The General Data Protection Regulation (GDPR) is an impatient tiger. That is, it has many more teeth and much less patience than its predecessor, the comparative kitten that is the Data Protection Act. With the GDPR becoming effective in May 2018, most organisational boards, regardless of their sector and size, should in theory have considered the implications of its enactment and their level of exposure by now. But this is by no means the general picture, and failure to understand the implications of the ruling risks a thorough mauling from this tetchy big cat.
The teeth come from the explicit inclusion of an accountability requirement, which signals a very clear intent that this ruling will be enforced. GDPR will also require us all to be able to show that we comply with the principles of the regulation. The implications here are not insignificant.
GDPR gives Data Subjects – that’s us – significant rights to demand how our data is managed (including a right to be forgotten). It imposes mandatory high-tempo reporting of breaches, and it also carries punchy fines for those organisations that fail to fulfil their obligations. These can be up to £20m or 4% of global turnover.
The risks to business are exacerbated by the fact that GDPR finds us in a dramatically more complex information environment than its predecessor did. It is often said that the amount of data in the world doubles every two years. In addition, compromise tools are more accessible and the illicit market for personal information is booming. Meanwhile, and very significantly, society expects much more from Data Controllers and Data Processors, Chief Information Security Officers (CISOs) and Information Security Managers (ISMs).
Curiously, it appears that it is not just micro businesses that have underestimated GDPR; it has also been overlooked by a number of organisations which one would expect to have thought very carefully about it indeed. GDPR will have different implications for different organisations, but regardless of what we do, how big we are or what sector we operate in, we all need to know some key facts about our data. We must know precisely what personal data is held, where it is and what plans are in place to access it. We also need to manage it correctly and ensure we provide the appropriate protection.
If you can honestly say you are confident that you have achieved that, then well done you. If not, then now is the time to act. This is a board level challenge, and if we evade our responsibilities, it is a pretty sure thing that we will be found out!
If you need help, our Virtual CISO service (VirtualCISO™) has been developed to provide a cost-effective, bespoke portfolio of professional services supporting, resourcing and advising on all practical and strategic aspects of Information Security, including GDPR compliance. We can provide the support you need to help you seize the initiative and keep your house in order.