The General Data Protection Regulation (GDPR) is expected to be deployed in 2017, tying together the principles of data protection within every nation in the EU. GDPR has been devised to address the changing ways in which companies function in the modern world. This will be done by tackling concerns surrounding the protection of personal data on social networking sites, as well as data stored and transferred in the public Cloud. But how will these changes affect those of us on the ground? The introduction of penalties of up to 4% of global annual turnover and the obligation to report data leaks are sure to have a significant impact on the way companies approach data protection.
In the absence of a crystal ball, here is a view of what companies can do to ensure that they are protecting the sensitive information they hold about their employees and customers and avoid being hit by new data protection penalties.
Whether your business is based in Europe, or you are a non-EU business with data traded or stored inside Europe, it is probable that the upcoming European data protection regulations will change how you deal with your staff and client data.
Considering international collaboration
The recent growth in globalisation has given birth to a borderless corporate philosophy where data can immediately be shared between different countries and devices. Our means of storing and distributing data have dramatically evolved in the last ten years and it is imperative that the regulations around protecting data are evaluated and altered to mirror this; a business’ firewall cannot defend sensitive data when it is shared with third parties.
One of the major changes in the GDPR is expanding the territorial scope of the laws to include not only companies that are established in the EU. The new regulation will also affect those that are based elsewhere but processing personal data of people residing in the EU. Now, many organisations that were outside the scope of application will be directly subject to the requirements.
This development brings the important question of data residency squarely into the limelight. Now more than ever, EU-based businesses and individuals are questioning if their data is being handled and stored in EU-based data centres. Under GDPR, businesses will have to ensure that the information stored in their data centres never leaves the country-specific legal area without authorisation.
The recently repealed Safe Harbour Agreement between Europe and the United States shows that even the European Court of Justice (ECJ) believes that data from Europe is not always safe when stored overseas. Although customers will likely be able to approve the transmission and processing of their data on both sides of the Atlantic, businesses currently run the risk of violating European privacy laws and allowing business-critical information to fall into the wrong hands if they store data outside the EU.
Dealing with sensitive information – what is the right approach?
Whether your business has 50 or 5,000 employees, it is likely that you deal with a substantial amount of client and customer sensitive data, be that contact details, social media activity or professional and personal records. Especially when considering the increase in Cloud services, this sensitive information is now likely to be stored outside of the business itself, as well as internally. With GDPR around the corner, it is imperative that businesses evaluate the way they gather, categorise, store, distribute and defend the data they acquire.
Under the new regime, the definition of ‘personal data’ is expected to broaden, bringing many more types of information into the regulated perimeter. Businesses will also have to make sure that this far wider scope of relevant data is secured by adopting modern encryption methods and other technical safeguards such as rights management, two-factor authentication, operator shielding and full audit trails. While this may sound like a significant burden to businesses, many data-handling solution providers are already offering data protection by “default”, meaning that products and services are automatically provisioned with the highest level of privacy.
Information is a valuable asset to businesses and one that needs to be effectively guarded to protect customer information and trade secrets. However, it also needs to be communicated and shared with third parties. There is a fine balance between operating effectively with the right access to data, while also protecting the privacy of the data subjects and complying with regulations. Simple and secure technical measures need to be put in place to ensure this balance is possible.
Straightforward, but secure collaboration
In this day and age, a large proportion of businesses are required to work with external parties in order to stay current, but they must also meet data protection regulations if they are going to protect client information and their own reputation. By introducing an easy-to-implement, easy-to-use storage and collaboration technology, businesses will find it much more straightforward to achieve both requirements of modern business.
When sharing data with third parties, wherever they are located, businesses should consider adopting a collaboration platform that is simple for employees to use and supports them in their everyday work, so it is perceived as a helpful tool rather than a hindrance.
To make it easier for your business to protect customers’ data and comply with GDPR, you should opt for a collaboration platform that:
- Protects data transmission and storage by cryptographic means
- Has strong authentication measures to ensure only authorised users can access data
- Allows you to tailor users’ access rights and modify what they can do with a document
- Provides a tamperproof audit trail, enabling traceable and transparent insight into how documents are being used and edited
- Is accessible securely when employees are travelling abroad or are out of the office
If you haven’t already done so, now is the best time to start preparing your business for the full implementation of GDPR in 2017. By reviewing the way your company collects, stores and shares data with these new data protection regulations in mind, you will be able to ensure your ongoing compliance and avoid devastating fines and reputation damage in the future.