EDITOR'S QUESTION

Luke Brown, VP EMEA at WinMagic
I don't see that businesses have any choice but to comply. But with just one month until the new legislation comes into force, there are still many companies that aren't ready for when it takes effect on May 25. I'm sure the intent to comply is there, but in many cases, companies simply lack the systems and processes to ensure compliance with the new legislation, which affects all companies holding and processing EU citizen data.

What does compliance actually mean? It's pretty straightforward. Compliance means that companies must deploy strong protection and detection capabilities and be able to prove they did what they could to protect themselves, their systems and their customers'/employees'/patients' data. According to the regulation, companies must have 'appropriate technical and organisational measures' in place to safeguard personal data, as well as minimise data collection, processing and storage.

I think we'll almost certainly see an increase in fines imposed by the Information Commissioner's Office against organisations who fail to protect systems and information. Because companies have such a wide variety of infrastructure, spanning everything from endpoints to data centres and cloud, this is not easy.
What is needed is an end-to-end data protection platform that works across all infrastructures. More importantly, it must also encrypt the data and ensure it stays encrypted until it's needed. Appropriate levels of encryption and anonymisation are a key requirement for GDPR compliance. Encryption also acts as a last line of defence in the event of a data breach, making data illegible when in the hands of unauthorised parties.

While companies will certainly have made general improvements in their preparations for the EU's General Data Protection Regulation, many will not be fully compliant with the regulation when it comes into force.

While many will have sought the necessary authorisations from EU citizens to store their data and use it for marketing etc., they will undoubtedly lack the processes and protections demanded by the legislation to ensure compliance and protect personally identifiable information (PII) with which they have been entrusted.

Effective control and management of the IT infrastructure spanning on-premises and cloud service providers for security, and specifically encryption, will be a critical component in meeting the legislative requirements and minimising the risks to consumers.

Non-compliance can lead to fines of €20 million or 4% of turnover, but this is far outweighed by the reputational damage that can occur from a data breach where non-compliance has heightened the risks for citizens.