then that companies strictly follow the guidelines to protect themselves from data breaches.
Whilst it has been agreed that by early 2017, the EUDPR will be fully enforced, it seems as though it might happen sooner. There has been a push to get the regulations into law as soon as possible, with the Justice and Home Affairs Council meeting this October. The laws could be implemented as early as January 2016, so if your company is not yet ready for the coming new legislation, the time to act is now.
There are many things companies should be doing to prepare themselves, and the earlier this starts, the better. Here at Cardwave we have devised a list that will help your company be ready for the coming (if still uncertain) deadlines.
1. Locate data and define access
This seems to be the most important factor in preparing your company. Locating precisely where the data you hold is stored is vital and the new regulations will ask for organisations to have a clear understanding of their data’s physical location and the storage method used. This includes everything from cloud storage to data centres. It is important also to know exactly who has access to what data and how it is managed and shared by those people.
2. Educate the entire company on the new legislation
An organisation is totally responsible for the data it holds; it is responsible for how it is stored, secured, managed and obtained. Implementing your own framework that follows the strict parameters of the new laws is critical, and so too is ensuring that all members of staff understand what this framework means and how to apply it to their working practices. Taking note of the laws that are relevant to your company will be useful when creating the necessary framework.
3. Appoint a Data Protection Officer
The likelihood is that part of the new legislation will make it illegal for a company of 250 employees or more to operate without a Data Protection Officer. Whilst there are disagreements about the practicality of this in some sectors – and whilst it may not necessarily become law – it seems good practice to appoint someone who oversees regulatory compliance within your company. Many large companies already do this as a way of being transparent with, and gaining the trust of, their customers. The officer must be responsible for ensuring the company remains in line with the legislation, but must be supported by the board. Outsourcing this position to a consultant is an option.
4. Understand the risks your company faces
Educating yourself on the potential risks and creating solutions to address them is an important part of the continuous self-auditing your company should be doing. To ensure that your company is protected from data breaches, it is best to stay flexible as technology changes and to be proactive about problems that may arise.
5. Put a portable device plan in place
An important aspect of the new legislation is ensuring that your organisation is using the right technology. A simple and yet effective way to store data safely is through encryption. USB flash drives are very commonly used in the workplace, and yet the average company is often far too relaxed about data security and portable device use. As a result, a huge number of breaches take place every year because of lost, stolen or discarded USB flash drives that were not encrypted and therefore not protected. Could your solution be SafeToGo™?
SafeToGo™ USB flash drives with SafeConsole provide a solution to this issue: through SafeConsole, flash drive use can be centrally managed by your company, with features such as remote kill to disable lost flash drives, secure assistance for forgotten passwords and the ability to recover any lost data. SafeConsole server software provides organisations with full security and compliance alongside SafeToGo™, with password protection and hardware encryption to protect all stored information automatically.