Quentyn Taylor, Director of Information Security, Canon EMEA, believes GDPR is set to be one of the most impactful and significant pieces of legislation on data privacy.
The General Data Protection Regulation (GDPR) was initially published by the European Commission in January 2012. After several years of negotiation, it will come into force on 25 May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
While the narrative for most will focus on the significant fines associated with this new regulation, it is unclear whether these will be the biggest issue.
First, let’s get into some details on what the GDPR will do. The GDPR aims to harmonise data privacy laws across Europe to protect consumers from data breaches and to reshape the way businesses approach data privacy.
Data protection focuses on law and absolutes, whereas data privacy is more consumer-led. Data privacy can change in a weekend, whereas data protection is very rigid. For too long the focus has been on protection, aiding businesses, but at the cost of privacy and the consumer. The GDPR rebalances that equation and loads the dice in favour of the consumer.
The GDPR will ensure that businesses must make it clear from the outset how they will use a person’s data and ensure that they seek consent in clear and plain language online.
Companies found to be in breach of the GDPR can be fined up to €20m or 4% of global turnover (whichever is larger) for offences related to data processing, consent, transfer of data to a third party and more.
These fines, however, are just the tip of the iceberg. Most of the costs will be under the waterline and aren’t as obvious. Internal costs, legal costs, process changes and PR fees are all potential expenses if an organisation is not prepared. The ratio of fine to actual cost is likely to be around 1:10.
Cross-border data transfer is likely to become more of an issue also. This will become particularly important if a company has support staff outside of the EU, for example in the US or India.
IT departments will need to have an increased focus on data transfers and data location (as they should already). If they want to use a certain company outside the EU, there may be many other considerations and paperwork that could make this transfer unprofitable.
One of the biggest changes will be that the GDPR has extraterritorial scope. Even if you are outside the EU and have no assets from the EU, if you are processing data from the EU you are now in the sights of the GDPR.
The GDPR requires businesses to revisit how ‘safe’ they think they are from security breaches, but with a focus on structured data and external hacking attacks. Some closer-to-home aspects of pragmatic information security protection are easily overlooked and may not be in place.
A key focus area for Canon is to advise organisations on how to secure office networks and protect sensitive data held in documents. For many companies, information security starts and ends with structured data – the type that resides on systems of record like ERP and financial systems.
In the office, there are many more back-door areas to consider, such as the potential for someone to intercept unencrypted print data, access data from a printer hard drive potentially containing years of passport ID scans or payslip print data, target the weaknesses found in less familiar printer languages, or pick up discarded sensitive documents found in print output trays or waste paper bins.
The most important thing is that your IT department needs to act now. It needs a multi-disciplinary team (IT, legal, compliance) to prioritise data mapping and the shift to privacy by design.