Today, data breaches are a regular occurrence. Last year many companies lost customer data, and there was an epidemic of medical data breaches in the US. Businesses can no longer afford to gamble on not getting hacked; they must assume they will be targeted at some point. It is therefore essential that companies have robust protection in place to mitigate the risk of data loss.
The European Union (EU) has been working on new regulations which will harmonise the data protection laws currently in place across the EU member states. The last time Europe looked at data protection was twenty years ago, when it passed the 1995 EU Data Protection Directive. The Directive required member states to transpose guidance from Europe into their own local interpretation of the law, which meant different standards and levels of protection were applied in different regions.
Crucially, the forthcoming regulation will make implementation of the new EU law mandatory, and will also apply to non-EU-based organisations which hold data on European citizens. This covers everything from names and email addresses to bank details and medical records. In a further step, Europe wants to fine companies up to five per cent of their annual worldwide turnover if they leave customer data at risk from cyber criminals.
So, why is Europe ramping up data protection for European citizens’ data now? For a start, the cyber security landscape is unrecognisable compared to the nineties. Mobile devices are now commonplace, and mobile working is a matter of course, which means that company data regularly moves outside the traditional corporate security perimeter. In an age where the German government is considering a return to typewriters to protect documents from hackers, employees are accessing sensitive data from personal smartphones and tablets, not to mention third-party cloud providers, often without checking application permissions and browser security.
In light of this, questions remain as to how prepared UK businesses are for the new regulations, and what steps they have taken to inform employees across the organisation of the changes in the law. A recent survey by Sophos of over 1,500 office workers in the UK, France and Germany revealed that while 84 per cent of end-users agreed Europe needs stronger data protection laws, 77 per cent were not confident their organisations complied with the current regulations. Only 23 per cent of those surveyed were completely confident their organisations complied with current data protection regulations.
In this context, what steps should organisations take to ensure compliance with the forthcoming Data Protection Regulation? As a starting point, companies should have a clear, defined and unified cyber security policy in place as part of their wider IT policy. To address the current threat landscape, this policy should cover every device on the corporate network. Today’s breed of hacker is willing to go to any lengths to exploit security loopholes in order to access sensitive data. This is further compounded by the onslaught of malware, increasing spam and highly persuasive phishing techniques, all of which are problematic for end-users across the business who unwittingly put data at risk.
A solid data protection strategy as part of the security policy should undoubtedly include encryption. Because it renders data unintelligible, encryption is widely accepted as an adequate means of meeting the new requirements. Furthermore, if encrypted data is lost or stolen, it is essentially worthless: no one can access the actual data. And that is the crux of data protection laws and regulations.