Friday 6 May 2016

EU GDPR - Now Data Privacy & Protection is More Than an IT Issue

Nick Prescot, Senior Information Security Manager

For many in the Infosec industry, this piece of EU legislation has been relatively warmly met and unlike the farming and the fishing industry, there haven't been large groups of Infosec people walking the streets of Whitehall in protest against EU legislation. There is little doubt that this is a 'game changer' in what it means to keep 3rd party safe. Not only will the data processor have the same obligations as the data controller but there are now fines that warrant the attention of the board.

Before the EU GDPR, the old data protection act meant that you could be fined up to £500k; from 25th Mary 2018 it will be up to 4% of global turnover. Everyone that I have talked to has been receiving this news with some mixed emotion, some see it as more budget others see it 'as yet another piece of EU red tape.' Not only this, but there is the requirement of Data breach notification. Whilst it is not compulsory, it will be questioned by the investigation authority why you didn't disclose the breach in good time. This somewhat reminds me of Rory Bremner's sketch of Michael Howard along the lines of, ' you don't have to tell anyone of a breach, but you'd be very brave to keep that quiet wouldn't you. I would tell people about the breach, but I'm not you am I?'

There is also the integrity issue of knowing where your PII data is because EU citizens will be able to ask where the data is and how it has been processed. This will be an interesting conundrum for Data Managers when they are dealing with structured and unstructured data. This will be another sea change in the way in which personal data is stored. 

The next big question that will be pondered amongst the businesses, is how to be compliant with the EU GDPR; mainly on the premise that if you're PCI DSS compliant then everything must be ok. Unfortunately, the PCI DSS hangover will mean that meeting the requirements of the EU GDPR is not a binary issue in the sense of you cannot be compliant or not compliant; the regulation expects processors of personal data to have a reasonable, proportionate and appropriate set of information security controls along with a regular process of conducting 'privacy impact assessments'. This means that companies will need to have a framework of information security controls in place that are regularly enforced. Naturally, for the cyber geeks amongst us ISO27001 will spring to mind but there are other industry best practice frameworks such as CoBIT and the ISF Standard of Good Practice. Once the framework is in place, it then needs to be monitored, enforced and measured as being in place. With this all being well, you won't have a problem but the $64,000 question is,  when there are breaches and companies negotiate themselves from a 4% fine to a 1% fine because they have all the controls in place, the right data breach notification plans in place and it was just bad luck that they were breached.

Until this is proved, I'm sure that you'll agree with the assumption that data privacy and protection is no longer just an IT issue but a business systems issue that requires focus, attention and a mitigation of risks from all areas of the business.

No comments:

Post a Comment