June 7, 2016

EU’s new privacy laws are here – now what?

Markus Melin

Head of Tieto Security Services, Tieto

It is far from certain what the detailed impacts of the new EU privacy legislation will turn out to be in practice, but one thing is for sure: now is the time to figure out what customer data your organization holds and exactly where that data is stored. This is an effort that will not go to waste no matter what. Unfortunately, it’s probably more difficult than you think.

The European Commission has been preparing its General Data Protection Regulation, or GDPR, for years. The regulation has now gone into effect and, unlike the preceding directive dating from 1995, it is binding on all member states regardless of national ratification. All organisations located in or operating within the EU must therefore comply after a two-year transition period at the latest.

The GDPR represents a major change in how the privacy of individuals is taken into account and fundamentally changes the way companies look at cyber security. It aims to strengthen and unify data protection for individuals within the European Union, and also addresses the export of personal data outside the EU. Companies failing to comply may face hefty sanctions, in extreme cases even a fine equaling 4 per cent of the annual worldwide turnover of the preceding financial year. A scary scenario, no?

For regular citizens and consumers, GDPR is without a doubt an improvement. But for companies and other organizations it also means a lot of work, not only with the information systems, but also the associated processes and even training of their personnel.

At the moment, the practical implications of the new regulation are unclear and will remain so for some time. In brief: nobody knows exactly what is going to happen, a not-completely-unfamiliar situation with new EU legislation. We need to wait for actual interpretations and applications of the new legislation.

Don’t wait, be proactive

Regardless of the uncertainty around the impacts of GDPR, we strongly suggest taking one action right away: start surveying and detecting the customer data stored and handled within your organisation. Waiting and seeing is not a smart thing to do at this moment. Find out how much and what kind of data you have, where it is, how it is used, how it changes over time, and who has access to it.

Some model organisations may have all this data already in perfect order. But for most, the emergence of new, sometimes ad-hoc, repositories and local “development” copies is a fact of life, and one that has a nasty habit of reappearing over time.

So in reality, detecting your customer data is probably harder than you think, with cloud services, mobility, and hybrid users adding to the challenge. But the effort is worth it. Not only because of GDPR, but because it has a healthy effect on your organization’s data handling practices at large.

A proactively minded CEO and CIO should take this as tough love received from the European Union. Certainly it challenges everyone to make better sense of their most valuable data: the data about their customers and employees.

We will cover GDPR topics in this blog in the future when the picture becomes clearer, so stay tuned. In the meanwhile, please download our whitepaper, which describes what we do at Tieto Security Services.

Tieto also provides GDPR assessment services. Contact paivi.m.makela@tieto.com for further details.