We have just published a white paper on the General Data Protection Regulation (GDPR), the European Union (EU)’s new data protection regulation, adopted in 2016 and applying from May 25, 2018. Every organization that collects or processes personal data on EU residents must comply with the regulation, regardless of where it is located, or face significant financial penalties (up to four percent of annual global turnover or €20 million, whichever is higher) and reputational damage.
Complying with the GDPR requires any organization holding personal data on EU residents to implement both organizational and technological measures. Organizational measures include appointing a Data Protection Officer, developing policies and training on handling personal and sensitive personal data, and defining an approach for executing a Data Protection Impact Assessment (DPIA). Technological measures for protecting data include capabilities like data classification, data loss prevention, encryption, more explicit consent management, data transfer limitations, and technologies that enable data subjects to exercise their rights to access, rectify, and erase personal data held by data controllers.
It is important to note that the GDPR is focused on the protection of personal data, not just its privacy. Complying with the protection mandate requires a higher degree of proactive and far-reaching effort on the behalf of organizations that control or process personal data.
The survey we conducted for this white paper among mid-sized and large organizations that will be subject to the GDPR found that the majority (58 percent) are not sufficiently familiar with the wide scope of the regulation and the penalties it includes. Only 10 percent believe their organizations are “completely ready” to comply with the requirements of the GDPR. That’s a serious problem, since the penalty for failure to comply with the GDPR could cost a large organization many millions or tens of millions of dollars.
You can download our just published white paper here.
When employees leave a company, whether voluntarily or involuntarily, it is quite common for them to take sensitive and confidential data with them. This paper examines this problem in detail and provides solutions for employers to mitigate the risks. For example:
- A survey published by Biscom in late 2015 found that 87 percent of employees who leave a job take with them data that they created in that job, and 28 percent take data that others had created. Among the majority who took company data with them, 88 percent took corporate presentations and/or strategy documents, 31 percent took customer lists, and 25 percent took intellectual property.
- A survey of 1,000 employees in the United States and Europe found that one in five had uploaded sensitive and confidential corporate data to an external cloud service specifically for the purpose of sharing it with others.
As just one example of data theft by departing employees, in September 2016 the US Office of the Comptroller of the Currency (OCC) detected the November 2015 theft of more than 10,000 records by a retiring employee that may have exposed personal information about OCC employees.
Here are some of the important takeaways from a white paper we recently published on this topic:
- Employee turnover is a fact of life: the typical organization in the United States, for example, can expect that 24 percent of its employees will leave each year, although some companies in the Fortune 500 experience much higher turnover[i].
- Employees who leave their employers, regardless of the reason for their departure, often take with them sensitive and confidential information, such as intellectual property or trade secrets, that belongs solely to their employer.
- The theft of this information can damage a company in a variety of ways, including exposing it to a regulatory violation, forcing it to take legal action against former employees, harming its competitive position, and negatively impacting its revenue.
- To reduce the risk of employees taking information with them when they leave, employers should establish detailed and thorough policies and procedures focused on ensuring visibility into employee practices, limiting employee access to data, requiring encryption of sensitive data, managing devices properly, ensuring that data is backed up and archived properly, requiring the use of enterprise apps (since these apps and any associated offline content can be remotely wiped, even on personally managed devices), and ensuring that IT has access to all corporate data to which it should have access (some confidential data, such as HR data, should not be available to IT in all cases).
To support these policies and procedures, organizations should evaluate and deploy various technology solutions. Technologies that should be considered, but not all of which need to be deployed, include content archiving, backup and recovery, file sharing and collaboration, encryption, mobile device management, employee activity monitoring, data loss prevention, logging and reporting, virtual desktops and other solutions that will minimize the possibility of employees misappropriating corporate data upon their departure.
You can download the white paper here.