THE EU GENERAL DATA PROTECTION REGULATION: TIME TO ACT
A REPORT EXPLORING UK BUSINESS PREPAREDNESS FOR THE GDPR AND CURRENT CYBERSECURITY CONCERNS


INTRODUCTION

After four years of negotiations, Europe has finally taken a large step towards stronger, pan-European data privacy laws. In December 2015, European countries agreed the text of the new EU General Data Protection Regulation (GDPR) reforms, which every organisation will need to comply with by 25th May, The new data privacy laws aren't just about compliance - the rules and regulations relating to how organisations capture, store, process and share staff and customer data are all about to change.

The GDPR represents the most momentous change in data protection legislation in the past 20 years; it's the first attempt to create strong, meaningful and enforceable data protection laws for Europe's 500 million plus citizens. The new legislation will be far reaching and is set to bulldoze through corporate organisational processes and policies, from HR departments to sales and marketing.

With the UK economic landscape increasingly dominated by globalised or 'without borders' virtual businesses, fast-growth technology and data-led operations, the cost of failing to protect data or play by the new EU rules has massive implications on the growth and shape of our future workplace.

The new laws will give regulators real means to clamp down on misconduct. Failure to comply simply won't be an option - firms breaching EU data protection rules could be fined as much as 4% of annual turnover - for global internet companies in particular. What's more, the GDPR will also be applicable to merchants and retailers based outside of Europe who supply goods and services to European citizens if they process or hold EU citizen data.

If you are processing data outside of the EU, you will still need to conform to the GDPR and will be caught by the sanctions if you fall foul. A large number of technology companies are facing a compliance requirement for European law, whereas they previously thought they were exempt.
Conor Ward, Hogan Lovells International LLP

The regulation will also clarify the laws around citizens' 'right to be forgotten', give them a right to know when their data has been compromised, a right to transfer their data between providers, easier access to their own data and transparency around how it is processed.

It will be two years before the GDPR bares its teeth but companies face major logistical challenges to get a grip on their data, especially unstructured data scattered across multiple platforms. There is a need to educate businesses on the impact of these regulations; UK businesses not only lack awareness of the far-reaching changes that are coming, they are also not ready.

Having been the first to investigate European business preparedness for the EU GDPR in 2014, Trend Micro has now partnered with research consultancy Opinium to investigate whether there has been an improvement in UK business readiness for the new regulation, their current concerns with meeting the agreed laws and the impact of the Safe Harbour invalidation in October.

GDPR: AWARENESS GROWS BUT THE DEVIL'S IN THE DETAIL

Awareness of the EU's General Data Protection Regulation is growing, albeit slowly: the research shows a fifth (20%) of UK IT decision makers are still unaware of the now formalised GDPR. When asked the same question in 2014, 50% of companies stated they were unaware of the impending regulation. Public sector organisations (43%), construction & engineering companies (50%) and SMEs (47%) are worst off.

Of those surveyed, 71% think that the GDPR would apply to their organisation; however, almost a third (29%) don't think that the regulation would apply to them, or are unsure.

Two years after the regulation was first announced, the progress is visible but it's slow. That's alarming given that significant data protection legislation has been in place for a very long time - not only on the EU level but also in the UK - presumably making it easier for companies to take the steps needed to become compliant. Rik Ferguson, Vice President of Security Research at Trend Micro, believes the problem lies in the lack of motivation. Current data protection legislation lacks teeth and companies that aren't compliant with current legislation don't face any meaningful consequences, making it harder for the GDPR to be taken seriously, according to Rik.

As often happens with regulation, it's going to take a whipping boy to understand the gravity of the situation for most organisations. One high-profile case of a company handing money over for non-compliance under the GDPR will be the required wake-up call the rest of the industry needs to get their act together.
Rik Ferguson, Trend Micro

Under the GDPR, failure to comply with regulation can have a big impact on a company's bottom line - with organisations facing fines up to 4% of their annual turnover for non-compliance. Almost a fifth of companies (18%) aren't currently aware that they may face fines and 32% know there are fines but are unaware of what they are.

When asked what impact potential fines would have on their organisation, 30% claim even a fine of 2% of their annual turnover would have a significant impact on their business, with almost half (47%) saying the same for a fine of 4%.

The level of fines and impact in terms of forced disclosure has made the EU GDPR a board level issue rather than an IT issue. In the past the IT teams would be driving the strategy around cyber protection, with the board fighting against it because they're spending money. Now the boards are protecting themselves, their jobs and their companies from potentially huge fines as well as brand damage associated with forced disclosure.
James Walker, Trend Micro

If you do not comply with the law you will be facing hefty fines. For example, penalties of up to 10m or 2% of your total worldwide annual turnover apply for not putting in place adequate security or for not reporting breaches when they occur. If you don't comply with some of the fundamental provisions in the regulation such as obtaining necessary consent, the fine can go up to 4% of your total worldwide annual turnover or 20M, whichever is greater. These fines can be catastrophic amounts when it comes to an SME.
Conor Ward, Hogan Lovells International LLP

SANCTIONS

The GDPR establishes a tiered approach to penalties for breach which enables the DPAs to impose fines for some infringements of up to 4% of annual worldwide turnover (e.g. breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent). Other specified infringements would attract a fine of up to 2% of annual worldwide turnover.

It's time to act. If organisations want to avoid fines they have less than two years to get to grips with the new regulation. The problem is that not all businesses are aware of this timeline. A quarter of companies (26%) don't know how much time they have to become compliant. Just under a third (31%) think their organisation has within 6 to 12 months to become compliant, with over one in ten (11%) thinking they have much longer - between 2 to 3 years.

According to Bharat Mistry, Cybersecurity Consultant at Trend Micro, the Brexit decision may lead companies to put off efforts to become compliant even further:

Certainly some smaller organisations we talk to are not rushing to become compliant as they don't want to invest too much time and resource if there's a chance the GDPR won't be affecting them after all. Those organisations must remember that the decision for the UK to leave the EU will have no impact on companies that handle data of or provide services to European citizens.
Bharat Mistry, Trend Micro

Two years seems like a long period of time, but in reality it will pass very quickly and businesses really need to understand what data they have today and what data they may be using in the future. The sensible companies are already taking steps - the longer you leave it, the more difficult it will become and the greater the risk that you won't be compliant when it comes into effect.
Conor Ward, Hogan Lovells International LLP

Knowing the timeline to adhere to the regulation isn't the only issue here; it's also crucial organisations understand the steps they need to take to ensure compliance. And when it comes to understanding the GDPR requirements, the devil, as always, is in the detail. Just over half of companies (55%) know about the GDPR requirements but almost one in ten (8%) IT decision makers don't understand what steps they need to take.

Only 22% are aware they need to hire a Data Protection Officer to comply with the GDPR and there's some confusion over who is responsible for ensuring that compliance.

Public authorities will automatically have to have a Data Protection Officer. In the private sector it's a slightly different regime. If you're a controller or processor and process personal data on a large scale you will have to have a Data Protection Officer. The Data Protection Officer will need to have a strong understanding of the regulation, the organisation and the types of data it is processing, where the data is obtained from, under what basis it's obtained and how it's being accessed and used. It's also important that they remain independent from the senior management team.
Conor Ward, Hogan Lovells International LLP

DATA PROTECTION OFFICERS

In certain circumstances data controllers and processors must designate a Data Protection Officer (the DPO) as part of their accountability programme. The compromise threshold is (i) processing is carried out by a public authority, (ii) the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, or (iii) the core activities consist of processing on a large scale of special categories of data.

Two in five (42%) think the responsibility lies with the organisation as a whole for ensuring compliance, with a quarter (24%) thinking responsibility lies specifically with the CEO. There's also some further confusion around who will be accountable if EU data handled by a US service provider is breached, with 39% of organisations thinking the data owner based in the EU is to be held responsible and 16% thinking the service provider based in the US is liable. Three in ten (30%) think both are liable. For many companies, the list of questions around the GDPR only grows the closer it gets to the deadline.

Under the new regulations, any company or individual that processes data will be held responsible for its protection, including third parties such as cloud providers. In simple terms, anyone who touches or has access to data, regardless of location, is responsible in the case of a data breach. For many companies, increased investment in IT security and a focus on employee training on data protection are key initiatives taken to comply with the GDPR:

What steps does your organisation need to take to comply with the General Data Protection Regulation?
- Increase investment in IT security: 44%
- Increase employee training on data protection: 42%
- Increase business insurance policy in the event of a data breach: 37%
- Hire a Data Protection Officer: 22%
- Hire a 3rd party to ensure compliance: 22%
- Other (please specify): 1%
- We don't understand what steps we need to take to ensure compliance: 8%
- Nothing, we do not need to take any further steps to ensure compliance as we are confident we now have sufficient protection in place: 7%
- Nothing, it doesn't apply to us: 1%

When it comes to challenges that businesses face, a quarter (25%) of IT decision makers see restricted resources as the biggest barrier to improving processes and complying with data protection regulations. Other barriers include:
- A lack of formal process in place to notify of a data breach (21%)
- A lack of financial resources (20%)
- A lack of formal process in place to enable clear identification of data location and ownership (19%)

In addition, the GDPR text states that the controller or processor should implement 'state of the art' security relative to the risks and nature of the personal data to be protected. However, organisations are confused as to what this means. Just over one in ten (12%) don't know how to define 'state of the art'. Twenty nine per cent of companies that claim they understand what is meant by 'state of the art' security believe it to be defined as security technology that has had independent third party tests carried out, with a similar proportion (25%) believing it to mean security technology from an established and experienced market leader. Rik Ferguson explains:

The GDPR is formulated differently than some of the more prescriptive regulation currently in place. Instead of stating that organisations require a certain type of encryption algorithm or end-to-end solution, the GDPR is oriented at how organisations do business and how they process information. By definition it is more open to interpretation. Although that makes the regulation more difficult for companies to follow, it does mean it's more strategic in approach, covering a process rather than a moment and encouraging businesses to think of security in a more holistic way.
Rik Ferguson, Trend Micro

There are other considerations at play here too. With Safe Harbour invalidated in October 2015, and its replacement Privacy Shield only introduced in February 2016, many businesses have been left in limbo when it comes to data transfer.

Many companies are sitting tight until a decision is reached. The landmark ruling represents a significant challenge for more than 4,000 European and US companies whose business depends on enabling seamless trans-border data transfers. Twelve per cent of those surveyed adhere to the now obsolete Safe Harbour regulation.

DATA BREACHES: CONFIDENCE ON THE RISE, BUT TRANSPARENCY STILL LACKING

The recent spate of high profile data breaches such as the cases of TalkTalk and Sony, and more recently the spectacular leak of documents from Mossack Fonseca, has had an impact on how organisations think about their own cybersecurity. Because of those high-profile examples, 83% of companies have had a full rethink about their data protection strategy and 43% of those have introduced new processes as a result. Key initiatives include hashed passwords, introduced by 36% of organisations, and better staff awareness programmes introduced by 43% of companies. Other common steps taken were:
- A new data protection policy (33%)
- Implementation of encryption technologies (32%)
- Remote wipe technology for lost devices (29%)

That's good news. By putting the right processes and technology in place, organisations are starting to proactively respond to an increasingly digitally-savvy customer base. Half of IT decision makers (50%) say their customers are demanding greater transparency with regard to how much of their personal data is being kept and where it is stored, compared to 37% in

Business confidence in the industry's data protection capabilities is growing too. The majority of UK organisations are confident they are protected against data breaches as best as they can be (74% now compared to 69% in 2014), with public sector companies, retailers and large organisations being the most confident (43%, 43% and 44% respectively). Interestingly only 11% of financial services organisations feel very confident that they're as secure as they can be against a data breach.

There's still a lot of false confidence around the technologies that organisations have invested in and the processes they've put in place for what could be termed older threats both internal and external. Organisations need to evaluate whether the technology they bought 5-10 years ago is the right technology to protect them against the latest threats. Many organisations believe they are covered which is a false sense of reality. A re-evaluation could be needed.
James Walker, Trend Micro

To protect against data theft, 56% of financial services companies have introduced remote wipe technology for lost devices to prevent loss of corporate/customer data. Other steps such as encrypted passwords (44%), increased staff awareness (44%) and more transparent process to identify, locate and secure data (44%) have also been adopted.

In addition, a high proportion of companies think they have adequate processes and technology in place to address any customer 'right to be forgotten' requests for the following:
- The data their organisation collects on its customers: Yes 72%, No 16%
- The data which partners of their organisation collect on their customers: Yes 61%, No 17%
- The data Cloud Service Providers they work with collect on their customers: Yes 60%, No 17%
- The data their third party agencies collect on their customers: Yes 57%, No 17%

RIGHT TO BE FORGOTTEN

Individuals can require the erasure of their personal data without undue delay by the data controller in certain situations. A good example is where they withdraw consent and no other legal ground for processing applies. This topic has attracted a huge amount of interest, particularly following the CJEU decision in the Google vs. Spain case.

Yet that confidence doesn't translate into transparency. While more than half (57%) of organisations have a formal process in place to notify the data protection authority within 72 hours in the event of data breach as stipulated by the EU GDPR, one in five organisations purposely avoid notifying customers. This grows to one in three for large businesses (between 1000 and 3000 employees). In the financial services sector for example, 56% of organisations have introduced processes to notify the data protection authority within 72 hours in the event of a data breach and always do so, but as many as 22% still avoid notifying customers.

In my experience of having worked on a number of incidents involving data breaches, very often organisations are unaware that they've suffered a breach for several months. In some well documented cases, they are unaware for several years. Recent research shows that the average length of time taken to discover a breach has increased by 50% over the last months, so typically you're looking at days before people even realise there has been a breach. A recent example would be the TalkTalk breach where the initial view was that the breach was much more significant than it turned out to be, which caused massive reputational damage. So for organisations to report details of a breach within 72 hours is a tough ask and requires significant preparation.
Conor Ward, Hogan Lovells International LLP

DATA BREACH NOTIFICATION

Data controllers must notify most data breaches to the DPA. This must be done without undue delay and, where feasible, within 72 hours of awareness. A reasoned justification must be provided if this timeframe is not met. In some cases, the data controller must also notify the affected data subjects without undue delay.

Does your business have a formal process in place to notify the data protection authority within 72 hours in the event of a data breach?
- Yes, and we always do: 57%
- Yes, but we avoid notifying customers: 19%
- No: 19%
- Don't know: 5%

For unsuspecting consumers affected by the breach this means increased exposure to identity theft, financial fraud, and being left vulnerable to social engineering attacks. Rik Ferguson explains:

Unfortunately, the decision on whether to notify customers or keep a breach under wraps still comes down to a simple risk management calculation for many organisations. If customers are notified the effect on business and reputation can be significant. Not notifying customers, on the other hand, gives companies hope to avoid sanctions, brand damage and any potential customer payouts.
Rik Ferguson, Trend Micro

Dishonesty is never a valid approach for a business. With the new GDPR regulation in place organisations will be obliged to notify customers or face legal implications, thus making the costs and benefits balance much less straightforward.

While forgetful or rogue employees were seen as the biggest data threats in 2014, organisations today see cyber criminals (35%) as their biggest concern.

Which of the following do you see as the biggest threat to your data?
- Cyber criminals: 35%
- Accidental loss by employees: 20%
- Deliberate theft by employees: 11%
- Competitors: 9%
- Customers: 8%
- Government: 7%
- Lost devices: 6%
- Industrial espionage: 4%

CONCLUSION

The time to comply with the new regulation is running out. It is clear organisations in the UK still have a long way to go to become compliant and avoid hefty fines. While awareness of the GDPR has grown, businesses need to do more to understand the timelines and requirements of the new law as crucial first steps in ensuring adequate protection for their customers' data.

Most businesses already have legal obligations based on current legislation; there's a lot companies can and should be conforming to when it comes to data protection.

While the GDPR has the potential to shake up data protection strategies and its proposed fine system will force companies into compliance, its impending arrival highlights a much larger problem. Despite growing confidence in their ability to protect themselves against data breaches, organisations in the UK are behind when it comes to data protection. A large proportion of companies don't even adhere to current data protection regulation: only 63% of companies adhere to the Data Protection Act, 27% to the EU Data Protection Directive and 22% to the EU Cyber Security Directive. More than one in ten (11%) are even unaware which regulations their businesses need to adhere to.

Navigating complex regulation can be a challenge for many companies, but it is not an excuse to do nothing. Overconfidence in one's own security systems, lack of understanding of the various threats and the fact that the GDPR won't be in place until 2018 means many companies feel they can put compliance with data regulation on the back burner. It's a false economy. Rik Ferguson comments:

At the end of the day compliance will be non-negotiable and it's in organisation's own interest to carefully plan compliance strategies in time for regulation to hit, rather than implement them in a knee-jerk reaction.
Rik Ferguson, Trend Micro

There's one final consideration all businesses need to make.

Compliance with regulation is often only a very first step towards better data security. Thus it's important businesses keep in mind that becoming compliant shouldn't be the ultimate destination on their quest of becoming secure. Compliance is an obligation; security should be an aspiration.
Rik Ferguson, Trend Micro

3 KEY STEPS TO COMPLIANCE

By James Walker, Cyber Security Consultant at Trend Micro

01 Understand your data

Firstly, understand what data you hold, where it is stored, how it is held, who has access to it and whether the number of people who have access to this data should be limited. Understanding this and ensuring adequate controls are in place will reduce the opportunity for a breach and ultimately reduce the cost to the business and brand reputation.

02 Create a breach notification plan

Develop a breach notification plan involving the entire organisation to ensure that a breach can be communicated smoothly, accurately and with as little damage to the organisation as possible. This should involve not just IT, but across the HR, PR, marketing and leadership teams. When the plan is in place, use fire drills to practice it as well.

03 Invest in the right technologies to deal with insider and external threats

There's still a lot of false confidence around the technologies that organisations have invested in and processes they've put in place for what could be termed older threats both internal and external. Organisations need to evaluate whether the technology they bought 5-10 years ago is the right technology to protect them against the latest threats. Many organisations believe they are covered, which is a false sense of reality and a re-evaluation could be needed.

Internal users

Despite the best intentions employees make mistakes and there will be some who deliberately try to steal corporate information. Businesses need to look at the following solutions:
- Data protection controls like encryption; if a device is lost with personal identifiable information on, the data is safe
- Ensure you also have remote wipe capabilities on these remote devices
- Data-loss prevention technology can control the types of data that can move around or out of the organisation

External users

Additional controls to stop external parties exploiting your organisation include:
- Locking down what applications can run, so malicious software can't run on the endpoints. Not just anti-malware, but technologies like endpoint application control
- Ensure encryption of data on mobile devices that leave the organisation
- To deal with the risk of unpatched operating systems and applications, virtual patching can be used to stop remote exploitation of the unpatched vulnerabilities
- Breach-detection solutions that will identify where your network has been compromised, so you can take the adequate steps to stop those external groups from trying to steal your valuable and PII (Personal Identifiable Information) data

Over the next two years we expect to see guidance from regulatory authorities over what determines 'state of the art' technologies and standards will be produced to clarify what technology will be appropriate to keep data secure. However, this will have to be subject to ongoing monitoring because technology quickly gets overtaken and new security threats emerge. What can be seen to be secure today can be found to have fundamental flaws tomorrow, so you have to keep on top of your game and ensure you're aware of the latest technological developments.
Conor Ward, Hogan Lovells International LLP

ABOUT THE RESEARCH

The research was carried out in March 2016 by Opinium and surveyed 100 senior IT decision makers across the UK.

ABOUT TREND MICRO

Trend Micro Incorporated (TYO: 4704), a global leader in security software, strives to make the world safe for exchanging digital information. Our solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. Leveraging these solutions, organizations can protect their end users, their evolving data center and cloud resources, and their information threatened by sophisticated targeted attacks. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe.

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

20

Records Management Perspectives:

Records Management Perspectives: Records Management Perspectives: Unprepared, unaware, unmoved. Why companies must wake up to the challenges of the EU General Data Protection Regulation The power of memory www.crownrms.com The business

More information

GDPR factsheet Key provisions and steps for compliance

GDPR factsheet Key provisions and steps for compliance GDPR factsheet Key provisions and steps for compliance Organisations hold vast amounts of personal data relating to customers, employees, and suppliers as well as within marketing databases. Compliance

More information

WHITE PAPER EU General Data Protection Regulation Compliance

WHITE PAPER EU General Data Protection Regulation Compliance WHITE PAPER EU General Data Protection Regulation Compliance Table of Contents 1. SAP is ready for GDPR 04 1.1. Data Protection Processes 04 1.2. Data Protection Thresholds 05 1.3. Technical & Organizational

More information

9 Ways Accountants Can Prepare for GDPR

9 Ways Accountants Can Prepare for GDPR 9 Ways Accountants Can Prepare for GDPR This guide contains nine ways Accountants can prepare for the arrival of The General Data Protection Regulation (GDPR) that is replacing the Data Protection Act

More information

General Data Protection Regulation

General Data Protection Regulation October 2017 Whitepaper General Data Protection Regulation What does it mean for you and your organization? Page 1 General Data Protection Regulation (GDPR) From May 2018, the General Data Protection Regulation,

More information

GDPR Factsheet - Key Provisions and steps for Compliance

GDPR Factsheet - Key Provisions and steps for Compliance GDPR Factsheet - Key Provisions and steps for Compliance Organisations in the Leisure & Hospitality industry hold vast amounts of personal data relating to customers, employees, and suppliers as well as

More information

9 Ways Businesses Can Prepare for GDPR

9 Ways Businesses Can Prepare for GDPR 9 Ways Businesses Can Prepare for GDPR This guide contains nine ways businesses can prepare for the arrival of The General Data Protection Regulation (GDPR) that is replacing the Data Protection Act 1998

More information

The GDPR enforcement deadline is looming are you ready?

Compliance Is this relevant to the Wealth Management community in Asia? It is relevant to your business if you have an establishment

Ready for the GDPR, Ready for the Digital Economy Fast-Track Your Midsized Business for the Digital Economy While Addressing GDPR Requirements

SAP Database and Data Management Portfolio/SAP GRC Solutions

GDPR: A PRAGMATIC APPROACH

AUTHOR: KOEN CLAESSENS PARTNER - BDO RISK & ASSURANCE SERVICES INTRODUCTION Numerous information sessions have been held and publications issued about the whys and wherefores

EU General Data Protection Regulation: Are you ready?

Powered by Global Markets EY Knowledge Contents What do you need to know about the new EU General Data Protection Regulation? Are organisations ready

EU General Data Protection Regulation in the digital age: Are you ready?

What do you need to know about the new EU General Data Protection Regulation? Data protection has entered a period of unprecedented

A PRACTICAL GUIDE FOR HOW AN ADVERTISER CAN PREPARE FOR GDPR JANUARY 2018

PURPOSE OF THIS DOCUMENT This document is to be used as a guide for advertisers on how they should work with their agencies,

Preparation Guide to the New European General Data Protection Regulation

1. Introduction 2. The Application of the Regulation to Businesses The General Data Protection Regulation (GDPR) is to protect citizens

Ready for GDPR? Five steps to turn compliance into your advantage

2017 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG

The GDPR The Clock is Ticking An industry report on GDPR preparedness

This report details just how prepared (or otherwise) British businesses are for the new regulations,

GDPR and Canadian organizations: Addressing key challenges

Cyber Risk The regulation

Compliance. Checklist. 10 Steps to Compliance EU GDPR GDPR. Clearly. Raise Awareness. Data. with the New. and Consent. Protection.


Get ready. A Guide to the General Data Protection Regulation (GDPR) elavon.ie

The General Data Protection Regulation (GDPR) will regulate the privacy and handling of the personal data of individuals in

EU GENERAL DATA PROTECTION REGULATION (GDPR) COMPLIANCE ARE YOU PREPARED? What You Need to Know to Make Your Data Transfers Compliant

MAY 25 SAVE THE DATE May 25, 2018 The General Data Protection Regulation

EU General Data Protection Regulation (GDPR)

A Brief Overview of the EU General Data Protection Regulation (GDPR) November 2017 What is the GDPR? After several years in the making, on 8 April 2016 the European Council finally adopted Regulation

Countdown to GDPR: Challenges and Concerns

With just months left to go before the General Data Protection Regulation (GDPR) deadline on May 25, 2018, we wanted to understand where cybersecurity professionals

GDPR: What Every MSP Needs to Know

Speaker Robert J. Scott Agenda Purpose GDPR Intent & Obligations Applicability Subject-matter and objectives Material scope Territorial scope New Rights

EU General Data Protection Regulation: are you ready?

Contents What you need to know about the new EU General Data Protection Regulation Is your organization ready for the EU General Data Protection Regulation?

THE GENERAL DATA PROTECTION REGULATION (GDPR) Get the facts and prepare your business

Table of Contents Executive Summary How will the GDPR affect security professionals? When is it coming? Who does it affect? What about Brexit? What does

GDPR & SMART PIA. Wageningen University Feb 2017

Tips for Action: Anticipate on the new EU General Data Protection Regulation (GDPR) to determine the privacy standards GDPR has been adopted by EU Parliament

General Data Protection Regulation. Jim Sneddon GDPR-P, CISSP

"The GDPR is actually already in force, it is just that Member States are not obligated to apply it until 25 May 2018. It's your job, it's your

GDPR Compliance Benchmarking: Measuring Accountability

Copyright 2017 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual

General Data Protection Regulation (GDPR) New regulation for the protection of data

Executive summary This manual has been developed by Retail Excellence in association with Grant Thornton to provide retailers

EU-GDPR and the cloud. Heike Fiedler-Phelps January 13, 2018

Disclaimer SAP does not provide legal advice The following presentation is only about a high level discussion about GDPR. EU-GDPR Summary

Ready or Not: SMBs and the GDPR

Introduction The deadline for General Data Protection Regulation (GDPR) compliance draws closer for organisations across the world. With fewer than 12 months to ensure compliance

General Data Protection Regulation Philippe Roggeband. Business Development, Manager, GSSO EMEAR

Why should you care? Data Protection, and compliance with the General Data Protection regulation, is NOT

EU data protection reform

Background and insight A Whitepaper Executive summary The Irish Data Protection Acts 1988 and 2003 gave effect to the European Data Protection Directive 95/46/EC. The existing

2018 GLOBANET GDPR REPORT

CHAPTER 1: Fears of Brand Damage, Job Loss, Company Livelihood Surface as Businesses Try to Come to Grips with GDPR Compliance The deadline looms on the horizon: 25 May, 2018.

Drowning in data or diving into opportunity?

AN ENSIGHTEN STRATEGY BRIEF The marketer's guide to complying with GDPR and understanding its benefits Introduction As the 25th May 2018 fast approaches, marketers

GDPR is coming in 108 days: Are you ready?

Charles-Albert Helleputte Partner, Brussels Diletta De Cicco Legal Consultant, Brussels 6 February 2018

The ecommerce Guide to GDPR. How to Ensure Compliance and a Competitive Edge

Table of Contents Executive Summary What is the GDPR? What Does the GDPR Mean to ecommerce? Challenges to Overcome

Accountability under the GDPR: What does it mean for Boards & Senior Management?

Alan Calder Founder & Executive Chairman IT Governance Ltd 19 January 2017 www.itgovernance.co.uk Introduction Alan Calder

The General Data Protection Regulation (GDPR)

Risk Regulation Cyber security Preparing your business for the GDPR Contents What is the GDPR and what does it change? Understanding the core

GDPR and Its Implications

Key Takeaways The EU General Data Protection Regulation (GDPR) requires enterprises to track all instances of customer PII across the organization, to obtain customer consent for the use of their PII (including

YOU'RE ONLY AS STRONG AS YOUR WEAKEST LINK

GDPR & THIRD PARTY RISK QUICK GUIDE GDPR Resistance is Futile The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC

The Sage quick start guide for businesses

General Data Protection Regulation (GDPR): The Sage quick start guide for businesses Contents Introduction Infographic: GDPR at a Glance The basics The GDPR in summary Individual rights and informing

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

The first IBM Personal Computer was introduced just over 35 years ago, on August 12, 1981. The first-generation iPhone was introduced in the

FIVE STEPS TO COMPLIANCE ... GDPR: KEY CONSIDERATIONS FOR CUSTOMER SERVICE TEAMS.

www.parkersoftware.com Unless you've been living a life of blissful regulatory-ignorance, you will

The General Data Protection Regulation (GDPR)

Risk Regulation Cyber security Preparing your business for the GDPR September 2017 Contents What is the GDPR and what does it change? What is

10 WAYS YOUR SMALL BUSINESS CAN PREPARE FOR GDPR

This guide covers all the key facts of GDPR, what will change to current data protection laws, whether Brexit will affect GDPR, and how KashFlow have been

What you need to know. about GDPR. as a Financial Broker. Sponsored by

Dear Partner The regulatory and compliance environment is ever changing and the burden and requirements on financial services professionals continues

Guidance on the General Data Protection Regulation: (1) Getting started

Guidance Note IR03/16 20th February 2017 Gibraltar Regulatory Authority Information Rights Division 2nd Floor, Eurotowers 4, 1

TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION

Awareness Data Stream Map Communication Rights of the subject Legal basis Consent Data Breaches Privacy by design and PIA

With financial penalties of up to 4 percent of global annual turnover, are you up-to-date on the General Data Protection Regulation?

The General Data Protection Regulation The GDPR applies to all organizations

General Data Protection Regulation (GDPR): Is your business prepared? MWL Systems

www.mwlsystems.co.uk From May 2018 new data protection regulations will come into force which will significantly impact

Consulting Champions

Get GDPR Ready with SOLA Consulting A bespoke GDPR compliance offering covering people, process, technology and data www.solagroup.com SOLA Consulting is part of SOLA Group Ltd Contents

The General Data Protection Regulation: What does it mean for you?

We are here to help The changes being introduced in the EU General Data Protection Regulation 2016 (GDPR) will be the biggest shake-up

GDPR journey: from ready to compliant GDPR survey results

Readiness at a glance The General Data Protection Regulation (or GDPR) took full effect on 25 May 2018. As a key data protection regulation,

Rexel Shredding. Why a paper security policy is integral to GDPR compliance.

Disclaimer Nothing contained herein should be construed as legal advice. Organisations should consult legal counsel with regard

Gearing up for GDPR Compliance - Practical steps to ensure compliance with the revised data protection regulation. Chris Bernau.

Chris Bernau October 2016 Agenda 1. What do we know about GDPR? 2. How should we approach

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction

Introduction On April 2016 the European Parliament approved the General Data Protection Regulation (GDPR). This new regulation, with mandatory implementation by Member States (MS) and businesses that have

GDPR Service Information Sheet

What is GDPR? General Data Protection Regulation (GDPR) - is a policy that comes into effect from the 25th May 2018. Any business that processes the personal data of EU individuals,

Data Protection (internal) Audit prior to May (In preparation for that date)

Data Protection (internal) Audit prior to May 2018. (In preparation for that date) For employers without a dedicated data protection or compliance function, a Data Protection Audit can seem like an overwhelming

The General Data Protection Regulation (GDPR)

Risk Regulation Cyber security Preparing your business for the GDPR September 2017 Contents What is the GDPR and what does it change? Understanding

Planning for the General Data Protection Regulation

IBM Analytics White Paper Protect, govern and know your data with help from IBM Overview Customer

The Quick Guide to Payroll Compliance

content guide Advice from the experts on how to manage and maintain compliance Contents Staying informed Tax-related compliance Four tips for continuous compliance

What does the GDPR mean for recruitment?

www.recruitment.software Contents What is GDPR? In May 2018, Europe's new data protection rules will come into effect. Who is responsible? What are the

SAP and SAP Ariba Solution Support for GDPR Compliance

Frequently Asked Questions EXTERNAL The General Data Protection Regulation (GDPR) SAP Ariba Source-to-Settle Solutions The European Union's General

General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) What is the GDPR? The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) was adopted on 27 April,

GDPR Compliance Services. Data Privacy and Security Management Services

About Data Privacy Services Data Privacy Services is a dedicated consultancy covering a range of professional services relating to the European Union's General Data Protection

GDPR. Are you ready for the GDPR countdown?

SOLUTIONS LOOK TO THE FUTURE There's more to than just compliance; find out how to use the new regulation as a springboard to unlocking greater business value from your

Find out about the General Data Protection Regulation (GDPR) and what your club will need to do to comply with the Law.

This short guide will give you an introduction to the General Data Protection Regulation

PERSPECTIVE. GDPR - An industry and geography agnostic regulation. Abstract

As the deadline to comply with the General Data Protection Regulation (GDPR) draws near, many organizations are unaware of what

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner,

Deloitte, Cyber Advisory Table of Contents Introduction

Banking in the Balance: Security vs. Convenience. IBM Trusteer's Valerie Bradford on How to Assess Digital Identities

In an interview about overcoming these challenges, Bradford discusses: The fundamental

GDPR is coming soon. Are you ready. Steven Ringelberg.

Agenda Who am I Overview What data do you have that is covered and where is it? What rights do individual data

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

Who are we? Dillistone Group Plc, a public company listed on the AIM market of the London stock

A guide to GDPR the effect on all UK organisations

Personal Data Penalties Consent Data Breach Notification GDPR Right to Object Data Portability Right to be Forgotten A white paper from Eazipay Ltd October

Connecting and protecting what matters most. Global security, cloud and networking services

Digital technology has changed how we do almost everything, and continues

GENERAL DATA PROTECTION REGULATION Guidance Notes

What is the GDPR? Currently, the law on data protection requiring the handling of data which identifies people to be done in a fair way, is contained in

Securing Intel's External Online Presence

IT@Intel White Paper Intel IT IT Best Practices Information Security May 2011 Executive Overview Overall, the Intel Secure External Presence program has effectively

GDPR: The devil is in the data

A recent newspaper article chose a revealing headline: GDPR: the new data-protection law giving watchdogs a mega-bite. Much of the coverage of the EU's new General Data

GDPR General Data Protection Regulation

Compliance Information Guide - May 2018 About this document Ticket Arena & Event Genius Disclaimer DISCLAIMER: This is a brief presentation for information purposes

General Data Protection Regulation. The changes in data protection law and what this means for your church.


Make Your Business Stronger with Smarter Customer Insights

Survey Dynamix Smarter Customer Insights Give Businesses The Competitive Edge It's a highly competitive landscape out there for

Customer Data Protection. Temenos module for the General Data Protection Regulation (GDPR)

Contents Glossary GDPR Geographical Scope GDPR implementation status Overview of GDPR Financial Institutions

Online Leave Tracking & Absence Management GDPR FOR HR

Many of our existing and prospective clients have questions regarding the introduction of the GDPR in May 2018 and what their obligations under the

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

ARRIVAL OF GDPR IN 2018 The European Union (EU) General Data Protection Regulation (GDPR), which takes effect in 2018, will bring changes

General Data Protection Regulation - Explained

Bernard Cogan & Bobby Gould CUNA Mutual Group ACE Conference & AGM 2017 12th May 13th May 2017 Copthorne Hotel (Birmingham) Are you familiar with GDPR Don't

The GDPR: What does it mean for executive search?

At Invenias, we are committed to working in partnership with our customers to ensure a streamlined journey to compliance. Our customers benefit from data

European Union General Data Protection Regulation 25th May 2018

External Frequently Asked Questions

5-Step Guide For GDPR Compliance

A Guide For Constructing Your Planning Timeline www.avr.co.uk This document provides a framework for all companies that have customers in Europe, as they have to prepare

Data protection in light of the GDPR

How to protect your organization's most sensitive data Why is data protection important? Your data is one of your most prized assets. Your clients entrust you with

Thrive under the GDPR

Unlock greater opportunity with your data Contents Introduction Why can Experian help? Experian's GDPR package Data Cataloguing Sensitive data landscape Data Integrity Quality and integrity

QUANTUM GDPR POINT OF VIEW ARTICLE WILL STRICT NEW EU DATA LAWS CREATE ISSUES OR OPPORTUNITIES FOR TODAY'S MARKETERS? OPT-IN?

Quantum Marketing Group Point of View Paper Spring 2016 1 Issues or opportunities? 2 What is the B2B challenge?

EU General Data Protection Regulation

Steve Norledge, UKI GDPR Leader Sol Barron, Information Governance Specialist February 2017 Getting Started with GDPR GDPR significantly extends EU member-state data

Brexit: Business Impact and Why SAP is More Relevant than Ever

SAP Point of View 2016 July 2016 2016 SAP SE or an SAP affiliate company. All

Introduction to the General Data Protection Regulation (GDPR)

#CIPR / @CIPR_UK This guide is worth 5 CPD points Contents 1 Introduction

General Data Protection Regulation and the Public Sector

Tuesday 30 May 2017 @mhclawyers Welcome Edward Gleeson Partner & Head of Public & Administrative Law Mason Hayes & Curran GDPR for Public Bodies

The implications of the EU General Data Protection Regulation 2016 for ICT Disposal

(and how ADISA Certification helps data processors and data controllers meet changing regulations) Author: Steve Mellings

GDPR. Applying the General Data Protection Regulation to your business

Mediaburst SMS Guide Contents Introduction 12 steps to take now Who does it apply to? What information does it apply to?

An overview of EU Data Protection Regulation 2016 in terms of asset recovery / disposal.

(including a review of the potential impact of Brexit.) Author: Steve Mellings July 2016 V1.1 Abstract on Brexit.

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

Presented by: Sabrina Guenther Frigo Overview Background Basic Principles Scope Lawful Processing Data Subjects Rights Accountability & Governance Data Transfers

Mind the Gap: GDPR Ahead. Rakesh Sancheti. Author. July Vice President and Business Head - Analytics, Europe and Nordic

Author Rakesh Sancheti Vice President and Business Head - Analytics, Europe and Nordic July 2017 The regulatory environment has become increasingly complex, with new regulations being introduced across