GDPR: ‘Fresh Thinking’ and ‘A New Paradigm’

Andrew Taylor

Andrew Taylor

“The difficulty lies not so much in developing new ideas as in escaping from old ones” – John Maynard Keynes… In recent weeks, I’ve spoken with many executives about the impending arrival of the EU’s General Data Protection Regulation (GDPR). Frequently, these executives see GDPR as an IT matter. Too many of them – way too many, in fact – assume that their company is already ready, or that it can achieve compliance pretty quickly. They’re almost certainly wrong – and a few questions usually quickly confirm that view, writes Andrew Taylor.

Few have conducted any form of gap analysis and have no idea where they are now and the steps that they will need to take to be compliant in just over a year’s time. The evidence to suggest that they haven’t looked properly at the problem is that they’re always far too relaxed about their ignorance.

The GDPR isn’t a cyber security law: it’s a data protection law. It’s a ‘Business Risk’ issue. It belongs in the Boardroom. The UK data regulation agency, namely the Information Commissioner’s Office, has already stated that it will hold directors personally responsible for breaches under their watch. The Information Commissioner is on record as saying that directors should be prosecuted where they fail in their supervision. Under the GDPR, individuals must be trained and managed properly. Processes must be in place to ensure that this is done. Governance is a Board responsibility. It has nothing to do with the IT Department.

The only mention that technology receives in the GDPR is a reference to the fact that technology in place must be ‘state-of-the-art’ (whatever that moving feast might mean). The GDPR is, first and foremost, about people, process and governance. It’s about how companies go about collecting their data, how they process it and how they look after it, not about the tools they use to do all of that.

It’s not about expensive and complex software. We’ve found that, in some circumstances, such software may make it impossible for a business to comply with the law. That’ll be quite a lot of cash thrown straight into the bin, then!

Clearly, software is an important part of data protection, but it’s there to support the process. Unless the people and process issues are attended to, non-compliance and/or a breach is almost certain to be the result. The great majority of breaches have their genesis inside an organisation, usually because someone makes a mistake or does something malicious – both matters which should be prevented through effective governance and both matters which the regulators are likely to lay on the company.

How to ensure compliance

Essentially, in order to comply with the GDPR every company must know exactly what data they have, where it is, what they are doing with it and, crucially, make sure that they have the consent of the data subject (or other legal reason) to be doing it. Let’s face it, if you don’t know what you have – and most companies could not say exactly what personal data they hold – you don’t have a hope of complying with the other elements.

This means that you will not – we could argue cannot – have the consent of the data subject to be doing it. Just to add spice to the challenge, organised paperwork (HR, client files, etc) falls under this law. Failure to comply with the consent aspects of the GDPR can run into a 4% of turnover (or €20 million, whichever is the greater) fine.

Consent must be freely and knowingly given, cannot be open-ended and must be for a specific purpose. No catch-all, no pre-ticked boxes, no gobbledygook. In some cases, consent must be specific. Sensitive data and children’s data must be handled with additional protections. Minimisation is the general principle here.

If, on 25 May next year, you do not comply with this law, then – as stated – you run the risk of being fined up to 4% of group global turnover, not for being breached, but just for not being compliant. The Information Commissioner is in the process of hiring an investigation force now whose job will be to check that companies are compliant.

If you have a realistic plan and you’re actively working towards implementing it, the Information Commissioner’s investigators will likely look favourably upon you. If you have been tardy, lazy or, worsen still, wilfully decide to ignore the requirements of this law, the chances are that the outcome for companies and individual executives involved in the decision-making chain will be decidedly sub-optimal.

Make sure a gap analysis is carried out. Make a plan. Start moving now. Time is already short.

Andrew Taylor is CEO at BeCyberSure

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts