Businesses believe improved customer trust is the biggest benefit of new data protection law
GDPR at a glance
The General Data Protection Regulation (GDPR) comes into force in the UK on 25 May 2018, replacing the Data Protection Act 1998. Designed to give people more control over their data, GDPR represents a challenge to organisations, who must bring their data protection policies into line with the regulation by the 2018 deadline. GDPR will compel organisations to secure clearer consent for using people’s information, and will introduce tougher fines for failing to protect people’s data.
This hub collates all the latest GDPR news as it happens, but please follow these links for more information on what the GDPR is, and how to prepare for it. Separate facts from the hype about GDPR with our article puncturing marketing hyperbole.
19/02/2018: UK firms will spend £1.3m to comply with GDPR
UK businesses have spent an average of £1.3 million to make themselves GDPR-ready ahead of the law applying in May this year, according to a study.
The data protection legislation comes into force on 25 May, and is designed to give EU citizens more power over what organisations can do with their data, as well as introducing tougher fines and tighter controls on organisations to prevent data misuse.
With little over three months to go until GDPR becomes law, 72% of organisations worldwide believe they will be ready for it, according to a survey. At 74%, the UK is more prepared than any other European nation surveyed by independent market research firm Coleman Parkes, but the US tops the list with 84% claiming they will be prepared.
Almost half of the nearly 1,000 organisations surveyed by Coleman Parkes, in association with DDI network services vendor EfficientIP, said the biggest advantage of compliance will be gaining customer trust, while 31% said brand awareness would get a boost, followed by 18% hoping it will increase customer loyalty.
Herve Dhelin, SVP of strategy at EfficientIP, said: “As organisations enter the final straight of GDPR compliance with 100 days to go, our research shows they have never been so close to regulatory compliance. There is still some work to do, but it is encouraging to see nearly three-quarters of businesses are ready.”
The study comes after a separate survey found that a quarter of London businesses were unaware of GDPR, while other research found that just 18% of firms currently have a procedure to notify customers in the event of a data breach – something they must do under GDPR.
02/02/2018: Most enterprises have no data-breach notification plan
A quarter of businesses will not be able to meet the GDPR’s 72-hour data breach notification window, while only 18 percent have a plan in place to notify customers if their data is breached, a report by Tripwire has revealed.
The firm said that in its survey of 406 cybersecurity professionals, less than 25 percent said they would be able to let authorities know their systems had been breached within 24 hours. Less than three quarters said they were only “somewhat prepared” to notify customers that their data had been breached, and would be forced to rectify the issue “on the fly” if they were to suffer a breach, which is far from an ideal strategy.
“When it comes to cybersecurity, it’s short-sighted to figure things out ‘on the fly,’” said Tim Erlin, vice president of product management and strategy at Tripwire.
“The majority of data breaches and security incidents can be avoided by following basic security steps and implementing tried and tested foundational controls. With GDPR coming into effect this year, running a business without a fully baked plan is really asking for trouble.”
Although over a third thought they would have no problem finding where customer data resides, saying their knowledge of its location is “excellent,” it’s worrying that more security professionals don’t know where their customer data is stored.
“There are plenty of tried and tested frameworks available from governing bodies in the cyber security space that can help organizations who feel like they’re struggling to prepare for a security incident and more specifically, GDPR,” Erlin added.
“If you are an organization subject to GDPR – and as the rules apply to all companies worldwide that process personal data of European Union (EU) data subjects, that will be the majority of global businesses – you are not alone. Start researching for resources that cater to your needs now to help you prepare, so that you aren’t hit with a big fine come May 2018.”
23/01/2018: A quarter of London’s firms are unaware of GDPR
One quarter of London businesses are entirely ignorant of GDPR, new research has discovered just four months before the EU’s new data protection rules apply in the UK and other member states.
The legislation, which will impose higher fines on organisations found to be careless with people’s personal data and will hand citizens more control over their information, will apply from 25 May.
But the London Chamber of Commerce and Industry (LCCI)’s survey of 500 of the capital’s firms found that 24% are unaware of the incoming legislation, while one in three believe it isn’t relevant to them.
In fact, the legislation applies to any organisation using the personal data of EU citizens (including employees), or any firm processing that data on another company’s behalf.
LCCI’s chief executive, Colin Stanbridge, said: “Businesses that are already vigilant about their data protection responsibilities are unlikely to be unduly burdened by the new legislation.
“However we would urge businesses to take this opportunity to review their processes to see if they need to make any changes to be compliant.”
The survey found that just 16% of businesses aware of GDPR believe they are prepared for it.
But the penalties for non-compliance are potentially high – while data protection authorities like the UK’s Information Commissioner’s Office (ICO) are currently able to issue fines of up to £500,000 for data protection breaches, under GDPR this will rise to up to 4% of a firm’s annual turnover, or €20 million.
These fines must be proportional to breaches, but regulators are likely to come down harder on firms that have made little effort to comply with the rules.
You can read about how to prepare for GDPR here.
03/11/2017: UK data watchdog opens GDPR helpline for SMBs
The Information Commissioner’s Office (ICO) this week launched a helpline for SMBs preparing for the General Data Protection Regulation (GDPR).
The phone service, which opened on 1 November, is designed to address the specific data protection challenges facing the estimated 5.4 million SMBs operating in the UK.
With staff on hand to answer questions, the service acts as an extra resource to the ICO’s existing guidance, with an emphasis on helping people with obstacles particular to their businesses.
Information Commissioner Elizabeth Denham said: “Small organisations want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start.
“They may have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do.
“Our new phone service and all the other resources already on our website plus even more advice and guidance yet to come will help steer small businesses through the new law.”
The ICO already offers firms of all sizes a 12-step guide to preparing for GDPR, which comes into effect in the UK from 25 May 2018, giving people more rights over their data, and imposing tougher fines on organisations that fail to protect it.
The data protection regulator is also revising its SMB toolkit in order to help firms fill any gaps they have discovered in their preparation for GDPR. Around 9,000 businesses a month have used the toolkit since January 2016, while the ICO’s 12-step guide has been viewed 73,000 times since May 2017.
06/08/2017: One in five large UK businesses are completely in the dark when it comes to the application of GDPR in their organisation, according to new data.
Citrix’s survey of 500 IT decision makers in such organisations found that 20% didn’t know if their company’s policies are compliant with GDPR.
One of the major problems facing these businesses is data sprawl. The study found that 21% of respondents use more than 40 systems to manage and store personal data – almost double the national average – with 47% saying they share this information with other organisations. Of that 47%, nearly half share the data with more than 50 companies.
While the majority said they retain complete control of this data, 15% said they don’t.
These figures present several problems. First, GDPR requires businesses to state a legal basis for collecting people’s data, which can range from getting a person’s explicit consent, to complying with a legal duty. Second, EU residents have the right to access all the data held about them and also to request their data is removed. Both of these may be a challenge when so many systems are used and if the data is no longer in the full control of the initial data controller.
Another issue raised by the survey is understanding data ownership – a key tenet of GDPR. Only 27% of those questioned thought personal data belonged to the customer, with 50% thinking it belongs to the organisation holding it.
Chris Mayers, chief security officer at Citrix, said: “Ensuring data privacy processes and systems are in place – from privacy by design to privacy by default – requires an organisation to know exactly where their data is and who can access it. Yet many are losing sight of data, spread across multiple systems and shared with multiple partners, while also struggling to scale up to store and control the huge influx of personal customer data they receive today.”
“Businesses must recognise that more centralised application and data storage environments will make it easier to meet technical compliance goals. This centralisation can be achieved in various ways, from introducing unified access controls across on-premise and cloud services with single sign-on to rolling out centrally-managed virtual workspaces. However it is done, controlling data sprawl and recognising enterprise accountability around data privacy will be key to GDPR compliance,” he added.
20/07/2017: The Cloud Industry Forum (CIF) has responded to what it sees as “uncertainty” in how authorities will determine data protection compliance by drawing up its own standards.
The EU General Data Protection Regulation (GDPR) comes into force across the soon-to-be 27-nation bloc on 25 May 2018, by which point any organisation handling EU residents’ data must be compliant or face tough fines for breaches of up to 4% of its annual turnover or €20 million, whichever is greater.
CIF is the latest organisation to air doubts that data protection authorities have a clear idea of how companies can achieve compliance, with no clear standards yet drawn up.
“It’s incumbent on cloud service providers (CSPs) to be able to demonstrate they have the required capabilities,” said CIF CEO Alex Hilton.
“However, in many ways the GDPR is an abstract and non-prescriptive piece of legislation and the absence of a concrete standard makes it difficult for certain companies to be sure that what they have put in place is compliant.”
As a result, CIF has updated its Code of Practice for CSPs to ensure they’re compliant with the stricter data protection rules, which hand EU residents more control over their personal data and require organisations holding or processing the data to be transparent about what they’re using it for.
Under GDPR, companies using cloud services are still liable for any breaches of the new rules, even if the breach is the CSP’s fault, so understanding that a CSP is compliant will be an important factor in deciding whether to sign a deal with them.
Frank Bennett, CIF deputy chair, said: “Customers selecting a new provider will include GDPR in their due diligence. For service providers, GDPR is a mission critical event for the retention of existing customers and winning new customers and the CIF Code is there to provide assurance to customers.”
Collaboration platform Box’s VP of compliance, Crispin Maung, told IT Pro earlier this year that data protection authorities “are struggling with figuring out what GDPR compliance really means and how they are going to measure [it]”.
Meanwhile, retailer John Lewis and bank HSBC both criticised the UK data protection authority’s guidance so far on GDPR compliance, calling it “woolly”.