With EU Data Protection Regulation on the horizon, will companies be ready?

A lot has changed since 1995, the last time a major European law was passed on the subject of data protection (the Data Protection Directive 95/46/EC). For example, mobile devices are ubiquitous, and it’s not unusual to carry two or even three at a time. Meanwhile, sensitive company data is moving outside the safety of the traditional corporate security perimeter. Employees email documents to themselves, access data from personal smartphones and tablets, and store data in the cloud. Major data breaches are commonplace today, putting customers at risk of identity theft and financial loss, and businesses at risk of losing customer and investor loyalty. European businesses are not prepared to meet regulatory requirements outlined in the EU Data Protection Regulation, due to be enacted by the EU parliament in 2015. That’s the story told by a survey of 1,500 office workers in the UK, France and Germany, conducted by Sophos. Although a large majority of poll respondents (84%) agree that stricter data protection requirements are needed, most lack confidence that their employers are compliant (77%), and many do not know what type of data protection their companies currently have in place.

During a roundtable discussion about the survey, our security experts talked about the current state of data protection and how the new requirements might impact businesses. Anthony Merry, director of product management in the data protection group at Sophos, said companies have to get a better understanding of not just what regulations require, but what data protection actually is. “Many of the companies I talk to still do not understand what data protection is, why businesses need to do it and why it is important, and that needs to change,” he said, according to ComputerWeekly.

Some of the proposed changes to the EU Data Protection Directive include huge fines for non-compliant companies in the event of a data breach — as much as 5% of global turnover, or €100m, whichever is higher. Compared to relatively lax data protection laws in the United States, such punitive laws could be seen as harmful to businesses.

However, if companies are encrypting their data — on disks, mobile devices, storage drives, and in the cloud — they don’t have to worry as much. “If data is encrypted, even if IT systems are breached, companies will not be liable under the law,” Anthony said. Unfortunately, businesses in the countries we surveyed have a long way to go to complete data protection. According to our survey, only 62% of UK companies are encrypting laptops, along with 36% in France and 56% in Germany. Encryption of mobile devices is even farther behind: 41% in the UK, compared to 21% in France and 32% in Germany.

does-your-company-encrypt-650

Learn more about data protection

Sophos SafeGuard Encryption solves the major challenge of managing encryption across multiple platforms, devices, and cloud environments. Users and IT staff can share data safely between Windows, Mac and mobile devices – securing data wherever it lives and wherever it is sent. For more information about SafeGuard Encryption, get our free whitepaper Managing BitLocker With SafeGuard Enterprise (registration required). Or download our Encryption Buyers Guide to learn more about how to choose the best encryption solution for your needs.