The European Union is a controversial institution but it is one which is trying hard to bring data standards on both sides of the Atlantic into line. It is in this spirit that Varonis Systems welcomes the recent news that a common set of privacy standards will be applied to organisations across the entire European Union soon. The legislation will also make it an offence, punishable with a significant fine, for organisations not to notify their customers of significant data breaches.
The measures are being finalised within the European Commission and will have to be approved by the national governments, so it will likely take two to four years before they come into effect.
Europe remains a vital market for North American companies. It is a staging post for the Middle Eastern and African markets, and London is one of the most important financial capitals in the world. The proposals are designed to significantly increase the EU's powers to punish those who allow major data breaches to occur or who sell customer data to third parties without authorisation. They also aim to further protect information held by social networks and cloud computing services. Organisations will have 24 hours to notify the data protection authorities and the affected parties in cases where private data has been compromised. By making sure that the rules also apply to the European subsidiaries of foreign groups, the new rules will force global companies to strengthen their data protection policies. All companies with more than 250 employees will be required to have dedicated staff to deal with data protection issues. The rules will give the EU powers in policing privacy similar to those it wields in competition matters, where it can impose fines of up to 10% of turnover for violations.
So, should we be horrified by European bureaucracy or beat the drum for watertight data protection? In our opinion the new rules strike an excellent balance between the very real data privacy needs of citizens and the practical issues of managing data within the modern corporate environment.
Many IT security professionals have expressed concerns about the technical problems associated with managing, protecting and auditing access to their growing data stores. While these concerns are understandable, the reality is that with the correct technology and processes in place these issues can be efficiently solved.
Many organisations have been struggling with non-existent or limited permissions management, classification, and auditing capabilities included with their data stores, but new metadata framework technologies can provide intelligence, automation, and control across multiple platforms to allow C-level executives to sleep easy.
But just how many companies actually have the required technology and procedures in place? The honest answer is: not many. IT departments face significant challenges in understanding where their sensitive data resides, and in keeping authorisation up to date, i.e. making sure the right users have access to the right data resources where sensitive data is stored, such as folders, sites, and mailboxes. Both are obviously essential: it is difficult to manage any asset that you cannot locate, and as users move through an organisation changing roles they amass access to more and more data, often retaining access to data they no longer need. Unless the processes to grant, review, analyse, and revoke access are automated, and access is monitored and analysed, the organisation will be unable to maintain correct authorisation, and unable to monitor access activity to look for likely threats.
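The two failure modes described above (access retained after a role change, and access that is simply never used) are exactly what a periodic entitlement review should surface. The following is an added illustration, not code from the original post or from Varonis: it cross-checks an exported permission list against the directory's current roles and the access audit log, and flags each permission that is either unjustified by the user's present role or unused for longer than a review window. All users, paths, roles and log entries are constructed sample data.

```python
from datetime import datetime, timedelta

# --- Constructed sample inputs (illustrative only, not from the original post) ---

# Review baseline: the resources each role is expected to need (assumed mapping).
ROLE_ENTITLEMENTS = {
    "finance": {"fs01/finance/payroll", "fs01/finance/reports"},
    "hr": {"fs01/hr/personnel"},
    "sales": {"fs01/sales/pipeline"},
}

# Current role of each user, as held in the directory.
USERS = {"alice": "finance", "bob": "sales", "carol": "hr"}

# Effective permissions as exported from the file servers: (user, resource).
PERMISSIONS = [
    ("alice", "fs01/finance/payroll"),
    ("alice", "fs01/finance/reports"),
    ("bob", "fs01/sales/pipeline"),
    ("bob", "fs01/hr/personnel"),      # retained from bob's former HR role
    ("carol", "fs01/hr/personnel"),
    ("carol", "fs01/finance/reports"), # ad-hoc grant outside carol's role
]

# Access events from the audit log: (user, resource, ISO-8601 timestamp).
EVENTS = [
    ("alice", "fs01/finance/payroll", "2012-02-28T09:15:00"),
    ("alice", "fs01/finance/reports", "2011-10-02T11:00:00"),  # ~151 days old
    ("bob", "fs01/sales/pipeline", "2012-02-27T16:40:00"),
    ("carol", "fs01/hr/personnel", "2012-02-29T08:05:00"),
    ("carol", "fs01/finance/reports", "2012-02-20T14:30:00"),
    # note: no event at all for bob on fs01/hr/personnel
]

NOW = datetime(2012, 3, 1)  # fixed "current time" so the example is reproducible


def last_access(events):
    """Map (user, resource) -> most recent access time seen in the log."""
    latest = {}
    for user, resource, ts in events:
        when = datetime.fromisoformat(ts)
        key = (user, resource)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest


def review_access(permissions, events, users, role_entitlements, now, max_idle_days=90):
    """Return {(user, resource): [reasons]} for permissions a reviewer should examine.

    'unused'      - no access recorded within max_idle_days (or no access ever)
    'out_of_role' - the user's current role does not justify the permission
    A permission can carry both reasons; one with neither is not reported.
    """
    latest = last_access(events)
    cutoff = now - timedelta(days=max_idle_days)
    findings = {}
    for user, resource in permissions:
        reasons = []
        seen = latest.get((user, resource))
        if seen is None or seen < cutoff:
            reasons.append("unused")
        # Unknown users (e.g. leavers still present in ACLs) have no role,
        # so every permission they hold is treated as out of role.
        expected = role_entitlements.get(users.get(user), set())
        if resource not in expected:
            reasons.append("out_of_role")
        if reasons:
            findings[(user, resource)] = reasons
    return findings


if __name__ == "__main__":
    report = review_access(PERMISSIONS, EVENTS, USERS, ROLE_ENTITLEMENTS, NOW)
    for (user, resource), reasons in sorted(report.items()):
        print(f"{user:8} {resource:24} {', '.join(reasons)}")
```

Run on the sample data, the report lists alice's unused access to the finance reports, bob's retained HR permission (both unused and out of role), and carol's out-of-role grant; alice's payroll access, bob's pipeline access and carol's personnel access are silent because they are both justified and in recent use. In practice the three inputs would come from an ACL export, the directory and the file-access audit trail, and the "unused" window would be tuned to the review cadence.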
The problem of the rise in unstructured data, i.e. the data that is growing dramatically on every corporate network, is one which has to be faced head-on. As far as unstructured data is concerned, the introduction of a single set of privacy standards for all EU territories is long overdue. The fact that this will be a complex migration for some multinationals is one which we should see as a welcome opportunity and not a dreaded challenge.
The key issue in the new rules is the requirement that any company maintaining personal information - be that customer records, internal human resources directories or any other list - will have to comply with the new rules, and be able to show how and why they are using personal data. This is something which is a service to the customer anyway, and should already be in place in any well-organised company.
There will be a lot of moaning and groaning back and forth across the pond about the new rules, but I predict that - as we have seen with the PCI DSS governance rules - after a short while, they will become the accepted business practice and part of the data protection and management landscape.