Will new EU laws end 'deafening hush' over data breaches?

New requirement to report breaches could thrust cybersecurity up boardroom agenda and boost consultancy opportunities for channel, according to security suppliers

The newly approved EU data protection rules have "real teeth" and will thrust cybercrime further up the boardroom agenda, say security service providers.

The General Data Protection Regulations (GDPR), which were given final approval by the European Parliament last Thursday, aim to "give citizens back control of their personal data" and harmonise data protection rules across Europe.

The new regime, which replaces current data protection rules dating back to 1995, will see firms fined up to four per cent of annual turnover for non-compliance.

Crucially, companies will now in many cases be required to notify authorities of a data breach.

Under current UK laws, only communications services providers are obliged to give notification of personal data breaches to the Information Commissioner's Office.

Etienne Greeff, CEO of security services firm SecureData, said the GDPR's impact "should not be underestimated".

"It has real teeth," Greeff said, adding that the two years firms have to become compliant "isn't a lot of time".

"Breach notification, which they have in Germany but not elsewhere, will raise the profile of cybercrime," he said. "At the moment, telecoms firms have to acknowledge when they are breached but other companies don't. There is a huge opportunity to advise businesses on how to get up to speed."

A deafening hush

Ian Kilpatrick, chairman of IT security distributor Wick Hill, said the GDPR's introduction would help end the "deafening hush" surrounding data breaches in Europe.

"The EU is not a breach-free zone; it's an admission-free zone. People are losing data over here and not telling anyone," Kilpatrick said.

"Organisations that should know better have not taken simple steps to secure their company's data, and it needed something like this to get people to step up to the mark. This will help people consider at a boardroom level the necessity of taking the right steps."

According to Article 31 of the GDPR, breached firms must alert authorities within 72 hours, disclosing information such as the approximate number of data subjects implicated.

However, Article 32 states that there are some circumstances where notification will not be required, for instance if the firm had implemented "appropriate protection measures" in relation to the personal data affected by the breach, or if it were to involve "disproportionate effort".

Additionally, SMEs will not be obliged to report all data breaches to individuals, "unless the breaches represent a high risk for their rights and freedoms".

Vendors 'jumping on back' of GDPR

Complicating the picture still further, the official announcement on GDPR last week included a line saying the directive's provisions will apply in the UK and Ireland to only a "limited extent" due to their special status regarding justice and home affairs legislation.

Rob Swainson, sales director of security VAR Blue Cube, said he was still digesting how the new rules will affect UK customers.

"We are still trying to establish where the boundaries are. We are trying to digest it in a holistic manner rather than jumping on the hype, and are still reviewing the legalities," he said.

"It will only make organisations take security more seriously and will help to drive business. The only minor caveat to that is that vendors have a habit of using events such as this to throw product at the issue. GDPR is more than just a product issue; it's about policies, procedures, and people and we have seen a little bit of vendors trying to jump on the back of it."

Any firm marketing goods and services to EU residents is subject to the GDPR - which has been four years in the making - regardless of its location.

James Miller, managing director of security VAR Foursys, urged businesses to start early on revamping how they handle online data.

"It took a number of years, but the European Parliament is adopting GDPR. This is no doubt a serious 'yay' moment for EU citizens, who will now have greater control over how their data is stored, shared and used," Miller said.

"But it is going to be a tougher road for companies and organisations. Many will need to revamp how they handle online data or face very expensive consequences. My advice? Don't wait until the last moment to review your data handling."