With GDPR just around the corner (May 2018), the new EU rules are probably something you want to start thinking about, and companies that ignore them risk serious exposure on data protection. But do the rules require you to hire a data protection officer? Richard Henderson, global security strategist at Absolute, provides Finance Monthly with the expert tips you’ve been looking for.
In just over a year the EU’s General Data Protection Regulation (GDPR) comes into effect, with part of it stipulating that some organisations will need a data protection officer (DPO). Impacted companies that haven’t already assessed their data protection technology, policies and processes against the regulation’s mandates need to take action now to address any shortcomings.
The regulation may have been four years in the making, and amended throughout the process, but what has been clear from the start is that it intends to define an era where lax data management is not tolerated. The letter and spirit of the regulation reflect an expectation that data protection should be a priority, not an afterthought. Individuals’ rights around their data will be strongly upheld and companies found wanting will face tough punishment.
In this, the financial services sector has some experience. Despite being responsible for a relatively small percentage of the total security breaches reported to the Information Commissioner’s Office (ICO) in 2015-16, it attracted a third of the financial penalties the ICO pursued. With fines for data protection non-compliance set to rise significantly under GDPR (up to four per cent of annual global turnover), the industry cannot afford not to take note and to prepare.
The overall aim of GDPR is to make EU privacy laws fit for the 21st century. While there is a major emphasis on enforcement it also introduces mandatory data breach reporting requirements, in some cases within a challenging timeframe of 72 hours.
The role of the data protection officer
The requirement to appoint a data protection officer (DPO) is summarised as being in the case of “public authorities,” “organizations that engage in large scale systematic monitoring” and “organizations that engage in large scale processing of sensitive personal data”.
Organisations meeting these requirements will need to make someone responsible for data protection. It will be extremely important to have the right person for the job, so legal advice should be considered when hiring.
The DPO must have expertise in data protection law and practices, and is expected to keep their knowledge up to date and to report directly to the highest level of management. In short, this is not a responsibility to be taken lightly or to be tagged onto an existing role where the necessary level of expertise, knowledge and responsibility does not already exist. It is a professional role, expected to be accorded a sufficient level of seniority, with standing in the firm and the resources to maintain and build on knowledge.
DPOs will need to be supported by a thorough assessment and (where necessary) overhaul of policies, processes and procedures to ensure GDPR-readiness. A big part of their job will be ensuring the right technology is in place to prevent data breaches, while maintaining and reporting on security.
Enough is not good enough
The cyber-attack threat landscape continually changes, forcing businesses to evolve their security strategies and policies to keep up. The risk of non-compliance with GDPR is simply too high, not just in terms of potential financial impact but also corporate reputational damage from compromised data. A DPO will be central to safeguarding the organisation’s reputation, maintaining the right technology and ultimately, preventing a large-scale data breach.
GDPR recognises that situations have changed immeasurably since its preceding 1995 Data Protection Directive, when the internet was still in its relative infancy. Today, larger volumes of data are not only created and stored but also widely transferred and held on mobile devices.
GDPR had to bring data protection enforcement up to date for the modern day. By setting the fines level for infringements at the level it has, it is sending out a clear message that ‘enough’ is not good enough. Companies need to make data protection part of the fabric of their organisation or pay the price for not doing so.
The price could be hefty indeed for UK business. If cybersecurity breaches stay at the level reported in 2015, fines could rise from £1.4 billion to £122 billion, according to the Payment Card Industry Security Standards Council.
Companies with limited IT knowledge and expertise may feel that punishments meted out after the event should be balanced by guidance and instruction on breach prevention, so that they can avoid falling foul of the regulation. While it is rightly incumbent on companies to adequately secure data, the options available to them to do this are matched only in their number and variety by the methods hackers have for getting in.
EU GDPR is incontrovertibly punitive but companies looking at it in full must see the opportunity the regulation gives to them to avoid incurring penalties.
By interpreting what the measures require companies to do, they can take action to keep data safe and thereby avoid non-compliance. This includes putting in place processes to provide data to subjects if they ask for it and to remove records if requested when it’s no longer necessary to hold them. It includes potentially putting in place the data protection officer and – perhaps above all – mandates ‘privacy by design’, meaning that data protection has to be built into systems when they are designed rather than afterwards as an add-on.
This last measure is – if any were needed – the clearest indication of the regulator’s intention to instil into all companies a culture of data protection, one that drives systems and processes rather than the other way round.
A designated DPO dedicates a level of time and expertise that is required now for robust data protection. After all, 72 hours to report a breach is a short space of time and staying on top of policies and processes around data retrieval, access and removal is a big job. Organisations need the capabilities in place to manage data across their entire device estate. A single point of contact with specified responsibilities stands to help the company at the same time as helping the regulator.
Above all else, a dedicated data protection role will help companies prevent data issues, safeguard their reputation and avoid potential non-compliance.
For one particular part of the financial services sector, GDPR presents a specific opportunity. Strict new rules should mean the cyber insurance market will grow. With breaches set to be more widely reported under the new regulations, more data will be available to insurers to set premiums so we are likely to see an increase in the number and range of cyber insurance offerings.
Companies concerned by the length and breadth of the EU GDPR should step back and consider that, in simple terms, it obliges organisations to put in place security measures appropriate to the risks. If a data breach occurs, it will be hard for that organisation to argue that it had done this. Therefore, the goal will then be what it is now – to have in place the resource, policies, processes and technology to prevent breaches.
Companies should reassess how they detect suspicious activity on their network and consider options for persistent connectivity and encryption for systems, devices and data. The threat of higher fines certainly focuses attention on data protection but in reality, it must always be a top priority for the financial services sector.
No one wants to have their good company name smeared in the headlines because of a breach or incident that could have been avoided. It’s up to all of us in the security space to ensure that we are doing everything we can to keep the data entrusted to our protection safe from harm. We owe it to ourselves, our shareholders, and the public who trust us to steward their most sensitive of data.