Next year, the General Data Protection Regulation will dramatically change how much of our data is processed throughout European businesses. Companies, though, are slow to adapt.
There are numerous changes afoot in EU business, with the General Data Protection Regulation (GDPR) realigning privacy rules and insisting data protection officers be installed at all public authorities as well as companies that operate with the “regular and systematic monitoring of data subjects on a large scale”.
Beyond that, it’s throwing in a number of punitive measures for companies found to be flouting rules that are in place to protect the rights of EU citizens. These include penalties of up to 4pc of a company’s turnover in extreme cases, with the number more than trebling when GDPR comes fully into effect.
These punitive deterrents are enough to make most CEOs squirm, one would have thought. Why, though, have companies acted so slowly to date?
In a survey of thousands of IT professionals in the UK, 44pc said they were aware of data breaches at their companies, 68pc had lost sensitive data in the process and 80pc said their company was vulnerable to an attack. Despite this, more than half are unaware of GDPR at all.
The regulation comes into effect long before the UK leaves the EU, so heel-dragging seems quite the oversight.
In Ireland, things look a bit better. In a recent survey of 200 IT professionals, 80pc were in companies that have already appointed a data protection officer. The vast majority of these come from IT backgrounds, though, which could prove troublesome.
But on a grander scale, GDPR adoption seems a confused mess. SAP, the German software giant, recently raised its own concerns on the incoming regulations, claiming that the penalties were too high, “especially for just a single violation”.
Life is a drag
Bernd Leukert, head of products and innovation at SAP, told the Financial Times: “If you have 25 violations, your entire revenue is gone,” adding that this would act as a drag on European start-ups.
This response has not gone down well in data privacy circles, with Daragh O’Brien, MD of Castlebridge Associates and data protection advocate, calling Leukert’s attitude “bunkum”.
The violations Leukert refers to constitute “serious breaches of fundamental human rights principles”, large enough to be dealt with separately, he said.
In addition, each breach would have to be so large “that they cannot be combined into a single prosecution, and for which the organisation is unable to demonstrate any mitigating factors or proactive data governance controls for privacy”.
“That is the privacy equivalent of drinking a case of wine, driving a car with bald tyres and no brakes the wrong way down the M50, at 140kph, while taking selfies and tweeting about it on your phone,” added O’Brien.
“In such a case, we would need to question if the organisation and its management should be let handle any data ever again.”
Get in line
Earlier this month, the Information Security Forum (ISF) discussed the need, in an immediate sense, to get in line and prepare for GDPR.
Calling the changing rules the biggest shake-up of global privacy law in more than 20 years, the ISF pulled no punches in detailing the importance of playing ball.
“The GDPR is putting data protection practices at the forefront of business agendas worldwide,” said Steve Durbin, MD at ISF, who added that its scope is unmatched by any other international law.
“For most organisations, the next 18 months will be a critical time for their data protection regimes as they determine the applicability of the GDPR, and the controls and capabilities they will need to manage their compliance and risk obligations,” he said.
With major companies voicing their concerns over the business practicalities, this may prove a rockier road than many a legislator and data privacy advocate may have hoped.
O’Brien likens the current shift in public opinion on data privacy to similar attitudinal changes towards car, toy or food safety in previous years. Consumer demand, backed by legislative penalties, is changing privacy in a similar way, he said.
“However, organisations and governments need to bear in mind data privacy is a matter of fundamental human rights and should not be an afterthought,” he said.
“History is full of business models and ways of working that were historically acceptable but are now out of favour or illegal, particularly where they impacted on the rights and freedoms of others.”