Thursday 13 October 2016

EU GDPR - Who Owns The Risk?

Guest Blogger: Stuart Peck
Cyber Security Strategist - ZeroDayLab

EU GDPR is descending upon businesses from 25 May 2018, and in our pre-Brexit state as a nation there is a question that seems to divide opinion almost as much as hard or soft Brexit:

EU GDPR: who ultimately owns the risk?

This was evident at an event I attended this evening, where the room was firmly divided on whether it is the CFO/CRO (the business) or the CIO/CISO (IT) who is responsible for driving EU GDPR compliance (and owning the risk). It made for an interesting debate.

There is a very small window to become EU GDPR compliant, and most executives I speak to think this is an IT initiative, when in reality it's a business-wide issue that not only directly affects current data privacy practice but also increases the impact of any serious data breach.

The risk to some very large corporate organisations that operate on small profit margins is huge: fines of up to 2% or 4% of global annual turnover (depending on the type of infringement) can cripple a business, with share price, reputation and dividend payouts all negatively affected.

The significantly increased fines alone will bring headline-grabbing figures. Had last year's TalkTalk data breach occurred under the EU GDPR, the company's fine could have amounted to a staggering £90-£100 million, rather than the £400k fine issued by the ICO under the Data Protection Act 1998.

The risk is heightened further by a distinct shortage of professionals who have enough EU GDPR experience, or who are willing to take on the role of Data Protection Officer (DPO).

Furthermore, the risk from highly sophisticated adversaries is not going away; in fact, the EU GDPR will benefit enterprising cyber criminals even more, since successful attacks leading to data breaches (and the fines that follow) could drive a rise in the shorting of publicly listed companies' stock. A potential win-win for cyber criminals, with the ultimate inside track: shorting the stock of the very companies they have breached.

Finally, if EU GDPR non-compliance is not on the company risk register (or even on the company agenda), then it might be time to perform a business impact assessment alongside your data protection impact assessment (DPIA), to stress-test the organisation's exposure to a serious breach after May 2018.

So, in summary, who should own the risk? Ultimately the Data Protection Officer should drive EU GDPR compliance, but the risk of non-compliance (or of a breach under EU GDPR) should be owned by the CFO or CRO, as this is a problem that directly affects the business as a whole: its reputation and its financial stability.

Agree or disagree, please comment; I would love to know your thoughts.