6 key questions on critical asset management
GDPR Massive fines for data breaches under the GDPR have hit the headlines, but businesses that do their best need not fear the worst, says Steve Durbin, Managing Director at the Information Security Forum.
What is the main aim of the GDPR?
“What the regulation doesn't believe it is going to do is prevent breaches from happening - what it is trying to do is reduce the impact of breaches and have companies do as much as they can to protect information so that our personal data isn’t compromised. With reform on the horizon, organizations planning, or already doing business in Europe, should get an immediate handle on what data they are collecting on European individuals, where it is coming from, what it is being used for, where and how is it being stored, who is responsible for it and who has access to it.”
What sort of fines can industries expect to pay for non-compliance?
“The penalties are deliberately draconian. What the European Union want to do is to show they take data breaches very seriously, and the potential fines of €20m or 4 per cent of global annual revenue provides the information commissioners with some very strong weapons to force businesses to take them very seriously too.”
How can companies avoid paying maximum fines?
“The Information Commissioner’s Office (ICO) in the case of a breach is going to be doing a couple of things. They will be looking at whether or not an organisation has understood the regulation as it applies to their business and that they put in place processes and made every reasonable effort to comply. If they have done, we are not going to see the very high-level fines. On the other hand, if the ICO come across an organisation that has ignored some of the requirements and doesn't have a clear plan to getting them implemented, then that is where we are going to see some of the higher end fines being levied.”
How can companies move towards compliance?
“The first thing you need to do is understand how the regulation applies to your business. Popular ways of doing this include hiring a third party, such as a law firm, to come in and see how the organisation stacks up currently, identifying any gaps, so that you can go about plugging them. Another way involves looking at how you currently transact business and asking how this relates to the requirements of the GDPR. For example, do you have the capabilities and controls that allow you to understand where data is being gathered? Can you ensure it is being gathered lawfully and that is handled in a transparent fashion? And do you have processes in place for when things go wrong? The weak link in all of this though, is people. Employees might inadvertently share data with third parties or store data on smartphones, which means training is essential.”
Is the GDPR only about big business?
“GDPR is more about how much information you are gathering and what you are doing with it that determines the applicability of the regulations. Events companies, for example, tend to be small businesses, but they gather all sorts of information about lots of people who come to their events. Thus, some small businesses certainly have to be aware of these regulations, and it is the ‘small guys’ who tend not to have resources in place to get these jobs done.”
Are there any upsides to the GDPR?
“What the GDPR does is allow us to stand back a bit and ask how we share the information we gather. Organizations will benefit from the uniformity introduced by the reform and will evade having to circumnavigate the current array of often-contradictory national data protection laws. There will also be worldwide benefits as countries in other regions are dedicating more attention to the defense of mission-critical assets. The GDPR has the potential to serve as a healthy, scalable and exportable regime that could become an international benchmark.”
The Information Security Forum (ISF) is an independent, not-for-profit association of the world’s leading organisations, dedicated to meeting the increasing demand for business-driven solutions to cyber security and risk management problems.
In addition, the ISF provides organisations with a full range of consultancy services to assist in the implementation of ISF tools and research addressing issues relating to governance, risk and compliance.