When it comes to GDPR, firms typically take one of two approaches. The first group takes a strong, proactive approach to compliance and seeks to adhere to the principles of the regulation. They are usually motivated by best practice, or have undertaken a risk analysis and know that their use of personal data must be protected. Such firms have typically invested considerable time, resources and budget in becoming and staying compliant, and are often happy to share their experience and practices with others, even competitors. Though compliance is an ongoing task, they are generally at low risk of running afoul of the regulator.
In contrast, the second group is now scrambling to check its compliance position. These are the firms that asked, “What’s the least I can do to avoid a fine?” when GDPR was on the horizon. Perhaps they gambled that regulators would adopt a laissez-faire attitude to enforcement. Or worse, they took a wait-and-see approach and did nothing. As the Information Commissioner’s Office (ICO)’s first proposed fines for GDPR infringements became public in the media, these firms are rightly alarmed and worried that they are next. But none of this should surprise anyone who has been paying attention.
Coming under scrutiny
While the ICO has been approachable, actively working to provide guidance to organisations to help them achieve compliance, it is also clear that it is determined to ensure the law is upheld. Enforcement might take a while – a year or longer from the incident – but it does eventually arrive.
In both of this summer’s biggest cases, Marriott and British Airways, the firms involved argued that they were victims of cybercrime as a defence against the high penalties. Under GDPR these can be as high as €20 million or 4% of global annual turnover, whichever is greater.
Global hotel group Marriott said an attacker had been able to access the guest reservation database of its Starwood division since 2014, encrypting and copying the information of about 327 million guests. The intrusion predated Marriott’s 2016 acquisition of Starwood and was not discovered until 2018, which is precisely the kind of due-diligence gap the regulator examines.
British Airways, meanwhile, saw traffic to its website diverted to a fraudulent site, enabling attackers to harvest the personal and payment details of about 500,000 customers. Poor security arrangements meant that a wide variety of information was compromised. As a result, the ICO announced its intention to levy the biggest penalty it has ever proposed, and the first to be made public under GDPR rules.
Whose responsibility is it?
The regulation itself is very clear on where responsibility lies: data controllers (and, under Article 32, processors too) must ensure that “appropriate technical and organisational measures” are used to protect personal data. The regulation does not prescribe those measures; each firm must decide what “appropriate” means for the nature, scope and risk of its own processing, and be able to justify that decision.
Attacks are inevitable, so the question is whether the organisation has done everything it reasonably could to defend against them, and whether those measures can stand up to scrutiny by the regulator.
According to the official advice(1), “The controller must make the necessary assessments and reach the appropriate conclusions. The question that the supervisory authority must then answer is to what extent the controller “did what it could be expected to do” given the nature, the purposes or the size of the processing, seen in light of the obligations imposed on them by the Regulation.”
It is clear that the ICO is prepared to take headline-generating action in response to GDPR breaches. This should serve as a wake-up call to firms sitting on the sidelines hoping they won’t be discovered. Those that already have practices in place should be reviewing and assessing them to ensure they are truly ‘doing enough’. These practices must be defensible before the regulator and, if it comes to it, in court, not merely the bare minimum.
It is a matter of ‘when, not if’ the typical firm is targeted by cybercriminals, or simply hit by an employee’s unfortunate mistake. Security measures need to be in place to minimise the impact when that happens. That is not to say that security automatically equals compliance: GDPR also demands accountability, documentation and lawful processing, which no firewall provides. Nor is the bare minimum enough to protect a business from attack. The consequences of being caught short go beyond GDPR penalties: a successful attack can put a company out of business and destroy its reputation in the eyes of customers. By learning from the lessons of others, firms can insulate themselves from regulators and malicious actors alike.
(1) Article 29 Working Party, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (WP253), adopted 3 October 2017.
About Duncan: Duncan Brown is Forcepoint’s Chief Security Strategist for EMEA, and leads the firm’s C-level engagement in the region. He advises customers on business strategy, and how this can be enabled and accelerated through the appropriate application of technology. He acts as adviser and coach to CISOs, CIOs and board executives on risk assessment and mitigation, and aids in the translation of desired business outcomes into technology solutions. He is also a conduit for customer feedback to Forcepoint and helps drive product strategy to meet customer demand. His list of clients includes enterprises, central banks and government organizations. Duncan is a self-confessed GDPR junkie and an advocate of pragmatic privacy in the workplace.
Duncan was formerly vice president of IDC’s European Security Practice at IDC EMEA, where he led the firm’s market-leading security research programme in Europe. He established and led IDC’s pioneering coverage of the global impact of the GDPR and NIS Directive on technology companies and their customers. His analysis and opinions are widely sought by industry leaders and investors, and his comments on industry trends and developments frequently appear in leading business and trade publications.
Written by Duncan Brown, EMEA Security Strategist, Forcepoint.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.