“The difficulty lies not so much in developing new ideas as in escaping from old ones” – John Maynard Keynes
In recent weeks, I’ve spoken with many executives about the impending arrival of the EU’s General Data Protection Regulation (GDPR). Frequently, these executives see the GDPR as an IT matter. Too many of them, far too many in fact, assume that their company is already compliant, or that it can become compliant fairly quickly. They’re almost certainly wrong, and a few questions usually confirm that view, writes Andrew Taylor.
Few have conducted any form of gap analysis, so they have no idea where they stand now or what steps they will need to take to be compliant in just over a year’s time. The tell-tale sign that they haven’t looked properly at the problem is that they are far too relaxed about their own ignorance.
The GDPR isn’t a cyber security law: it’s a data protection law. It’s a business risk issue, and it belongs in the Boardroom. The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has already stated that it will hold directors personally responsible for breaches on their watch, and the Information Commissioner is on record as saying that directors should be prosecuted where they fail in their supervision. Under the GDPR, individuals must be trained and managed properly, and processes must be in place to ensure that this happens. Governance is a Board responsibility; it cannot simply be delegated to the IT Department.
Technology receives little direct mention in the GDPR: its main appearance is the requirement that security measures take account of the ‘state of the art’ (whatever that moving target turns out to mean). The GDPR is, first and foremost, about people, process and governance: how companies go about collecting personal data, how they process it and how they look after it, not the tools they use to do all of that.
It’s not about expensive and complex software. We’ve found that, in some circumstances, buying such software before the underlying processes are in place can actually get in the way of compliance with the law. That’s quite a lot of cash thrown straight into the bin.
Clearly, software is an important part of data protection, but it is there to support the process. Unless the people and process issues are attended to, non-compliance, a breach, or both are almost certain to follow. The great majority of breaches have their genesis inside an organisation, usually because someone makes a mistake or does something malicious; effective governance should prevent both, and regulators are likely to hold the company responsible for both.
How to ensure compliance
Essentially, in order to comply with the GDPR every company must know exactly what personal data it holds, where it is, what it is doing with it and, crucially, make sure that it has the consent of the data subject (or another lawful basis) for doing so. Let’s face it, if you don’t know what you have, and most companies could not say exactly what personal data they hold, you don’t have a hope of complying with the other elements.
In particular, you cannot demonstrate that you have the data subject’s consent for processing data you don’t even know you hold. Just to add spice to the challenge, organised paperwork (HR and client files, for example) falls under this law too. Failure to comply with the consent requirements of the GDPR can attract a fine of up to 4% of annual worldwide turnover (or €20 million, whichever is the greater).
Consent must be freely given, specific, informed and unambiguous; it cannot be open-ended and must be tied to a stated purpose. No catch-all wording, no pre-ticked boxes, no gobbledygook. In some cases, such as special category (sensitive) data, consent must be explicit. Sensitive data and children’s data must be handled with additional protections. Data minimisation is the general principle here: collect and keep only what you need for the stated purpose.
If, on 25 May next year, you do not comply with this law then, as stated, you run the risk of being fined up to 4% of the group’s annual worldwide turnover, not for being breached but simply for not being compliant. The Information Commissioner is already hiring an investigation force whose job will be to check that companies are compliant.
If you have a realistic plan and you’re actively working towards implementing it, the Information Commissioner’s investigators will likely look favourably upon you. If you have been tardy or lazy or, worse still, wilfully decide to ignore the requirements of this law, the chances are that the outcome for both the company and the individual executives in the decision-making chain will be decidedly sub-optimal.
Make sure a gap analysis is carried out. Make a plan. Start moving now. Time is already short.
Andrew Taylor is CEO at BeCyberSure