25 May 2017
| James Pearce
The General Data Protection Regulation (GDPR) is set to apply in exactly a year, but a number of experts are warning that business leaders and telcos are completely unprepared for the "game-changing" EU legislation.
GDPR will completely overhaul the way organisations that operate
within the EU hold on to data, in one of the biggest shake-ups
in data protection history.
The way firms collect, store, process and protect the
personal information of customers, clients and employees is
being changed, with new definitions of consent and new rights
for consumers to have their data erased or rectified.
The regulation was adopted on 27 April 2016 and impacts not
only businesses based in Europe, but also those based elsewhere
that process the personal data of anyone within the EU.
With just 365 days until the regulation applies, the
penalties for failing to adopt a GDPR-compliant strategy are
steep, with possible sanctions ranging from a warning to a fine
of up to 20,000,000 EUR or up to 4% of annual worldwide
turnover, whichever is higher.
Despite the potentially steep consequences of a data breach,
research shows that an alarmingly high number of businesses are
still failing to prepare adequately for the incoming rule
changes. Security specialists Webroot carried out a survey
among small businesses in the UK, and found that despite 81% of
respondents being aware of the regulation, 20% of them had not
even begun to prepare for it.
"With 12 months to go it’s clear that SMBs in
particular need to urgently focus their attention on both this
issue and their wider cybersecurity posture," said
Webroot’s Adam Nash.
"The fines and sanctions that can be levied for failure to
comply mean this needs to be a focus for SMBs. They must also
consider the business impact if they are working with larger
organisations that expect their suppliers to demonstrate
accountability and compliance under GDPR."
Webroot also found that nearly three quarters (73%) of
respondents do not believe customer data will be any safer due
to GDPR, and 51% thought they weren't at risk of cyberattack.
According to Cisco's annual cybersecurity report, today's
average large enterprise can face as many as 70,000 security
events per week. The recent WannaCry attack, which hit a number
of operators including Telefonica with ransomware, shows that
even the most security-conscious industries can be vulnerable.
Under GDPR the costs of such a breach could be even more
devastating.
The rule changes are especially important for network
operators, who often store and manage massive amounts of
customer data, either on behalf of clients or businesses, or
for their own retail arms.
Operators are somewhat at an advantage, as they already have
an obligation under the EU's Regulation on the notification of
personal data breaches to report breaches to their national
authority within 24 hours of detection, but the GDPR will still
see a notable change in the way data is handled.
With all businesses coming under increasing pressure to
become GDPR compliant, it is the duty of network providers to
make sure their networks are secure, according to
Exponential-e’s Jeff Finch.
He said: "The changes that will come into force as a result
of GDPR are nothing short of monumental. If you are an
operating business, then these changes affect you, as you will
always be in some form of control of customer’s
personal data – be that email and physical addresses
or more personal details like medical and financial
"In today’s business world, everything is
digital. This means that, for the most part, every last piece
of information will at some point travel over a network
connection and be stored in a data centre. As such,
it’s highly important that network and cloud
providers are fully aware of the duty of care they must provide
to their customers.
"GDPR changes the game – providers that store or
transport any customer data must ensure they have a clear view
of that data and what they are expected to do with it. Every
situation that could fall foul of GDPR must be envisaged and
efficiently planned for. It is also critical that data
controllers are clear with their customers around what they can
and cannot do in regards to abiding by this new regulation.
"Network providers need to ensure that they offer
state-of-the-art security services to customer data such as the ability
to encrypt this information as it travels via networks and sits
in a secure datacentre."
It isn't all doom and gloom around GDPR, with a clear
opportunity there for the vendor market. Analysts at IDC have
predicted the value of this opportunity could be as high as
$3.5 billion, with businesses set to seek outside experts for
help and advice as they transition to becoming
IDC predicts that the opportunity for security software from
GDPR-related concerns will rise from $811 million in 2016, to
$1.8 billion by 2019. GDPR-related storage software will grow
from $258 million in 2016 to $1.7 billion in 2019.
With a year to go, now is the time to make sure everything
is in place, according to the chairman of the UK Data
Protection Forum, Ashley Winton.
Winton said: "Many companies are undertaking a detailed GDPR
gap analysis or sophisticated data mapping, and whilst they can
be useful tasks in themselves, it is worth re-examining them to
see if they can be simplified in order to bring forward key
"For many companies, GDPR compliance will be greatly
assisted by alterations to existing databases and technologies,
and so in the GDPR compliance triage, an immediate focus on
technology could be a lifesaver. In the UK there will be no
grace period for compliance with the GDPR so with 365 days to
go and counting, now is the time for businesses to re-assess
their approach to becoming compliant."