Nick Prescot, Senior Information Security Manager
For many in the Infosec industry, this piece of EU legislation has been relatively warmly met, and unlike the farming and fishing industries, there haven't been large groups of Infosec people walking the streets of Whitehall in protest against EU legislation. There is little doubt that this is a 'game changer' in what it means to keep third-party data safe. Not only will the data processor have the same obligations as the data controller, but there are now fines that warrant the attention of the board.
Before the EU GDPR, the old Data Protection Act meant that you could be fined up to £500k; from 25th May 2018 it will be up to 4% of global turnover. Everyone that I have talked to has received this news with mixed emotions: some see it as more budget, others see it 'as yet another piece of EU red tape.' Not only this, but there is the requirement of data breach notification. Whilst it is not compulsory, the investigating authority will question why you didn't disclose the breach in good time. This somewhat reminds me of Rory Bremner's sketch of Michael Howard, along the lines of: 'you don't have to tell anyone of a breach, but you'd be very brave to keep that quiet, wouldn't you. I would tell people about the breach, but I'm not you, am I?'
There is also the integrity issue of knowing where your PII
data is because EU citizens will be able to ask where the data is and how it
has been processed. This will be an interesting conundrum for Data Managers
when they are dealing with structured and unstructured data. This will be
another sea change in the way in which personal data is stored.
The next big question that will be pondered amongst businesses is how to be compliant with the EU GDPR, mainly on the premise that if you're PCI DSS compliant then everything must be OK. Unfortunately, the PCI DSS hangover will mean that meeting the requirements of the EU GDPR is not a binary matter of being either compliant or not compliant; the regulation expects processors of personal data to have a reasonable, proportionate and appropriate set of information security controls, along with a regular process of conducting 'privacy impact assessments'. This means that companies will need to have a framework of information security controls in place that is regularly enforced. Naturally, for the cyber geeks amongst us ISO 27001 will spring to mind, but there are other industry best-practice frameworks such as COBIT and the ISF Standard of Good Practice. Once the framework is in place, it then needs to be monitored, enforced and measured as being in place. If all goes well, you won't have a problem, but the $64,000 question is what happens when there are breaches and companies negotiate themselves down from a 4% fine to a 1% fine because they had all the controls in place, the right data breach notification plans in place, and it was just bad luck that they were breached.
Until this is proved, I'm sure that you'll agree with the
assumption that data privacy and protection is no longer just an IT issue but a
business systems issue that requires focus, attention and a mitigation of risks
from all areas of the business.