Earlier this year, European Commission VP Andrus Ansip and commissioner Vera Jourová made a statement regarding the EU’s long-awaited data protection reform, confirming a commitment to pass the new laws by the end of this year. Unfortunately for the organisations that will need to adhere to these rules, there is still little available in terms of definite details. Up until now, some of the key details to be aware of are that companies will likely be expected to respond more quickly, being ready to notify their customers within 24 hours in the event of a breach, as well as the possibility of fines being raised to 5 percent of global turnover for noncompliance.
Outside of this, much of the recent chatter around the forthcoming, revamped EU General Data Protection Regulation (GDPR) has focused primarily on the issue of privacy rather than data protection. Arguably ignited by the Snowden disclosures, and by the fact that questions about what information organisations are holding and why remain unanswered, privacy remains the most pressing issue when it comes to anticipating the details of the new legislation. Not only has it impacted the debate, but it has shaped the security industry more broadly. This is especially the case for the cloud business.
While the true cost of Snowden’s US government spying revelations to the cloud market has been much smaller than initially feared (see this Forrester blog), there can be no doubt that cloud service providers (CSPs) increasingly find themselves under pressure from security-conscious organisations to prove not just the robustness of their security credentials, but also to provide more visibility into the circumstances under which data can be accessed, by whom and for what purpose. This is especially the case in Germany, where an existing strong legal and policy bias toward staunchly protecting citizens’ privacy rights can present non-European businesses handling EU-specific data with a very specific challenge.
Companies concerned about privacy should be actively thinking now about how their data is organised and, in turn, how it is being protected. One thing we can presume is that the revamped data protection regulation will include a greater prescription for businesses to obfuscate ‘sensitive’ data. Given that the definition of ‘sensitive’ is open to interpretation and will constantly change as more information about our lives is stored electronically, there is going to be a need for much more dynamic and powerful tools and systems for protecting data.
Understanding the necessity of encryption, and how it works across multiple networks and in tandem with other solutions, is becoming increasingly important. At the end of the day, data breach incidents remain all too successful and all too newsworthy. Only by transparently encrypting data now will businesses help themselves avoid an endless game of data security/compliance/privacy whack-a-mole.