The upcoming EU Data Protection Regulation
Depending on your industry and geographic location, there are several rules and regulations on data protection your company has to comply with. This is nothing new: PCI DSS, SOX, GLBA, PIPEDA, Basel II and HIPAA compliance have been around for some time. The Data Protection Directive (aka Directive 95/46/EC) is also nothing new, as it was adopted by the European Union in 1995. Unlike a Directive, which needs national legislation to implement it, a Regulation applies directly and uniformly across all EU member states. It applies to small and medium companies just as it does to multinationals. It also applies to any company that processes personal data of people in the EU, wherever that company is based, so anybody doing business within the EU will have to comply with it.
Let’s take a look at some of the other changes the upcoming regulation will bring and find out why we shouldn’t fear it.
A lot has changed since 1995 so why not the EU Data Protection Directive?
Back in '95, the desired operating system was Windows 95. Today, given the chance, many people would go for a Mac. A mobile phone was a nice-to-have in '95, but an iOS or Android smartphone is definitely a must-have today. And what was the preferred storage medium back in the day? It was definitely not the cloud.
With so many changes in the IT industry (globalization, mobile workforces, mobile device fleets, BYOD, cloud storage and far more digital data), the EU Data Protection Directive needs updating. The Data Protection Regulation also lends a helping hand to all the companies that have struggled to obtain management's approval for security upgrades.
Most of it is common sense
One of the challenges is protecting personally identifiable information. It is easy to understand why someone's contact details, social security records, financial or healthcare records need to be protected. As individuals, we don't share our confidential information with everybody, so it is only natural to expect companies to ensure our confidential data is protected too.
Another point is that only authorized employees who need specific data for their day-to-day job should have access to it (in other words, least privilege). This also makes sense: HR needs access to employees' records, but it makes very little sense for the marketing department to have the same access.
One Europe with a common law
There might be different customs, laws and governments within the different countries in Europe but most of the companies are doing business internationally. Moreover, with the free movement of citizens, the customer-base also spans across countries.
Rather than having to deal with several regulating bodies, it is easier to deal with a single one. Whether in the unfortunate event of a data breach or simply in day-to-day operations, the EU Data Protection Regulation will help simplify things.
A bit of bad news: Fines and lawsuits
Obviously, in the event of a data breach, companies are looking at fines and potential lawsuits. As far as fines are concerned, the proposal puts them at up to €100 million or 5% of annual turnover. Add to that the fact that the burden of proof is reversed: after an incident, it is up to the business to demonstrate that it complied, so things theoretically don't look good.
The good news is that if a data breach occurs and your company can show the affected data was protected (e.g. encrypted) so that third parties cannot make sense of it, you are not required to notify the affected customers. Two caveats a practitioner should keep in mind: the breach still has to be reported to the supervisory authority, and the encryption only counts if the keys were not compromised along with the data.
The good news
The IT security sector has a lot to offer. There are thousands of vendors on the market that provide various solutions. From antivirus, firewall and application control to data loss prevention (DLP), encryption and mobile device management (MDM), there are plenty of solutions to choose from according to your business’ needs. Another advantage is that companies are no longer restricted to a specific operating system as solutions are available for Windows, Mac, Linux, iOS and Android.
There is no universal solution that will solve all the problems, but whether you pick a complete security suite or best-of-breed products, finding the security measures that are tailored to your environment is part of the fun. With the EU Data Protection Regulation in place, IT admins have another bargaining chip when convincing management to approve funds for IT security.