EU Data Protection reform and its implications on remote access

In December 2015 the EU Commission put forward a reform of data protection regulation that aims “to make Europe fit for the digital age.” The regulation will take effect on May 25, 2018.

“And so what?” you might ask. I contend that this regulation will have much more impact on society worldwide than the Millennium challenge, Y2K. Back then, the main worry was that airplanes might fall out of the sky when the fireworks lit up on January 1st, 2000. As you know, the most dire scenarios did not take place and normalcy quickly returned.

The Data Protection Directive (or EUDPD) will have much more lasting effects because it dictates that personal information must be protected and that privacy is to be built into the system design of all IT solutions marketed within the European Economic Area (EU, Norway, Iceland and Liechtenstein). If an American enterprise is active in this area, or if relevant information flows between offices located in the US and Europe – such as Netop, with headquarters in Denmark and offices in Portland and Chicago – it will be covered by the regulation.

The effects will be long-lasting because of the level of economic liability that enterprises can suffer if they do not comply with the regulation. Try this one for size: administrative fines up to €20,000,000 ($22 million) or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The main aspects of the EU Data Protection regulations are ready access for individuals to their own data and the right to be forgotten. But the regulations also direct that privacy protections need to be built into systems by default and by design. They further stipulate that data protection authorities have the right to be notified within 72 hours of a breach of personal data.

Over the last couple of years, European enterprises have taken a more laid-back attitude towards compliance with international security regulations (see ISO 27001) when it comes to remote access and remote control. Such enterprises have taken the stance that it doesn’t matter whether remote access sessions are logged, whether their remote control tools can require user confirmation, or whether multi-factor authentication is being used. They seem content to live with the potential consequences of a less-than-secure approach to remote access.

This will change when enterprises face fines in the millions of euros for such negligence. Management and boards of directors will have to treat data protection as a strategic area. With over 80% of data breaches conducted by external actors through remote access points, a strong and strategic approach to remote access will be critical for businesses.

Old virtues like encryption, authentication and documentation will again be hot stuff for solution architects. This is where Netop’s four-pillar security approach – including strong encryption, central user access control and documentation of individual remote sessions (logging and recordings) – will be increasingly relevant.