EU General Data Protection Regulation

Transcription

1 WHITEPAPER EU General Data Protection Regulation UK Enterprise Inquiry Author SecureData April 2012

2 CONTENTS Part 1. Executive summary...2 Part 2. Analysis of key findings... 3 Part 3. Appendix... 7 Part 1. Executive Summary UK enterprise is facing a major new compliance challenge following proposed new data protection laws from the European Union. Although only at draft stage, the new General Data Protection Regulation expects to be agreed by the end of 2012, covering how companies operating in Europe capture, store, and use personal information. The regulation aims to replace the 1995 EU Data Protection Directive with a single directly applicable data protection law across all 27 EU member states. Initial feedback has been mixed and many media commentators have highlighted concerns from businesses large and small. However, no wideranging research of concerns has yet been conducted. SecureData therefore commissioned independent research company Vanson Bourne to survey senior IT managers in large UK enterprises which form part of this inquiry. KEY RESEARCH FINDINGS Carl Shallow, Head of Compliance, SecureData There is a high proportion of senior IT managers who have some level of responsibility regarding compliance across the enterprise. A clear majority of large UK enterprises believe the proposed legislation will cost them more. Businesses fear a number of unintended consequences from the draft legislation, such as advertising weaknesses and false alarms. Around a quarter of enterprises may consider outsourcing compliance and security roles. Consumers may have a right to be forgotten but hard-working growth businesses have a right to be remembered. The new internet economy is vital to Europe s economic recovery and the need for increased data protection must be finely balanced with freedoms for technological and business model innovation. Meanwhile, there is a clear need for organisations to begin planning how they will ensure they do not fall foul of this new legislation. 2

3 Part 2. Analysis of key findings 1. Do you have any responsibility for IT complaince in your organisarion? KEY FINDINGS Dealing with compliance issues is not the preserve of a few individuals. Senior IT managers across organisations have to understand and deal with compliance requirements. This data confirms the reliability of the surveyed audience for informed opinions on the EU s draft proposals for the General Data Protection Regulation. KEY COMPLIANCE REQUIREMENTS The draft legislation sets up a number of new requirements for businesses. Among these, the key areas for concern and attention are: Public bodies and enterprises with 250+ employees will be required to appoint a data protection officer. A right to be forgotten will allow the public to ask organisations to delete their personal data if there are no legitimate grounds for retaining it. Companies receiving such a request will be required to pass it on to any other company that has a copy of the data. Data breaches will have to be reported to authorities and affected customers within 24 hours. Independent national data protection authorities will be given new powers to fine companies that violate EU data protection rules up to 1 million or up to 2% of the global annual turnover. A single set of rules on data protection across the EU. Admin requirements, such as notification requirements for companies, will be removed. Increased responsibility and accountability for those processing personal data. 3

4 Organisations and the general public will only have to deal with a single national data protection authority in the EU country where they are based. Consent for data to be processed, must be given explicitly, rather than assumed. The public will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens. A new directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. 2. Do you believe the draft data protection rules will affect the associated costs of complaince for your organisation (if they become law)? KEY STATISTICS 59% of respondents said the draft data protection rules wouls cost their business more. This Increased to 72% for larger enterprises with more than 3000 employees and fell to 46% for those with Retail, distribution and transport sectors were most concerned with 72% saying it owuld cost them more, while financial services (56%), manufacturing (44%) and other commercial sectors (64%) completed the breakdown. 4

5 RECOMMENDATIONS Security and compliance individuals need to begin assessing the risk presented to their organisations. The list of draft compliance requirements is lengthy and this may include conversations with customers, suppliers andoutsourced IT partners. Across the enterprise, questions must be asked on exactly what is sensitive data and where does it reside. There is frequently an abundance of lost unstructured data siloed across the largest organisations IT estates. While databases and their data owners are more easily monitored, large organisations struggle managing Active Directory to authenticate and authorise all users and computers. The new act is an ideal opportunity to review data governance procedures and management solutions. 3. According to the draft rules, companies will be required to notify KEY COMPLIANCE REQUIREMENTS data protection authorities as well as an affected individual within 24 hours of a data breach to avoid fines. Which of these possible effects do you think this will have? KEY STATISTICS Limited agreement (64% and 58%) that the proposed regulations would improve business security processes and consumer data protection. 40% think the proposed 24-hour deadline for notifying individuals of a data breach would advertise security weaknesses before an appropriate security review could be completed. 36% fear false alarms from pressures to notify of data breaches quickly to avoid fines. 20% of enterprises with employees thought the 24-hour notification deadline would reduce the possibility of catching suspected data thieves, compared to 8% of larger enterprise with more than 3000 employees. 5

6 RECOMMENDATIONS Kick off security forums in your organisation to grow awareness of IT security, the proposed legislation and begin considering the risks posed. Develop an incident response plan that will be put into action in the case of data loss / breach. This will include notifying the relevant authorities and credit cards. Digital forensics, although time and resource intensive, can help catch and convict perpetrators and help build stronger systems in the future. 4. Which of these roles could you imagine beong outsourced from your organisation? KEY STATISTICS 26% of senior IT managers can imagine their enterprise outsourcing the data protection officer job role (as required under the proposed legislation). Firewall and network managers are the most likely security role to be outsourced at 35%. Only 8% of respondents in financial services would consider an outsourced CISO compared to 28% in the manufacturing sector RECOMMENDATIONS Regularly evaluate what makes sense to keep in-house and what services are better outsourced to an expert third party. A decade ago outsourcing your firewall or network manager was almost unthought-of, yet now this is regularly the case. Consider outsourcing the Chief Information Security Officer (CISO) function to save costs where an assigned senior security professional would be onsite for two days a month and use a series of online monitoring tools to maintain an information security management system (ISMS) 6

7 Part 3. Appendix SecureData commissioned a Vanson Bourne survey of 100 senior IT managers in large UK enterprises (more than 1,000 employees) across the financial services, manufacturing, retail, distribution/transport and other commercial sectors. The following questions were asked: Do you have any responsibility for IT compliance in your organisation? Do you believe the draft data protection rules will affect the associated costs of compliance for your organisation (if they become law)? According to the draft rules, companies will be required to notify data protection authorities as well as an affected individual within 24 hours of a data breach to avoid fines. Which of these possible affects do you think this will have? Which o f these roles could you imagine being ou tsourced from your organisation? SecureData compliance and risk practice Many organisations have reasonable security arrangements in place and in most cases a security posture that addresses their own specific risk requirements. What they struggle with is being able to measure, quantify and visualise the levels of security they have in place. We have assisted thousands of organisations across all types of industries in achieving the relevant security compliance for their industry including Payment Card Industry (PCI), ISO 27001, Data Protection Act etc. Complying with a security framework ensures that companies can measure, quantify and address all their security requirements. Advantages of compliance The implementation of a security framework for example, ISO 27001, within an organisation provides many benefits to an organisation, some of which can be summarised as follows: To meet legal requirements Compliance with ISO satisfies the legal obligations of Principle 7 of the Data Protection Act The responsibility for the protection of information confidentiality, integrity and availability rest with the senior management of an organisation and poor management practice could break the law and lead to both civil and criminal liability and its consequences (including unlimited fines). To achieve commercial advantage By gaining certification to ISO 27001, you will demonstrate to clients that your internal processes for information processing are in line with accepted best practice and thereby gain that competitive advantage. To avoid commercial disadvantage As ISO certification has becomes more widespread, business partners or clients may now demand that you have achieved the requirements of ISO certification before they will allow you to provide business services to them. 7

8 To facilitate business partnerships If you exchange or share information with business partners you will need to be satisfied that the information is appropriately protected from threats to its confidentiality, integrity and availability whilst it is outside your direct control. In other words you will need to ensure that the controls adopted by your business partners are at least as good as those you operate within your company. Our compliance and risk service has a history of developing solutions that deliver efficient, applicable and measurable reductions in organisational risk and thus improvement in the overall security posture. We engage with our customers at all stages of the security lifecycle, from initial risk reviews through to full security delivery. Consulting service portfolio The consulting service portfolio delivers framework and product security in line with organisational, industry and legislative specific requirements. 8