INSIGHT
GDPR: The Clock's Ticking
Time to get your ducks in a row
With almost half of UK companies reporting a cyber breach or attack in the last year*, tightening up data protection seems like a sensible idea.
Yet with less than a year until the General Data Protection Regulation (GDPR) comes into force, a leading security expert has warned that many organisations are preparing too slowly, despite the threat of breaches and punitive fines.
A risky strategy
Gayle McFarlane, a partner at international law firm Eversheds Sutherland, will share her expert legal perspective on GDPR at the Virgin Media Business Security Seminar at Manchester’s Etihad Stadium on 12 July. When Insights caught up with Gayle for an exclusive interview ahead of the event, she was quick to warn of the consequences of ignoring GDPR.
Gayle says: “As GDPR approaches, some organisations appear to be waiting to see if someone else will get done first. That is a very risky strategy. You can’t think, ‘I’m under the radar, nobody will take action against me.’ The ICO doesn’t look at it that way and under GDPR they can issue large Civil Monetary Penalties far beyond their current maximum of £500,000. Small businesses could receive fines of up to £17.5m, while large organisations can be fined up to 4% of annual global turnover.”
Don't panic - yet
That’s right. GDPR penalties could be so significant that organisations that breach it may struggle to pay them. However, even if your organisation has ignored GDPR until now, Gayle believes there is no reason to panic.
She says: “GDPR is designed to make us all think about data a bit more. If you want to become compliant, my first recommendation is to find out what data you have and then understand what your business is doing with it. That’s half the battle. Then you need to consider if some of the data should be deleted, or if any of your data processing should be changed or stopped. It is ultimately all about accountability. You need to be able to account for your data, why you have it and what you are doing with it.”
A new bill of rights
Gayle began as a privacy and data protection specialist 15 years ago, in the early days of e-commerce. Back then, control of personal data was much less stringent, and Gayle has watched a gradual tightening of legislation over the years.
Gayle says: “One key aspect of GDPR is that it gives individuals more rights and, importantly, control over their data. Organisations must look at their processes in order to comply with them. For example, the right to access information will be enhanced under GDPR. There is also the right to erasure, which some people may have heard of as the right to be forgotten. The ability to exercise this right only applies if certain criteria are met. If processing is based on having consent – the organisation has asked you if they can process your data – you have increased rights. You can withdraw that consent and the data can no longer be processed.
“If the processing of data is no longer necessary, individuals can ask organisations to stop. Similarly, if information is incorrect then you can ask for a change under the right to rectification. GDPR is making us think about each set of data and the rights that follow through.”
Secure from top to bottom
GDPR will also promote a security-aware culture within organisations and, given the number of breaches that are due to human error, Gayle is hugely supportive.
She says: “It’s important to make sure employees are trained and know not to take personal data home on a removable drive that gets dropped in a pub car park, or left on a train. Having your laptop stolen in a burglary from your home might not seem like your fault, but if it’s unencrypted and contains personal data, you could be in trouble. These scenarios are a big cause of breaches, so organisational security is really important.
“If your organisation suffers a breach and the ICO determines appropriate measures weren’t in place, regardless of whether it’s poor training or technology, a breach of legislation has occurred and a fine could follow.”
A win for everyone
While it’s easy to discount GDPR as just another layer of bureaucracy, Gayle believes its ultimate impact will be positive for organisations and individuals alike.
Gayle says: “It’s easy to focus on the negatives, but I prefer to think of the benefits. The whole purpose of GDPR is to improve the level of trust in businesses so that consumers can provide their data willingly. People won’t feel duped or worried that their information will be used in a harmful way. In my opinion, that’s a win for everyone.”
Gayle McFarlane will appear at the Virgin Media Business Security Seminar at the Etihad Stadium, Manchester, on 12 July.