Microsoft UK answer questions on GDPR
Hugh Milward, Senior Director, Corporate External and Legal Affairs at Microsoft UK answers some pressing questions on GDPR.
How important is it that companies have lawyers as well as compliance officers and engineers on the cybersecurity team?
"Cybersecurity is a ‘team sport’, and to be successful it needs multi-disciplinary participation to fulfil effective outcomes and corporate objectives. That includes engineers of all kinds, business process owners, compliance owners and appropriate legal counsel. Each person has an important role to play in planning, executing and reassessing a company’s cybersecurity strategy and as part of the Protect-Detect-Respond cycle of an event; for example, each person needs to understand how they will work as part of the team if a security incident occurs.
"Understanding legal and compliance requirements is a significant input into that. Lawyers and compliance officers not only help manage regulatory compliance risks and protect their organisations, but also enable their organisations to take advantage of the opportunities that new technologies offer to foster growth, innovation and long-term success.
"Technology providers also play an important role in providing tools, information and contracts that will enable lawyers and compliance officers to manage the task of compliance as they grapple with the demands of regulators, legal authorities and new legal requirements such as the GDPR."
What are the legal consequences of non-compliance with the GDPR? Do you think businesses are responding to the challenge effectively?
"GDPR represents a critical step forward in advancing individual privacy rights. Implementation of more advanced and comprehensive data policies is key to ensuring businesses comply with the use of personal data, and accommodating new requirements in transparency, recordkeeping and reporting. Understandably, these measures are underpinned by clear enforcement powers and significant consequences, threatening both financial and reputational harm to encourage adherence. Non-compliance runs the risk that companies will be subject to significant penalties, with fines of up to €20m or 4% of annual global turnover, whichever is greater. The regulation also empowers consumers and the bodies acting on their behalf to bring civil litigation against breaching organisations.
"Despite Gartner predicting that less than 50% of all organisations will comply fully with the GDPR once enforcement begins on May 25, 2018, we are already seeing significant engagement from organisations who are preparing for enforcement. Businesses are using GDPR compliance as a springboard to digitally transform, build customer trust and optimise their performance and operations, by translating privacy regulations into agile business practices and innovative technology solutions. Data is now a critical asset for all organisations, and the GDPR will drive a transformational shift in how they govern data.
"Businesses that embrace a 'privacy by design' approach to improve their data policies, alongside implementing data governance tools, will be best prepared to prevent data breaches, report on compliance and run comprehensive data impact risk assessments."