Is your organization ready for the biggest shake-up of data protection laws in 20 years?
The European Union’s General Data Protection Regulation (GDPR) enters into force this year, with the aim of giving individuals in the EU greater control over what happens to their personal data and of containing the growing problem of cyber risk. It will also put unprecedented pressure on companies, both inside and outside the EU, to clean up their act on personal data: how it is collected, stored, transmitted and deleted.
Failing to comply won’t come cheaply: fines for the most serious breaches will be up to 4% of global annual turnover or €20m, whichever is greater. That is a much bigger stick than the current maximum of £0.5m that the UK Information Commissioner’s Office can impose for data breaches.
Many organizations will also need to appoint a data protection officer, and all of them will have to be able to demonstrate how they are complying with the legislation. Above all, organizations need to understand that this is coming; burying one’s head in the sand is not an option. They also need to recognize that complying with the law is vital, but it is not the endgame in protecting data and building cyber resilience. That journey never ends!
The compliance challenge
Complying with the law is difficult for companies because it requires clarity on where data resides and where it flows. In today’s growing cloud environment, and especially in large companies, data is dispersed globally. From a resilience perspective that makes sense, but it does make data hard to track.
The definition of personal data has become broader, and companies have to recognize individuals’ “right to be forgotten” (the right to erasure) and work out how that right will be exercised in practice. That requires a positive, two-way interaction between organizations and the people whose data they hold.
And what about the role of the data protection officer? That person will need expert knowledge of data protection law and practice and may even sit within the legal function. But, along with that, this pivotal role should also involve making sure everyone across the organization has the skills and behaviours to comply and to keep the organization safe from data disasters. That requires a mix of technical, legal and people skills.
But there’s a hill to climb for anyone occupying this role, as AXELOS’ recent research revealed. We found that in a quarter of UK organizations fewer than 50% of staff had completed cyber security awareness learning; only 46% of organizations provide such training beyond induction or an annual e-learning refresher; and fewer than a third believe what they offer helps change staff behaviour in relation to cyber security. That is potentially a lot of employees who could open the door to a data breach, and to a colossal fine for their employer.
Have no doubt: people are going to need the right skills to handle information resiliently and to minimize the risks involved, the greatest of which is the moment of weakness when an employee is tricked into doing something online, such as opening an attachment or clicking on a link, that starts a chain of events which is very hard to stop.
The new EU legislation provides a two-year window for organizations to plan and implement compliance. They therefore have to start thinking about it now, to understand what the regulation requires and what that means for them, and to budget for the resources needed.
Predictably, organizations will rush to data privacy lawyers and technology as their first line of defence. What is actually needed is sensible, pragmatic cyber security awareness and learning that creates and embeds sound, resilient cyber behaviours among their people.
See our RESILIA™ section for more information about cyber resilience.
Cyber resilience: Are your people your most effective defence? - AXELOS Cyber resilience research report
Cyber resilience infographic - visual representation of key points from the report
Are your people playing an effective role in your cyber resilience? - AXELOS guide for employers
More AXELOS blog posts by Mark Logsdon are available on the AXELOS blog.