Year-long countdown begins for GDPR implementation

25 May 2017 | James Pearce

The General Data Protection Rule (GDPR) is set to come into play in exactly a year, but a number of experts are warning business leaders and telcos are completely unprepared for the “game-changing” EU legislation.

GDPR will completely overhaul the way countries who operate within the EU hold on to data, in one of the biggest overhauls in data protection history.

The way firms collect, store, process and protect the personal information of customers, clients and employees is being changed, introducing new definitions of consent and rights for consumers to erase or rectify data.

The regulation was adopted on 27 April 2017 and impacts not only businesses based in Europe, but also those who are based elsewhere but store customer data of anyone within the EU.

With just 365 days until the rule comes into force, the penalties for failing to adopt a GDPR-compliant strategy is steep, with possible sanctions ranging from a warning to a fine that can be as much as a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover.

Despite the potentially steep consequences of a data breach, research shows that an alarmingly high number of businesses are still failing to prepare adequately for the incoming rule changes. Security specialists Webroot carried out a survey among small businesses in the UK, and found that despite 81% of respondents being aware of the regulation, 20% of them had not even began to prepare for it.

"With 12 months to go it’s clear that SMBs in particular need to urgently focus their attention on both this issue and their wider cybersecurity posture," said Webroot’s Adam Nash.

"The fines and sanctions that can be levied for failure to comply means this needs to be a focus for SMBs. They must also consider the business impact if they are working with larger organisations that expect their suppliers to demonstrate accountability and compliance under GDPR."

Webroot also found that three quarters (73%) do not believe customer data will be any safer due to GDPR, and 51% thought they weren’t at risk of cyberattack.

According to Cisco’s annual cybersecurity report, today’s average large enterprise can face as many as 70,000 security events per week. The recent WannaCry attack, that hit a number of operators including Telefonica with ransomware, shows that even the most security conscious industries can be vulnerable. GDPR means the costs of such a breach could be even more devastating.

The rule changes are especially important for network operators, who often store and manage massive amounts of customer data, either on behalf of clients or businesses, or for their own retail arms.

Though operators are somewhat at an advantage, as they already have an obligation to disclose data breaches under the EU’s Regulation on the notification of personal data breaches within 24 hours of detection, the GDPR will still see a notable change in the way data is handled.

With all businesses coming under increasing pressure to become GDPR compliant, it is the duty of network providers to make sure their networks are secure, according to Exponential-e’s Jeff Finch.

He said: "The changes that will come into force as a result of GDPR are nothing short of monumental. If you are an operating business, then these changes affect you, as you will always be in some form of control of customer’s personal data – be that email and physical addresses or more personal details like medical and financial information. 

"In today’s business world, everything is digital. This means that, for the most part, every last piece of information will at some point travel over a network connection and be stored in a data centre. As such, it’s highly important that network and cloud providers are fully aware of the duty of care they must provide to their customers.

"GDPR changes the game – providers that store or transport any customer data must ensure they have a clear view of that data and what they are expected to do with it. Every situation that could fall foul of GDPR must be envisaged and efficiently planned for. It is also critical that data controllers are clear with their customers around what they can and cannot do in regards to abiding by this new regulation.

"Network providers need to ensure that they offer state-of the-art security services to customer data such as the ability to encrypt this information as it travels via networks and sits in a secure datacentre."

It isn’t all doom and gloom around GDPR, with a clear opportunity there for the vendor market. Analysts IDC have predicted the value of this opportunity could be as high as $3.5 billion, with businesses set to seek outside experts for help and advice as they transition to becoming GDPR-compliant.

IDC predicts that the opportunity for security software from GDPR-related concerns will rise from $811 million in 2016, to $1.8 billion by 2019. GDPR-related storage software will grow from $258 million in 2016 to $1.7 billion in 2019.

With a year to go, now is the time to make sure everything is in place, according to the chairman of the UK Data Protection Forum Ashley Winton.

Winton said: "Many companies are undertaking a detailed GDPR gap analysis or sophisticated data mapping, and whilst they can be useful tasks in themselves, it is worth re-examining them to see if they can be simplified in order to bring forward key remediation tasks.

"For many companies, GDPR compliance will be greatly assisted by alterations to existing databases and technologies, and so in the GDPR compliance triage, an immediate focus on technology could be a lifesaver. In the UK there will be no grace period for compliance with the GDPR so with 365 days to go and counting, now is the time for businesses to re-assess their approach to becoming compliant."

Topics: GDPR, EU, regulations, 2018, EC