New consumer protection rules on data come into force next year. While some are preparing for the implications, it seems too many still have their heads buried deep in the sand. Liz Booth reports…
Y2K may have started it off, but since then a series of acronyms seems to have ruled our lives. Now there is a new one to get our business heads around -- GDPR.
A little like the UK's Bribery Act, it is a set of rules that will affect us all but which, it appears, have yet to really impact our thinking.
Lawyers and technical experts alike, however, are warning that we need to wise up -- and wise up fast.
The EU's General Data Protection Regulation (GDPR), to give it its full title, comes into effect in the middle of next year, with wide-ranging rules and stiff penalties for those who fail to comply.
And it is not just about complying as a business; every organisation has to ensure compliance throughout its supply chain -- effectively bringing the whole world into play.
However, even with the threat of fines of up to €20m or 4% of global turnover (whichever is higher), a recent survey by DocsCorp reveals that two thirds of SME business owners either have no plan in place to tackle the legislation, or have no knowledge of it at all, despite the fact that it could drastically affect their operations.
It suggests this means either a steep learning curve, with expensive, last-minute compliance and training for employees, or fines if businesses fail to comply by the mid-2018 deadline.
Of the businesses surveyed, 47% admit to handling sensitive information like names, addresses and bank details, which might be transferred between computers through metadata and would therefore be required to comply with the new data handling legislation.
As part of the new legislation, business owners take on more stringent responsibility for the handling of metadata. But with the survey revealing that 30% of employers are not even aware of what metadata is, businesses will need to act fast to ensure that staff are brought up to speed.
This rises to 67% for businesses within the finance sector, where management is particularly unaware of the additional information being sent along with normal files, despite one fifth of all workers in the sector claiming to send in excess of 1,000 attachments every week.
Some 58% of businesses surveyed allow for remote working; employees are encouraged to work from home, coffee shops and hot desks in off-site locations, rather than lose billable hours travelling between meetings or conferences.
The risk of losing removable storage including USB sticks and external hard drives, portable devices and laptops, or accessing unencrypted Wi-Fi access points commonly used throughout the city, means remote workers will be under increased pressure to ensure the safe transfer of data and scrubbing of sensitive metadata.
The insurance industry itself is just as subject to the rules as any other sector. Robert Maddox, an associate at Debevoise & Plimpton, warns: "It is paramount the insurance industry is fully prepared to meet these new obligations, not least because it is a high risk sector.
"For example, the insurance industry is a prime target for cyberattacks because its large-scale data aggregation practices combine highly sensitive personal information in one location, as Anthem found out when it was hacked and around 80 million of its customers' records compromised.
"Indeed, insurers can be treasure troves for hackers, offering near-complete individual profiles containing names, addresses, dates of birth, financial information, employer details, health records and, in some cases, all of that information for entire families."
For the insurance sector, the potential range of situations covered is vast, he warns, adding: "It might include: a placing broker accidentally emailing a single applicant's health information to the wrong underwriter; a claims handler leaving hard copy claim forms on a train; a hacker exfiltrating millions of customers' personal details from an underwriter; or a sophisticated cyberattack."
One of the key tenets of the new legislation is that consumers will have greater rights to see what information is being held about them and can also request that such information is deleted.
Worryingly for the insurance sector, a survey by SAS reveals that a third of the consumers polled say they will ask insurers to delete their personal data under the new EU data protection legislation.
The research by SAS finds that almost half of UK adults intend to activate these new personal data rights, while 15% intend to do so in the month the law is ratified.
This is a high figure given the general lack of awareness about the legislation among businesses, let alone consumers. Once that awareness grows, all businesses will have to have the right processes in place to meet consumer demands -- or face those high penalties.
Time to get prepared…
- Two thirds of UK business owners have not heard about, or do not have any plans in place to comply with, the new GDPR legislation affecting security of metadata.
- 30% of all managers polled do not know what metadata is.
- 67% of managers in the finance sector admit to not knowing about metadata or the sensitive information it might contain.