by Dr. Grigorios Fragkos, Senior Information Security Consultant, SysnetLabs
The globalisation of data and the enormous technological developments of the last decade raises a number of new challenges when it comes to data protection and privacy. Current privacy legislation has not yet caught up with the technology boom when it comes to personal data, and fails to consider aspects such as cloud storage and the wide spread use of social networks.
This is set to change with the launch of the proposed EU Data Protection Regulation. The new EU Data Protection Regulation will not only apply to European businesses, but it will also extend to all foreign companies that process data belonging to EU residents. Effectively, any business that has European customers will need to be compliant with the new regulation.
Where companies fail to meet the regulation, severe penalties may be issued; for example, penalties for loss of personal data will be up to 5% of the annual turnover or €100m depending on the size of the organisation. These penalties are designed to make sure that the Data Protection Regulation will be taken seriously in the boardroom.
The proposed regulation will enforce the process of regularly testing, assessing and evaluating the effectiveness of a company’s security policies. In addition, businesses will need to maintain records of all personal data that they process and, in the event of a breach, will be required to notify their local Data Protection Authority (DPA) within a legally defined timescale.
Businesses will also be required to adopt appropriate compliance procedures and policies for handling data that will need to be reviewed every two years along with privacy impact assessments.
The regulation expects businesses that handle the personal data of more than 5000 people within a twelve month period to appoint a named Data Protection Officer (DPO) to be responsible for implementing and managing compliance with the new Data Protection Regulation.
The appointed DPO does not have to be an employee of the company, which allows consultancy firms to act as appointed officers where no qualified internal resource is available to fulfil this requirement.
It is very important that organisations appoint a DPO with a good understanding of security and data privacy as new Data Privacy requirements will require all existing security and data protection measures, policies and procedures to be aligned to the new regulation. Staff training is also specified as a requirement of the proposed regulation.
The proposed EU Data Protection Regulation can be summarised as follows:
- Any businesses that processes personal data (including but not limited to payment details, customer records, healthcare information, etc.) on 5000 or more European citizens within a 12 months period will be required to adopt the full requirements of the regulation and must appoint a Data Protection Officer.
- A Data Protection policy is required that is capable of guiding employees of data protection best practice in a clear manner.
- Personal data being stored on laptops must be protected by encryption.
- Any data being stored in cloud networks must be encrypted and must also use encrypted channels while being transferred from one location to another. Transferring data to countries outside the European Economic Area (EEA) is restricted under the Regulation.
- Personal data sent over email must be encrypted to avoid accidental leakage. Personal data stored on removable media must be encrypted with access restricted to authorised users only.
The regulation states that consent for processing personal data should be explicit and must be obtained through affirmative action. It must also be equally easy to withdraw consent as it is to provide it, and the processing personal data of children under the age of 13 will require the explicit consent of parents or legal guardians.
Safeguarding businesses according to the proposed EU Data Protection Regulation will not be a trivial task that requires deep knowledge of current and emerging technologies, the evaluation of processes, policies and procedures, and implementation of technical controls to ensure the confidentiality of personal data.
This is where Sysnet can help. Our team of specialist Cybersecurity consultants understand the importance of data protection and our staff are highly skilled in a wide range of security disciplines including Data Protection, PCI DSS and ISO27001. We can provide consulting support to help you understand your Data Protection responsibilities.
We can also help you in designing, implementing and documenting appropriate security controls, procedures and policies to meet your obligations, all within a holistic cybersecurity framework that takes into account all other applicable standards or regulations that are appropriate for your business.
If you are a merchant that requires technical or PCI DSS help, please click here