In future, companies must take steps to protect their data better; if they don't, they will face higher penalties. On European Data Protection Day, January 28th, 2018, we are focusing on the EU General Data Protection Regulation: what are the benefits from a company perspective, and what measures do companies need to take?
Names and email addresses of customers and business partners, sickness records and criminal records, account and credit card numbers: the list of personal data is long. Nearly every company collects and stores personal data. According to a survey undertaken by Bitkom, Germany's digital association, personal data plays a fundamental role in about 40 percent of companies. Every third business specifically analyses personal data in order to improve its products, customer relationships and services, and more insurers, utility companies and financial institutions are following suit.
This type of data will be better protected in future: the deadline for applying the new General Data Protection Regulation (EU GDPR) is 25th May 2018. In all EU member states, all data that identifies a natural person (Article 4(1) GDPR) must be collected, processed, stored, used and deleted according to the same rules. The regulation applies to all companies operating within the EU, as well as to companies outside the EU that handle personal data of people in the EU. Previously, data protection law was set at national level.
How does this affect companies?
Companies need to adapt their processes across the organization. That sounds like a lot of work, and it is. It is not just customer and business partner contact data, car registration numbers, account and credit card numbers, but also information relating to employees such as time sheets, personnel numbers, certificates, references, sick notes and many other sources of data. Companies are forced to change their routines and adapt their software. Doing nothing is not an option (unless an organization has several million to spare).
If companies don't protect the data, they'll have to pay up: up to 20 million euros or 4 percent of annual turnover.
Companies may only use data for clearly defined purposes, may only collect the minimum amount of data needed for those purposes, and must delete it after a defined period of time. Departments need new access rights and authorization concepts. Routines for restricting, deleting and archiving data need to be reviewed. For the processing of data it is recommended to adopt pseudonymization and, where possible, anonymization. Moreover, it may be necessary to rewrite certain contracts, as in future declarations of consent will have to be more specific and there will be additional information and reporting requirements to follow. And that is not even everything.
If companies choose to do nothing, they face penalties of up to 20 million euros or 4 percent of global annual turnover, whichever is higher. That is far higher than any penalty for failing to comply with national regulations. The risk of actually receiving a penalty also rises, because more fines will be imposed for non-compliance. One example is the record of processing activities, which documents internal processing operations and is already mandatory for some companies today. From May onwards, a company without one can be fined up to 10 million euros or 2 percent of turnover, and according to Bitkom the majority still do not have one in place.
The message is clear: in Europe, data protection is more important than ever, especially as attacks on data are on the increase. Almost two thirds of the companies questioned, across all industries in Germany, Great Britain and France, have registered at least one data protection breach in the past two years, according to a study by the cyber security organization Proofpoint. Many of the security rules in place today were written before the internet became so widespread.
Cyber criminals love financial institutions, insurance companies and health providers
Criminals focus their attacks on financial institutions: over the past two years a quarter of the companies questioned have suffered a cyber attack. Medical data is even more lucrative for criminals: on the black market, medical data is worth 10 times more than credit card numbers. It is unfortunate, then, that health providers still tend to work with old IT systems.
Insurance companies are also at risk, as they handle sensitive data. Such companies depend on maintaining the trust of their customers. If a company does not treat its customers' data with the utmost care, there could be a negative effect on business. Insurance CEOs worldwide are aware of this: around 79 percent of them regard the threat of cyber attacks as detrimental to business growth (source: PricewaterhouseCoopers).
Any organization that has not yet looked into GDPR needs to get a move on. The prize: competitive advantage
Despite knowing all the facts and threats, the implementation of GDPR is slow across the board. One in three companies admits to having paid little attention to the new regulation so far. "For companies that have not yet started preparing, it will soon be too late," says Susanne Dehmel, Manager of Law and Security at Bitkom. "Burying one's head in the sand and waiting it out can be very expensive."
Many appear to be overwhelmed: more than half of those questioned admit they cannot assess the amount of work involved. Many fail to realise that GDPR not only involves a lot of work, but also provides an opportunity. As well as creating a level playing field thanks to uniform EU-wide rules, it also brings some concrete advantages.
Centralized data is easier to manage, analyse and automate. Pseudonymized data can be used for testing and passed on to third parties with far less risk, and pseudonymization counts in favour of further processing for purposes beyond the original one (Article 6(4) GDPR), although such data remains personal data; only properly anonymized data, which can no longer be linked to a person, falls outside the regulation. Fraud can be detected more easily, as patterns become easier to identify, and customer queries can be handled more quickly. The less data stored, the less storage space is required and the lower the risk of becoming a victim of a cyber attack.
Last but not least, there is an opportunity to invest in something priceless: trust. People appreciate it if they feel they can trust a company with their personal data. Companies that give control of personal data back to their customers, and that offer them the chance to become unknown again by deleting their personal footprint internally, will gain a massive competitive advantage.
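Two of the measures mentioned above, pseudonymizing identifying fields so that records stay joinable for analysis and purging records once the retention period has run out, can be made concrete in code. The following Python example is added here for illustration and is not code from the article or from Convista; the customer records, the field names and the retention period are constructed assumptions. The tokens are keyed HMAC-SHA256 values, so the same email always yields the same token under one key (records remain linkable for fraud-pattern analysis), while the token alone reveals nothing about the value. The lookup table that reverses a token is the "additional information" the GDPR requires to be kept separately (Article 4(5)).

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample dataset for the example (fictitious people, not from the article).
CUSTOMERS = [
    {"id": "C-1001", "email": "alice@example.com",
     "iban": "DE02120300000000202051", "last_activity": "2017-03-01", "plan": "basic"},
    {"id": "C-1002", "email": "bob@example.com",
     "iban": "DE02500105170137075030", "last_activity": "2018-01-15", "plan": "premium"},
    {"id": "C-1003", "email": "alice@example.com",
     "iban": "DE02120300000000202051", "last_activity": "2018-01-20", "plan": "basic"},
]

# Assumed set of fields that identify a person and therefore get tokenized.
IDENTIFYING_FIELDS = ("email", "iban")


class Pseudonymizer:
    """Keyed, deterministic pseudonymization of individual field values.

    token = field + "_" + HMAC-SHA256(key, field || 0x00 || value)[:20 hex chars]
    The field name is mixed in so that the same string used as an email and as
    a name does not collide. The reverse mapping (token -> value) is held in a
    separate structure that must be stored apart from the pseudonymized data.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._lookup = {}  # token -> original value; keep this separate from the dataset

    def tokenize(self, field: str, value: str) -> str:
        msg = f"{field}\x00{value}".encode("utf-8")
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = f"{field}_{mac[:20]}"
        self._lookup[token] = value
        return token

    def reidentify(self, token: str) -> str:
        """Reverse a token. Only the holder of the lookup table can do this."""
        return self._lookup[token]


def pseudonymize(records, ps: Pseudonymizer, fields=IDENTIFYING_FIELDS):
    """Return a copy of the records with identifying fields replaced by tokens."""
    return [
        {k: (ps.tokenize(k, v) if k in fields else v) for k, v in rec.items()}
        for rec in records
    ]


def purge_expired(records, today_iso: str, retention_days: int):
    """Storage limitation: keep only records with activity inside the retention period."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    return [r for r in records if date.fromisoformat(r["last_activity"]) >= cutoff]


if __name__ == "__main__":
    # Fresh random key per deployment; in practice it lives in a key store, not with the data.
    ps = Pseudonymizer(secrets.token_bytes(32))
    kept = purge_expired(CUSTOMERS, "2018-05-25", retention_days=365)
    analytics_copy = pseudonymize(kept, ps)
    for row in analytics_copy:
        print(row)
    # Re-identification is possible only with the separately held lookup table.
    print(ps.reidentify(analytics_copy[0]["email"]))
```

Because the tokens are deterministic under one key, the two Alice records above still share a token and can be joined or counted, but whoever receives only the pseudonymized copy and not the key or the lookup table cannot get the email back. Changing the key yields entirely different tokens, which is how separate datasets for different recipients are kept unlinkable.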
European Data Protection Day is a welcome reminder that we need to get our act together and implement the new regulation.
To implement the processes and technical requirements quickly and in line with the new regulation, half of all companies have decided to work with experts in this area. If you would like more information on how you can ensure data is handled in line with GDPR across various platforms, please get in touch. For more information go to: https://www.convista.com/eu-dsgvo.
A representative survey, conducted on behalf of Bitkom, of 507 individuals responsible for data protection (data protection officers, directors, IT managers) from companies with more than 20 employees, across all industries in Germany.
A study by the cyber security company Proofpoint, conducted from 22nd to 29th September 2017, with a sample of 1,500 IT decision makers from companies with at least 200 employees in Great Britain, France and Germany. At least 500 participants from diverse industries were questioned in each country.